Curtis K. Shrote
shrote at arlut.utexas.edu
Wed Feb 12 18:35:58 GMT 2003
Fuzzy here wrt details:
I seem to recall an ecommerce site that paid something to the tune of
$300 for each expose of private information (CC#s, address, etc.) as
(what I would estimate to be) a preemptive strike against a lawsuit.
There are also the costs associated with eliminating the effects of ID
theft. These range in the $100s to several $1000s per instance. This
would be a potential monetary liability if it were proved it originated from
your organization's computers. Let's not even consider grief/suffering.
There are HIPAA concerns with hefty per incident fines and even prison
time for various grades of exposure of medical data. This would most
likely affect computers in HR or university clinics. The low end fine is
$100 with the top being $250,000 (includes up to 10 years jail time).
Fuzzy here wrt details:
There was a DoS attack against Nike (I think) in which an ISP has been
taken to court to recover damages. Maybe this was the other way around.
There is the cost of bandwidth associated with various attacks that
consume major slices of network capacity.
There is the cost of rebuilding machines affected by an attack to 'kick'
offenders off and correct any damage.
There is the cost of data reconstruction/verification etc. after a
machine has been attacked.
The bottom line seems to be that lawyers are starting to figure out how
to calculate economic damages.
Although this could be a long and drawn-out email, in a nutshell -
Analysis to determine exposure risks and ultimately ($$) is a difficult
and long process. This would be the formal way to attain your goal. At
that point the decision is to spend no more than the yearly liability
expected. It does not seem like your organization would pay for a formal
risk study. Do you have historical data on security events and man-hour
etc. related costs?
A double-edged-sword question -
Perhaps an initiating starter question to them would be how much is the
organization willing/able to absorb in $$ per year to fix security
related events. Consider this their self insurance amount. How much
would they pay for an insurance policy to absorb that loss? (Note
insurance companies are still generally trying to figure it out) That
might help with generating a wave of the hand estimate for security funding.
I just recently saw an interesting 9/11 related article about a CSO
that presented a comprehensive plan to the directors of a company prior
to 9/11. The directors didn't act on (funding etc.) the plan. They were
impacted. The CSO was fired for failing to convince the directors that
the plan needed to be implemented. (Oh, that had to hurt):
Selling it is hard (no apparent slap'em in the face ROI). Security is
always easier to value after the incident.
Mark Newman wrote:
> Not asking anyone to "air any dirty laundry" but, even any general
> anecdotes would be very helpful to us in pleading our case.
> Thank you,
> Mark Newman
> University of Tennessee