[unisog] justification

Curtis K. Shrote shrote at arlut.utexas.edu
Wed Feb 12 18:35:58 GMT 2003

Fuzzy here wrt details:
I seem to recall an ecommerce site that paid something to the tune of 
$300 for each expose of private information (CC#s, address, etc.) as 
(what I would estimate to be) a preemptive strike against a lawsuit.

There are also the costs associated with eliminating the effects of ID 
theft. These range in the $100s to several $1000 per instance. This 
would be a potential monetary liability if proved it originated from 
your organization's computers. Let's not even consider grief/suffering.

There are HIPAA concerns with hefty per incident fines and even prison 
time for various grades of exposure of medical data. This would most 
likely affect computers in HR or university clinics. The low end fine is 
$100 with the top being $250,000 (includes up to 10 years jail time).

Fuzzy here wrt details:
There was a DoS attack against Nike (I think) in which an ISP has been 
taken to court to recover damages. Maybe this was the other way around. 

There is the cost of bandwidth associated with various attacks that 
consume major slices of network capacity.

There is the cost of rebuilding machines affected by an attack to 'kick' 
offenders off and correct any damage.

There is the cost of data reconstruction/verification etc. after a 
machine has been attacked.

The bottom line seems to be that lawyers are starting to figure out how 
to calculate economic damages.

Although this could be a long and drawn out email, in a nutshell -
Analysis to determine exposure risks and ultimately ($$) is a difficult 
and long process. This would be the formal way to attain your goal. At 
that point the decision is to spend no more than the yearly liability 
expected. It does not seem like your organization would pay for a formal 
risk study. Do you have historical data on security events and man-hour 
etc. related costs?

a double edged sword question -
Perhaps an initiating starter question to them would be how much is the 
organization willing/able to absorb in $$ per year to fix security 
related events. Consider this their self insurance amount. How much 
would they pay for an insurance policy to absorb that loss? (Note 
insurance companies are still generally trying to figure it out) That 
might help with generating a wave of the hand estimate for security funding.

In closing:

I just recently saw an interesting 9/11 related article about a CSO 
that presented a comprehensive plan to the directors of a company prior 
to 9/11. The directors didn't act on (funding etc.) the plan. They were 
impacted. The CSO was fired for failing to convince the directors that 
the plan needed to be implemented. (Oh, that had to hurt):

Selling it is hard (no apparent slap'em in the face ROI). Security is 
always easier to value after the incident.

Mark Newman wrote:

> Not asking anyone to "air any dirty laundry" but, even any general
> anecdotes would be very helpful to us in pleading our case.
> Thank you,
> Mark Newman
> University of Tennessee
