[unisog] justification

Andrew Cormack A.Cormack at ukerna.ac.uk
Thu Feb 20 15:21:35 GMT 2003

The University of Michigan and others published a report of an Incident
Cost Analysis and Modelling Project in 1998, which has some useful
figures. The report was only available in printed form to purchase, but
I found an executive summary through Google. I believe there were plans
to update the survey but don't know if anything came of it.

The report does walk-throughs of 30 different incidents and tries to
estimate the costs of each, though a lot of the figures are likely to be
underestimates as they weren't able to quantify things like reputation
damage or external liability. So the really costly incidents are the
ones that leave a lot of staff doing nothing for a day or so: the cost
of that wasted effort far exceeds the cost of systems staff or hardware

I tried to do a similar collection of anonymised reports in the UK a few
years ago but got very few volunteers, I'm afraid.


Andrew Cormack
Chief Security Advisor 
UKERNA, Atlas Centre, Chilton, Didcot, Ox11 0QS, UK

Phone: +44 (0)1235 822302
Fax: +44 (0)1235 822399

> -----Original Message-----
> From: Mark Newman [mailto:mnx at utk.edu] 
> Sent: 12 February 2003 15:00
> To: unisog at sans.org
> Subject: [unisog] justification
> Pardon me if this seems like an audacious thing to ask...
> Does anyone care to mention any specific incidents that caused your
> organization financial loss or to be in a legally liable position
> because of failure to implement some form of information security
> policy, device, etc.?
> We are seeking justification for expenditure. Our organization doesn't
> care if implementing this or that meets standards. Our organization is,
> like most, concerned with legal/financial liability and other much less
> tangible losses (like prestige) resulting from security incidents.
> Not asking anyone to "air any dirty laundry" but, even any general
> anecdotes would be very helpful to us in pleading our case.
> Thank you,
> Mark Newman
> University of Tennessee
