
The Economics of Information Security


Learning the Lingo

"I go to security conferences where we all sit around puzzling about what kind of metrics to use for measuring the results of security programs," says Adam Stone, an analyst who specializes in security management for the financial services industry. "The metrics we have right now--the ones we use for assessing vulnerability and measuring the effectiveness of our investments--are all based on subjective judgments. They're fundamentally flawed. But there are financial, statistical, economics and securities professionals who deal with these kinds of uncertainties all the time, with methods that allow them to predict and measure business effectiveness in a rational way. We can learn from them."

The situation reflects the relative immaturity of the infosec industry, Stone adds. "People in information security are often technicians--gearheads," he says. "Very few of us have come up through the ranks of accounting or financial management, so we don't think in those terms."

Of course, it's not entirely true that security professionals never think in the same terms as financial officers. The information security manager at a Fortune 100 corporation, for instance, has implemented a program to measure rates of return on the company's IPS (intrusion-prevention system), including a checklist of costs incurred to address problems flagged by the system.

[Figure: Average Loss Per Respondent]

Oracle took a similar approach when it wanted to replace a data center IPS. "We did an analysis of how many alerts we got, how many people it took to run those alerts down and how many of those [alerts] were false positives," says Mary Ann Davidson, chief security officer at Oracle. "For the IDS we had in place, we got something like 80,000 alerts a week, and the false-positive rate was 60 percent to 70 percent. We looked at that versus the system we were piloting, where we found we had far fewer alerts and the ones we got were higher quality. So we said, how many people would we have to hire to make sense of the system we had? It turned out to cost a lot less to replace the system right away."
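The staffing arithmetic Davidson describes (alert volume, false-positive rate, analyst time) can be written down as a small cost model. This is an added example, not Oracle's method or the Fortune 100 checklist; the per-alert triage times, analyst capacity, loaded salary, the candidate sensor's figures and the replacement price are constructed assumptions, while the incumbent's 80,000 alerts/week and 65% false-positive rate (midpoint of the 60-70% quoted) come from the article.

```python
"""Rough staffing-cost model for an IDS/IPS, built around the figures in the Oracle quote."""
import math
from dataclasses import dataclass

# Constructed assumptions (not from the article):
ANALYST_HOURS_PER_WEEK = 40.0     # triage hours one analyst can give per week
ANALYST_LOADED_COST = 150_000.0   # annual loaded cost of one analyst, USD


@dataclass(frozen=True)
class Sensor:
    name: str
    alerts_per_week: float
    false_positive_rate: float        # fraction of alerts that turn out to be noise
    minutes_per_false_positive: float  # time to look at and dismiss a false alert
    minutes_per_true_positive: float   # time to investigate a real one


def weekly_triage_hours(s: Sensor) -> float:
    """Analyst hours per week consumed by the sensor's alert stream."""
    false_positives = s.alerts_per_week * s.false_positive_rate
    true_positives = s.alerts_per_week - false_positives
    minutes = (false_positives * s.minutes_per_false_positive
               + true_positives * s.minutes_per_true_positive)
    return minutes / 60.0


def analysts_needed(s: Sensor) -> int:
    """Whole analysts required to keep up with the stream (Davidson's 'how many people')."""
    return math.ceil(weekly_triage_hours(s) / ANALYST_HOURS_PER_WEEK)


def annual_staff_cost(s: Sensor) -> float:
    return analysts_needed(s) * ANALYST_LOADED_COST


def replacement_breakeven_years(incumbent: Sensor, candidate: Sensor, replacement_cost: float) -> float:
    """Years of staff savings needed to pay for the swap; inf if the candidate saves nothing."""
    savings = annual_staff_cost(incumbent) - annual_staff_cost(candidate)
    return replacement_cost / savings if savings > 0 else math.inf


# Incumbent volume and false-positive rate from the article; per-alert times are assumed.
INCUMBENT = Sensor("incumbent IDS", alerts_per_week=80_000, false_positive_rate=0.65,
                   minutes_per_false_positive=0.5, minutes_per_true_positive=5.0)
# Candidate figures are constructed to reflect 'far fewer alerts ... higher quality'.
CANDIDATE = Sensor("piloted IPS", alerts_per_week=4_000, false_positive_rate=0.20,
                   minutes_per_false_positive=0.5, minutes_per_true_positive=5.0)

if __name__ == "__main__":
    for s in (INCUMBENT, CANDIDATE):
        print(f"{s.name}: {analysts_needed(s)} analysts, ${annual_staff_cost(s):,.0f}/yr")
    print(f"break-even on a $2M replacement: {replacement_breakeven_years(INCUMBENT, CANDIDATE, 2_000_000):.2f} years")
```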
