Network Computingwww.networkcomputing.com

The Economics of Information Security

Posted by Lawrence A. Gordon and Robert Richardson
March 26, 2004

Tags: Computer Security Institute, IRR, Infosec managers, NPV, ROI, cybercrime, economics, financial economics, financial practices, information security managers, infosec, infosec industry, internal rate of return, investments, net present value, return on investment, security breaches, security infrastructure, security measures, security professionals, Administration, Business/Finance/Careers, Business/Finance/Security Spending and Costs, Compliance and Policy Management, Data Protection, Government/Legal/Regulatory, Governmental Security Issues, Lawrence A. Gordon, Other, Privacy, Software and Web Development

Channel: Other, Data Protection

Learning the Lingo

"I go to security conferences where we all sit around puzzling about what kind of metrics to use for measuring the results of security programs," says Adam Stone, an analyst who specializes in security management for the financial services industry. "The metrics we have right now--the ones we use for assessing vulnerability and measuring the effectiveness of our investments--are all based on subjective judgments. They're fundamentally flawed. But there are financial, statistical, economics and securities professionals who deal with these kinds of uncertainties all the time, with methods that allow them to predict and measure business effectiveness in a rational way. We can learn from them."

The situation reflects the relative immaturity of the infosec industry, Stone adds. "People in information security are often technicians--gearheads," he says. "Very few of us have come up through the ranks of accounting or financial management, so we don't think in those terms."

Of course, it's not entirely true that security professionals never think in the same terms as financial officers. The information security manager at a Fortune 100 corporation, for instance, has implemented a program to measure rates of return on the company's IPS (intrusion-prevention system), including a checklist of costs incurred to address problems flagged by the system.

Average Loss Per Respondant Page:  1 | 2 |3 |4 |5 |6 |Next Page » Related Reading News Most Popular News Network Managers: Know Thyself Encryption, Data-Centric Approach Needed To Secure Cloud, Mobile Users HP Refreshes DDMA Toolset Big Switch Networks Intros Open-Source OpenFlow Controller More News» Most Popular Why I Like Juniper's QFabric (And A Mea Culpa) HP Storage Tech Day Forecast: 10GbE To Be The Top-Selling Ethernet Switch By 2016 A Brief Introduction To OpenFlow More Popular» Commentary On the Web Commentary Why I Like Juniper's QFabric (And A Mea Culpa) Thai Flooding Drives Disk Prices Up, Warranties Down Transferring DNS Registrars Not A Problem Hybrid Cloud's Burst Bubble More Commentary» On the Web Valley View: Hot Trends, Cool Toys AT&T Takes the Oath on T-Mobile Merger Survey: Execs at Interop say more companies migrate to cloud HP Beefs Up Consulting To Help Clients Better Align IT And Business Strategies More On The Web» More data-protection Insights White Papers How To Regain IT Control In An Increasingly Mobile World - by BlackBerry The BlackBerry PlayBook tablet's Good Bones - by BlackBerry More >> Webcasts Maximize ROI with Database Consolidation onto Private Clouds Server Virtualization Gets Relief From Tivoli Storage Manager for Virtual Environments More >> Currently we allow the following HTML tags in comments: Single tags These tags can be used alone and don't need an ending tag. <br> Defines a single line break <hr> Defines a horizontal line Matching tags These require an ending tag - e.g. <i>italic text</i> <a> Defines an anchor <b> Defines bold text <big> Defines big text <blockquote> Defines a long quotation <caption> Defines a table caption <cite> Defines a citation <code> Defines computer code text <em> Defines emphasized text <fieldset> Defines a border around elements in a form <h1> This is heading 1 <h2> This is heading 2 <h3> This is heading 3 <h4> This is heading 4 <h5> This is heading 5 <h6> This is heading 6 <i> Defines italic text <p> Defines a paragraph <pre> Defines preformatted text <q> Defines a short quotation <samp> Defines sample computer code text <small> Defines small text <span> Defines a section in a document <s> Defines strikethrough text <strike> Defines strikethrough text <strong> Defines strong text <sub> Defines subscripted text <sup> Defines superscripted text <u> Defines underlined text Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.   To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.   Research and Reports FEATURED RESEARCH State of Server Technology FEATURED STRATEGY The Long-Distance LAN Register for Network Computing Pro Find hundreds of reports featuring research from your peers, and best practices from top IT pros. Sign Up Hypervisor Derby August 2011 Video WATCH: Box.net CEO Aaron Levie Takes On Microsoft WATCH: HP Chairman Ray Lane: Focus On Innovation WATCH: How OpenFlow Changes Networking WATCH: Holiday Gift Guide For Tech Gadget Lovers WATCH: Valley View: Hot Trends, Cool Toys WATCH: ���Big Data, Big Decisions, Big Impact" ... WATCH: Solar-Powered Mobile Device Charging Goes Soc ... WATCH: Q&A: Reid Hoffman, Partner at Greylock, Co-Fo ... WATCH: High Order Bit: PepsiCo Inc. -- Frank Cooper ... View All Videos Previous Page Next Page Most Popular Stories Blogs Security Falling Short When It Comes To Dealing With Growing Cyber Attacks Encryption, Data-Centric Approach Needed To Secure Cloud, Mobile Users EMC Delivers On Server-Based Flash Storage Semantic Technology Key To Mastering Data Growth, Analysis F5 Networks 'Fixes' Data Center Security More Stories » EMC's Lightning Strikes What Comes After RAID? Erasure Codes More on Advanced Erasure Codes Storage Clusters - Tightly Coupled vs. Loosely Coupled Breaking Down Vendor Strategy In New Markets Featured Whitepapers Mobile BI: Actionable Intelligence for the Agile Enterprise Creating the Enterprise-Class Tablet Environment - by Yankee Group The BlackBerry PlayBook tablet's Good Bones - by BlackBerry Red Alert: Why Tablet Security Matters - by BlackBerry New Visual and Wizard-Driven Paradigms for Exploring Data and Developing Analytic Workflows Featured Reports Strategy: SIEM Research: 2012 State of Cloud Computing Strategy: How to Pick Endpoint Protection Strategy: Smartcard Security Research: State of Unified Communications 2012 BlogRoll Bits or Pieces? Brad Casemore Brad Hedlund Etherealmind IOShints Stephen Foskett, Pack Rat Steve's IT Rants The Storage Architect StorageMojo TechWeb Careers There are a number of job listing scams naming Network Computing. For our official career postings, please see UBM TechWeb Career Opportunities. Enabling People and Organizations to Harness the Transformative Power of Technology CIOs & IT Professionals Black Hat BYTE Cloud Connect Dark Reading Enterprise 2.0 Enterprise Connect Enterprise Efficiency HDI InformationWeek InformationWeek 500 InformationWeek 500 Conference InformationWeek Events InformationWeek Global CIO InformationWeek Healthcare InformationWeek India InformationWeek Reports InformationWeek SMB Interop Mobile Connect Network Computing No Jitter TechWeb.com The BrainYard Software Developers Dr. Dobb's Dr. Dobb's M-Dev Dr. Dobb's Journal Dr. Dobb's Update TechWeb.com Web & Digital Professionals Internet Evolution Online Marketing Summit TechWeb.com Government Officials GTEC Ottawa InformationWeek Government TechWeb.com Vertical Markets Advanced Trading Bank Systems & Technology CreateYourNextCustomer InformationWeek Government InformationWeek Healthcare Insurance & Technology Light Reading / Telecom The CMO Site Wall Street & Technology Game Industry Professionals Gamasutra.com Game Developers Conference (GDC) Independent Games Festival Game Developer Magazine GDC Europe GDC China Game Career Guide Game Advertising Online Global Communications Service Providers 4G World Heavy Reading Heavy Reading Insiders Pyramid Research Light Reading Light Reading India Light Reading Mobile Light Reading Cable Light Reading Europe Light Reading Asia Ethernet Expo TelcoTV Tower Summit Light Reading Live & Virtual Events Webinars Most Popular Cable Catchup Cloud Connect Blog Digital Life Evil Bytes InformationWeek Reports Interop Blog Monkey Bidness Over the Air Personal Tech The Philter Valley Wonk UBM TechWeb Reader Services About UBM TechWeb Advertising Contacts Technology Marketing Solutions Contact Us Feedback Reprints TechWeb Digital Library / White Papers TechWeb Events Calendar TechWeb.com Terms of Service | Privacy Statement | Copyright © 2012 UBM TechWeb, All rights reserved. Network Computing Home Backup & Recovery Cloud Computing Cloud Storage Data Center Data Protection Networking & Mgmt Openflow Servers & Storage Storage & Mgmt UC & VoIP Virtualization WAN & App Acceleration Wireless Research & Tools Careers About Us Contact Us White Papers Briefing Centers Advertising Contacts Technology Marketing Solutions