Nick,
Thanks for your answer. I'm aware of situation that every organization
has different process of ISMS implementation. What I'm trying to do is
to analyze and find the best way how to calculate security investment.
Is it a cap, ROI, NVP... or some other known method, to me it doesn't
matter.
I will appreciate every good advice on that subject. I just want to see
as realistic number as possible.
Zaklina
-----Original Message-----
From: Nick Owen [mailto:nickowen@mindspring.com]
Sent: Monday, January 17, 2005 9:00 PM
To: Zaklina Supica
Cc: security-management@securityfocus.com
Subject: Re: ROSI
Zaklinka:
You won't be able to find much, if anything about the economics of
implementing BS 7799 because I suspect that each implementation would be
very different and that no one has aggregated the information - perhaps
because few companies actually track it. Rather, they are forced to
comply to some standard by a large customer or a government regulation.
As for ROSI, I'm not a fan of ROI and its ilk as it can lead to
distortions in decision making, in particular for info sec. Information
security investments should be about risk mitigation and ROI doesn't
take risk into account. Say you have two projects: invest $20k and
return $2k/period and invest $10k and return $1k/period. The ROI and
payback are the same. But, if the first project is riskier than the
second, you should do the second. ROI won't tell you that. Using a Cap
rate, NPV, IRR or economic profit would.
You can read more at my (new) blog:
http://www.wikidsystems.com/WiKIDBlog,
HTH,
nick
On Sat, 2005-01-15 at 12:14 +0100, Zaklina Supica wrote:
Hi,
I'm very interested in some data about ROSI in general, and some
figures ($) about ROSI and BS 7799 complied ISMS (if they exist).
Thanks,
Zaklina Supica
Tel: +385 1 6129 781
Fax: +385 1 6129 889
http://security.lss.hr
--
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
