Zaklinka,
I've was chewing on my last response in the back of my head, when I had
a little mini 'aha' moment and it occurred to me that you can take a
weighted average of a number of critical factors (likelihood of attack,
ease of attacks, etc) and come up with an estimated 'risk multiple'
between two scenarios (LAN without WiFi, LAN with WiFi, e.g.). You
could then say 'Plan A is X times more risky than Plan B". I think it
gets you looking at the right factors at a deeper level, even if it's
still guesswork.
I have posted a table of the analysis on my blog, which makes it
clearer:
http://www.wikidsystems.com/WiKIDBlog
It points out the need for security pros to keep on top of changes. For
example, your risk model recently changed if you used a PPTP vpn. With
the most recent release of asleap, PPTP is vulnerable to a passive
brute-force password attack by a download-able automated tool. Now the
math of "ease of attack" time "likelihood" has gone way up.
HTH, I've sure enjoyed thinking about it.
Nick
On Tue, 2005-01-18 at 16:56 +0100, Zaklina Supica wrote:
Nick,
Thanks for your answer. I'm aware of situation that every organization
has different process of ISMS implementation. What I'm trying to do is
to analyze and find the best way how to calculate security investment.
Is it a cap, ROI, NVP... or some other known method, to me it doesn't
matter.
I will appreciate every good advice on that subject. I just want to see
as realistic number as possible.
Zaklina
-----Original Message-----
From: Nick Owen [mailto:nickowen@mindspring.com]
Sent: Monday, January 17, 2005 9:00 PM
To: Zaklina Supica
Cc: security-management@securityfocus.com
Subject: Re: ROSI
Zaklinka:
You won't be able to find much, if anything about the economics of
implementing BS 7799 because I suspect that each implementation would be
very different and that no one has aggregated the information - perhaps
because few companies actually track it. Rather, they are forced to
comply to some standard by a large customer or a government regulation.
As for ROSI, I'm not a fan of ROI and its ilk as it can lead to
distortions in decision making, in particular for info sec. Information
security investments should be about risk mitigation and ROI doesn't
take risk into account. Say you have two projects: invest $20k and
return $2k/period and invest $10k and return $1k/period. The ROI and
payback are the same. But, if the first project is riskier than the
second, you should do the second. ROI won't tell you that. Using a Cap
rate, NPV, IRR or economic profit would.
You can read more at my (new) blog:
http://www.wikidsystems.com/WiKIDBlog,
HTH,
nick
On Sat, 2005-01-15 at 12:14 +0100, Zaklina Supica wrote:
Hi,
I'm very interested in some data about ROSI in general, and some
figures ($) about ROSI and BS 7799 complied ISMS (if they exist).
Thanks,
Zaklina Supica
Tel: +385 1 6129 781
Fax: +385 1 6129 889
http://security.lss.hr
