Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Management
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ROSI

from [Matthew Caston] Network Security [Permanent Link]
Subject: Re: ROSI
Date: Thu, 20 Jan 2005 16:15:34 -0600
Zaklina,
You may want to investigate (Average) Annual Loss Expectancy (AALE or ALE) as a variable in your analysis - it can serve as a guidepost, and should certainly be considered during any risk analysis/ROI exercise. Do a search on the cio.com or csoonline.com sites - I know they've published several pieces relevant to your question and have hosted several moderated discussions..a quick look shows they have a number of links to applicable resources.

Good Luck....
Zaklina Supica wrote:

Nick,

Thanks for your answer. I'm aware of situation that every organization
has different process of ISMS implementation. What I'm trying to do is
to analyze and find the best way how to calculate security investment.
Is it a cap, ROI, NVP... or some other known method, to me it doesn't
matter.

I will appreciate every good advice on that subject. I just want to see
as realistic number as possible. 

Zaklina

-----Original Message-----
From: Nick Owen [mailto:nickowen@mindspring.com] Sent: Monday, January 17, 2005 9:00 PM
To: Zaklina Supica
Cc: security-management@securityfocus.com
Subject: Re: ROSI

Zaklinka:

You won't be able to find much, if anything about the economics of
implementing BS 7799 because I suspect that each implementation would be
very different and that no one has aggregated the information - perhaps
because few companies actually track it.  Rather, they are forced to
comply to some standard by a large customer or a government regulation.

As for ROSI, I'm not a fan of ROI and its ilk as it can lead to
distortions in decision making, in particular for info sec.  Information
security investments should be about risk mitigation and ROI doesn't
take risk into account.  Say you have two projects:  invest $20k and
return $2k/period and invest $10k and return $1k/period.  The ROI and
payback are the same.  But, if the first project is riskier than the
second, you should do the second. ROI won't tell you that.  Using a Cap
rate, NPV, IRR or economic profit would.

You can read more at my (new) blog:
http://www.wikidsystems.com/WiKIDBlog, 

HTH,

nick

On Sat, 2005-01-15 at 12:14 +0100, Zaklina Supica wrote:


Hi,



I'm very interested in some data about ROSI in general, and some
figures ($) about ROSI and BS 7799 complied ISMS (if they exist).





Thanks,





Zaklina Supica

Tel: +385 1 6129 781
Fax: +385 1 6129 889

http://security.lss.hr








[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: ROSI, Nick Owen
Next by Date:  Re: ROSI, Nick Owen
Previous by Thread:  RE: ROSI, Nick Owen
Next by Thread:  Re: ROSI, Nick Owen
Indexes:  [Date] [Thread] [Top] [All Lists]