Thanks for the info ... let me give you a summary of what I say and what I am getting. I think Shaun hit the nail on the head, and is reinforced by the infosec mag and CIO articles I list below.

How severe is the threat? From the replies then I am looking at a base model firewall and an anti-virus package for the company. These we have. And both have been effective ... the first for policing users going to inappropriate sites, and the second for the e-mail virus blitz from last year. We had been hit with a virus about 7 years ago, but since then we have been running AV stuff and it has been good.

What I am finding though is that beyond some simple procedures (current firewall and anti-virus software) the threat level that I am seeing is approaching 0. This makes security a non-issue. And this is for a rather large company in the Northwest.

Looking at a house analogy ... spend some money on locks.. and forget it. If you are a bank or live in a 'bad section of town' (e.g. government site, defense contractor) then it might be worth the money, but otherwise it is a waste.

Has anyone on the list had to do an ROI for another company? I am curious what kinds of numbers you get because the numbers I work don't come close to much of anything (see below).

The one factor that is listed that I can't reconcile is the use of our machines to attack someone else ... all I can expect is that if a site detects such an attack then they notify us and we will act.

So going into more detail. Note on downtime ... unless the systems are down for 3+ days then the REAL impact to the company is probably 0. Phones and hand-written back-up can keep the wheels turning for a time.

* Honeypot - This justifies at least some level of firewall, but do I need more?
* Cert.org info - no level of granularity on the stats.
* Costs - So far we have been up for 10 years on the internet. We have had 0 hours of downtime from intrusions since then. What is gained from spending an additional $100K on security?
* Downtime ... if I have 1 day downtime / 10 years of uptime, and the cost of that downtime is $100K per day ... then it is better for me to take the $100K hit than to spend $10K per year on security.
* Risk .. what is the worst possible scenario? I suppose a malicious hacker could get into the networks and corrupt data without our detection. If so then I lose a day's worth of work and go back to back-ups ... this happens occasionally from normal user mistakes. This is the Annual Loss
* Expense Figures
  <http://www.cio.com/archive/021502/security.html>
  <http://www.cio.com/archive/021502/security_sidebar.html>
  There is additional info in http://www.infosecuritymag.com/images/Security.pdf
  This has some good info, but based on the metric still says no to security.

  Threat x % Success x Cost = $$$
  1 day x .0003 x 100000 = $300/day = $10K yr

  Another dollar and sense article goes to a little more detail, but the same basics:
  http://online.securityfocus.com/infocus/1608
  Where the numbers are Exposure (EV) x Asset (AV)

Steve
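As an added example (not part of the original post or of the articles it cites), here is the risk arithmetic the post is working through, written so the inputs can be varied: Annual Loss Expectancy as ARO x SLE, the per-day "Threat x % Success x Cost" metric computed from the inputs as quoted, a simple return-on-security-investment ratio, and the break-even incident rate for a given control cost. The figures are the ones quoted in the post, used as constructed sample values; the `reduction` fraction (how much of a loss the control actually prevents) is an assumption the post does not state, and the `Scenario` class and function names are mine.

```python
"""Quantitative risk arithmetic: ALE, the per-day threat metric, ROSI and a
break-even check. Added example; inputs are the post's quoted figures used as
constructed sample values, not data from the cited articles."""

from dataclasses import dataclass

DAYS_PER_YEAR = 365


@dataclass(frozen=True)
class Scenario:
    """One loss event type and the control being weighed against it."""
    name: str
    annual_rate: float     # ARO: expected incidents per year
    single_loss: float     # SLE: dollar loss per incident
    control_cost: float    # annual cost of the proposed control
    reduction: float       # fraction of the loss the control prevents (assumption)


def ale(annual_rate: float, single_loss: float) -> float:
    """Annual Loss Expectancy = ARO x SLE."""
    return annual_rate * single_loss


def daily_metric(events_per_day: float, p_success: float, cost: float) -> float:
    """The magazine-style 'Threat x % Success x Cost' figure, per day."""
    return events_per_day * p_success * cost


def rosi(s: Scenario) -> float:
    """Return on security investment as a ratio of the control's cost.
    0.0 is break-even; negative means the control costs more than it saves."""
    avoided = ale(s.annual_rate, s.single_loss) * s.reduction
    return (avoided - s.control_cost) / s.control_cost


def break_even_rate(s: Scenario) -> float:
    """Incidents per year at which the control exactly pays for itself.
    Shows how sensitive the decision is to the ARO guess."""
    return s.control_cost / (s.single_loss * s.reduction)


def summary(s: Scenario) -> dict:
    """Collect the three figures a reviewer would want side by side."""
    return {
        "ale": ale(s.annual_rate, s.single_loss),
        "rosi": rosi(s),
        "break_even_rate": break_even_rate(s),
    }


# Constructed from the post's figures: one day of $100K downtime per ten years,
# versus $10K/year of extra security spend assumed (reduction=1.0) to prevent it.
DOWNTIME = Scenario("downtime", annual_rate=1 / 10, single_loss=100_000,
                    control_cost=10_000, reduction=1.0)


if __name__ == "__main__":
    print(summary(DOWNTIME))
    per_day = daily_metric(1, 0.0003, 100_000)
    print(f"daily metric: ${per_day:.2f}/day, ${per_day * DAYS_PER_YEAR:,.0f}/year")
    # The same control looks very different if the incident rate is 3x the guess,
    # or if the control only stops half of the loss:
    print(summary(Scenario("downtime x3", 3 / 10, 100_000, 10_000, 1.0)))
    print(summary(Scenario("half effective", 1 / 10, 100_000, 10_000, 0.5)))
```

The point of `break_even_rate` is that with a $100K single loss and a $10K/year control, the decision flips at exactly one incident per decade, so the whole answer rests on the ARO estimate; anyone doing this ROI should run the scenario at two or three plausible rates and reduction fractions rather than one.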
This archive was generated by hypermail 2b30 : Wed Aug 14 2002 - 13:12:41 PDT