> > identify risk (fx. e-commerce site that brings $10M yearly
> > => 1 day downtime=$300K => 1 hour downtime=$10K)
> > cover risk by realtime log auditing.. (costs fx $7K daily)
> >
> > profit=> risk value*risk probability - countermeasure=$40K monthly
> >
> > This works for straight commercial front end system,

On the surface, yes, it does. But it assumes a lot and is very, very specific to the system in question. It's not scalable or translatable at all.

Take an IIS front end web server. It would have taken approx 15 seconds to secure it against Code Red, even a year ago. If 1 hr of downtime translates to $10K, and the system would not have had to have been taken down to prevent a Code Red infection (simply disable the script mapping), then what is the cost? Now, what happened when Code Red hit?

How many incidents are mishandled due to lack of policy/procedure, or an under-trained staff? How many incidents are said to cost hundreds of thousands of dollars in man-hours and downtime, when a better trained staff could have recovered the system in less time, with no down-time?

> but how do you cost a break-in to HR or other system that isn't
> critical to your ability to do business. The cost is definitely
> greater than the time to make good the damage but by how much?
> How does one cost employees' privacy?

I don't see how you get to a greater cost for what you describe as a non-critical system. However, I think your point is taken...how does one show the cost of an incident to a non-critical system like an HR database (given that it affects employee privacy, I wouldn't call it non-critical)?

What about the ROI of security? Take the Code Red example again...lots of folks out there know how long it took to clean up and can compute a cost based on total man-hours and downtime of systems. However, if it would take 4 hrs to write and deploy a script to protect, say, 100 IIS servers against Code Red...how does one show ROI? You've got the 4 hours to show for your proactive efforts, but you have no reactive costs (like so many others do) to compare it to...
This archive was generated by hypermail 2b30 : Tue Feb 19 2002 - 21:31:03 PST