On Thursday 26 February 2004 04:11 am, Stefano Zanero wrote:

<snip>

>
> Right. Security investment can be managed and evaluated with the same
> approach as business insurances. Does an insurance produce ROI ? No,
> it doesn't, but it lowers the risk to that ROI.
>
<snip>

>
> These are the questions that managers ask themselves when evaluating,
> for instance, wether they can afford insurance against theft, or they
> are willing to throw the money to phisical security, or both, or if
> they are more willing to cover the eventual cost of theft itself
> instead.
>
> Whenever anyone talks about ROI in security investment, you should
> raise an eyebrow (Gartner reports, anyone ?).

Yes. Information security is part of an organization's risk management
process. The "closest-to-home" illustration of that is the
certification and accreditation process. "ROI in Security Investement"
is a red herring. Either an organization manages its risk or it
doesn't. The "ROI" is the catalogue of risks the organization elects
to manage (as opposed to those accepted as residual risk).

#include std_riskmanagement_rant.h

Cheers,

George Capehart
--
George W. Capehart

Key fingerprint: 3145 104D 9579 26DA DBC7 CDD0 9AE1 8C9C DD70 34EA

"Does getiud(2) halt the spawning of child processes?"
-- Unknown from a very old fortune cookie file

------------------------------------------------------------------------
---
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040301
------------------------------------------------------------------------
---

[ reply ]