Open Source and information security mailing list archives
 
Message-ID: <OF764FCF1E.6B1B77B7-ON87256E70.005E3521-88256E70.005EDAF7@us.ibm.com>
From: jleffler at us.ibm.com (Jonathan Leffler)
Subject: Re: ROSI

"Curt Purdy" <purdy@...man.com> wrote:
> ROSI [...] Annual Loss Expectancy (ALE) was figured. ALE is an attack's damage
> multiplied by frequency.
>
> Determining cost-benefit
>
> (R-E) + T = ALE
> R-ALE = ROSI
>
> R = the cost per year to recover from an intrusion
> E = the savings gained by stopping the intrusion
> T = the cost of the intrusion detection tool
> ALE = the Annual Loss Expectancy
> ROSI = Return On Security Investment

That formula appears to reduce to ROSI = E - T, though the units of the terms
in the equations (dimensional analysis) make me suspicious that the formula is
incomplete or the definitions of the terms are too loose (R in $/y; E in $; T
in $; ALE in $/y; ROSI units unclear).

> www.csds.uidaho.edu/director/costbenefit.pdf

That URL does not appear to be working this morning.

--
Jonathan Leffler (jleffler@...ibm.com)
STSM, Informix Database Engineering, IBM Data Management
4100 Bohannon Drive, Menlo Park, CA 94025
Tel: +1 650-926-6921   Tie-Line: 630-6921
      "I don't suffer from insanity; I enjoy every minute of it!"

