[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <001b01c41d9a$9b693930$0100000a@MOTHER>
From: yossarian at planet.nl (yossarian)
Subject: Re: ROSI
Obviously, security here is defined here as attack and damage caused by it,
security by IDS. Might be nice, but I can't see much use, since calculating
R as recovery costs, and E savings gained by stopping does not take into
account that
Intrusions differ in impact, which can increase over time by growing
dependency on infrastructure. This can only be based on figures of own
organisation, so it supposes that intrusions are stopped, and cost can be
calculated. This is very rare.
Savings are hard to calculate, since it is usually impossible what the
damage 'would have been', since there is no known mathematical model to
calculate an average cost of things that did not happen.
T = even stranger, since IDS detect some but rarely stop many intrusions.
Let alone that intrusions are only a small part of security incidents....
Stopping attacks seen by an IDS usually means that people react. And how do
you calculate the cost of an attack against an IDS that can stop an attack,
i.e. close connections etc?
Putting these together the concept ALE is probably as useless as drinking
the stuff on the M25 on boxing day. If my customers would be gullible enough
to swallow this, I'd make a fortune....
anyway, maybe it is because i did not read the PDF.... page could not be
found. But I sincerely doubt it.
----- Original Message -----
From: "Jonathan Leffler" <jleffler@...ibm.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Thursday, April 08, 2004 7:16 PM
Subject: [Full-Disclosure] Re: ROSI
> "Curt Purdy" <purdy@...man.com> wrote:
> > ROSI [...] Annual Loss Expectancy (ALE) was figured. ALE is an attack's
> damage
> > multiplied by frequency.
> >
> > Determining cost-benefit
> >
> > (R-E) + T = ALE
> > R-ALE = ROSI
> >
> > R = the cost per year to recover from an intrusion
> > E = the savings gained by stopping the intrusion
> > T = the cost of the intrusion detection tool
> > ALE = the Annual Loss Expectancy
> > ROSI = Return On Security Investment
>
> That formula appears to reduce to ROSI = E - T, though the units of the
> terms
> in the equations (dimensional analysis) make me suspicious that the
> formula is
> incomplete or the definitions of the terms are too loose (R in $/y; E in
> $; T
> in $, ALE in $/y; ROSI units unclear).
>
> > www.csds.uidaho.edu/director/costbenefit.pdf
>
> That URL does not appear to be working this morning.
>
> --
> Jonathan Leffler (jleffler@...ibm.com)
> STSM, Informix Database Engineering, IBM Data Management
> 4100 Bohannon Drive, Menlo Park, CA 94025
> Tel: +1 650-926-6921 Tie-Line: 630-6921
> "I don't suffer from insanity; I enjoy every minute of it!"
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists