Per Rasmussen, Vice President, TDC Solutions, Online

Macro or Micro? (cont.)

The Economics of Cybersecurity

The emperor's new clothes
While it's important to understand what works from a security valuation standpoint, one expert says it's just as important to understand what doesn't work.
"There's a powerful case that can be made for the economics of cybersecurity, but it's not the ones that are out there, the ones that people have been hearing about," explains Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, an independent research institute based in Norwich, Vermont. "A lot of the economic discussions have been so bad they have discredited the field... really bad methods producing really bad metrics."
One of the most common and widely misused methods is one that seeks to estimate the cost of a cyber attack by pricing the lost capacity over the time the system is down. The problem with this model is that it ignores the outside variables that make up an outage's true cost.
"When people use that method, they will lay out their analysis and conclusions. The business people will say, 'This outage cost me two percent of the [system's] annual capacity?' After hemming and hawing, the IT people will say, 'Yes,'" says Borg. "The business person will say, 'Since the company only utilizes 85 percent of the capacity yearly, the attack didn't cost the company anything.'"
Another mistake that's even more common, says Jay Bavisi, president of the International Council of Electronic Commerce Consultants (EC-Council), a professional and educational group based in New York, is valuing a security purchase the same way one would value any hardware acquisition. "How do you please accountants who want hot numbers on the amount of money they've earned or paid by purchasing equipment or other security expenditures?" asks Bavisi. "How do you attach a value to something that has not happened? How do you support ROI to a board of directors? How do you say, 'Hey guys, we saved US$10 million this year because our network was not breached?'"
You can't, he says, and that's the problem.