Posted by:
admin
15 years, 10 months ago
It has occurred to me that you could develop an interesting incentive program for an information security team, assuming that you believe a couple of data points (or can come up with your own) and your primary concern is a data breach. In my opinion, security people are all too often incented only to maintain security - not to optimize the investment in security. Interests need to be aligned.
First, assume that you believe, as discussed in Gordon & Loeb's book Managing Cybersecurity Resources: A Cost-Benefit Analysis and discussed here that an organization should spend no more than 37% of their expected loss on information security. Second, assume that you agree with the Ponemon Institute on the cost of business data breaches: $182 per record. Then, as I have pointed out, you have enough info to figure out what your info sec budget should be, or at least it's cap.
So, let's set up a very simplistic model:
- The bonus pool is funded by the difference between the actual security budget and the $67.34 per record cap. If this cap doesn't work for you, then you can do more research or negotiate a cap.
- Since you want the investments in security to assure security over time, you pool and smooth the payouts. So the company might "pre-fund" the pool with the current combined team bonus amount. Each quarter (for example) the budget difference is added to the pool.
- Come bonus time, you take a rolling average of the pool and pay it out to the team. Smoothing the payout keeps the focus on the long run and creates a strong retention plan.
- The team manager can distribute the pool based on the existing bonus system or develop a balanced-scorecard approach.
- Here's the kicker: If there is a breach, the costs come out of the bonus pool first. This would be a bummer, but it would also give you first hand data for budgeting ;).
Would it be easily game-able? It seems to me, only in the initial determination of the caps. You should also subtract a charge for the assets deployed. So you would have to figure out what assets are in fact security assets and not network assets. You could also put the network team in the mix and have a penalty for downtime too.
So there it is, just a simple, starting point proposal. Comments welcome!
.Share on Twitter Share on Facebook
Recent Posts
- Blast-RADIUS attack
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
Archive
2024
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)