Posted by: admin, 15 years, 11 months ago
I was fixing to post on some of the ROI posts floating around, with my usual dainty prose. But Anton Chuvakin did a much better job than I could - though it appears he has a ringer on his team.
My favorite quote:
The phrase "return in the form of savings," that I saw on some blog, caused my "in-house economist" to utter a completely unprintable word and then follow up with: "what an idiot! it is either return or savings!"
His close is a bit weak, though:
At the same time, I think this debate will be resolved thus: there is rate of return (definition from economics) and there is "ROI/rate of return" (hijacked definition that developed its own life and started to mean simply "usefulness" or "value proposition"). There is "ROI" of security and there is no ROI of security...
You can analyze/estimate the value of a security investment. One way to effectively separate out different security investment possibilities is to create scenarios from them. I did a simple comparison of a VPN with and without two-factor authentication. The savings comes from the overall project; then I subtract an AALE from the savings. You could do different scenarios to see which security investment was "optimal".
Estimating AALE might be problematic, but the exercise would still be beneficial.
ROI is a crappy measure because it does not include an interest rate. While estimating AALE might be difficult, getting your company's weighted-average cost of capital is very simple. (Hint: ask your CFO.)
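The comparison sketched above, carried through as an added example (not the post's own calculation; the figures and the 10% WACC are constructed): each scenario's project savings less its AALE, the simple ROI that carries no interest rate, and the NPV and economics-style rate of return at the company's cost of capital.

```python
from dataclasses import dataclass

# Constructed figures for the VPN with/without 2FA comparison; not the post's own numbers.
WACC = 0.10  # the company's weighted-average cost of capital (ask your CFO)

@dataclass
class Scenario:
    name: str
    upfront_cost: float    # year-0 spend: licences, tokens, deployment
    annual_savings: float  # gross savings the overall VPN project produces each year
    aale: float            # annualized loss expectancy from the residual risk
    years: int = 3

    def net_benefit(self) -> float:
        # The post's recipe: take the project's savings, then subtract the AALE.
        return self.annual_savings - self.aale

    def simple_roi(self) -> float:
        # ROI as commonly used: total net benefit over cost, with no interest rate anywhere.
        return (self.net_benefit() * self.years - self.upfront_cost) / self.upfront_cost

    def npv(self, rate: float) -> float:
        # Discount each year's net benefit at `rate` (the WACC) before netting the cost.
        pv = sum(self.net_benefit() / (1 + rate) ** t for t in range(1, self.years + 1))
        return pv - self.upfront_cost

    def irr(self) -> float:
        # Rate of return in the economics sense: the rate at which NPV is zero, found by
        # bisection on [0, 1] (NPV falls monotonically in the rate when net benefit is positive).
        lo, hi = 0.0, 1.0
        if self.net_benefit() <= 0 or self.npv(lo) < 0 or self.npv(hi) > 0:
            raise ValueError(f"{self.name}: no rate of return in [0%, 100%]")
        for _ in range(100):
            mid = (lo + hi) / 2
            lo, hi = (mid, hi) if self.npv(mid) > 0 else (lo, mid)
        return (lo + hi) / 2

SCENARIOS = [
    Scenario("VPN without 2FA", upfront_cost=40_000, annual_savings=30_000, aale=15_000),
    Scenario("VPN with 2FA", upfront_cost=52_000, annual_savings=30_000, aale=3_000),
]

def best_by_npv(scenarios, wacc: float):
    # Pick the scenario that adds the most value at the cost of capital; None if none does.
    viable = [s for s in scenarios if s.npv(wacc) > 0]
    return max(viable, key=lambda s: s.npv(wacc)) if viable else None

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:16} ROI={s.simple_roi():6.1%}  NPV@{WACC:.0%}={s.npv(WACC):9,.0f}  IRR={s.irr():.1%}")
    print("Optimal at WACC:", best_by_npv(SCENARIOS, WACC).name)
```

With these figures the no-2FA scenario shows a positive ROI yet a negative NPV at a 10% WACC, which is exactly the information a measure without an interest rate cannot give you.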