Security: At What Cost?


I was listening to the end of DtSR Episode 179 when a question was asked: would you (or someone you know) buy a “secure” router that cost $25 more? That wasn’t the exact question, but that was the gist.

The immediate question I thought in response was the following (which, of course, I tweeted with the #dtsr hashtag): “How much (more) security do you get for $25? How much (more) do you get for $250,000? And how can non-infosec folks evaluate that?”

The challenge, of course, is how to quantify security and the value it provides. There is definitely no one-size-fits-all answer. It comes down to quantifying the various risks in monetary terms: single-loss expectancy (what one incident costs you) or annualized loss expectancy (what you expect to lose per year), for example.

This assumes you know what assets you’re protecting, have some understanding of the value of those assets, and have some clue about the likelihood of a loss and what impact it would have on the asset’s value. Many organizations I’ve talked to can’t articulate these things, and that’s a problem: without them you have no idea how much you should spend to protect those assets. You don’t want to spend $1000 to protect a $10 asset, but you might spend $10 to protect a $1000 asset.
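To make the SLE/ALE arithmetic concrete, here is a small worked calculation for the two cases above (the $25 router premium and the $1000-to-protect-$10 mistake). This is an added example, not code from the original post; every dollar figure, exposure factor and incident rate in it is an assumption chosen to illustrate the method, not a measured number.

```python
"""Worked SLE/ALE comparison for a security spend decision.

Added example (not from the original post). All dollar values,
probabilities and exposure factors below are assumptions made up to
illustrate the arithmetic, not measured figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float        # AV: what the asset is worth to you (assumed)
    exposure_factor: float    # EF: fraction of AV lost per incident, 0..1 (assumed)
    annual_rate: float        # ARO: expected incidents per year (assumed)

    @property
    def sle(self) -> float:
        """Single-loss expectancy: loss from one incident (AV * EF)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year (SLE * ARO)."""
        return self.sle * self.annual_rate


def annual_control_cost(purchase_price: float, lifetime_years: float,
                        yearly_opex: float = 0.0) -> float:
    """Spread a one-off purchase over its useful life and add running costs."""
    if lifetime_years <= 0:
        raise ValueError("lifetime_years must be positive")
    return purchase_price / lifetime_years + yearly_opex


def break_even_rate_reduction(before: RiskScenario, control_cost_per_year: float) -> float:
    """How much the control must cut ARO (incidents/year) just to pay for itself."""
    return control_cost_per_year / before.sle


def risk_reduction_value(before: RiskScenario, after: RiskScenario,
                         control_cost_per_year: float) -> dict:
    """Net annual value of a control: ALE avoided minus what the control costs.

    A positive net means the spend is justified by the risk model alone;
    'overspend' flags the classic mistake of paying more per year than
    the asset is worth at all.
    """
    avoided = before.ale - after.ale
    net = avoided - control_cost_per_year
    return {
        "ale_before": round(before.ale, 2),
        "ale_after": round(after.ale, 2),
        "ale_avoided": round(avoided, 2),
        "control_cost": round(control_cost_per_year, 2),
        "net_benefit": round(net, 2),
        "justified": net > 0,
        "overspend": control_cost_per_year > before.asset_value,
    }


# Scenario 1: the $25 "secure" router premium (all figures assumed).
# Assume a home network whose compromise costs about $2,000 in cleanup and
# fraud, full exposure on a breach, a baseline 5% yearly chance of a
# router-borne compromise, and that the premium device cuts that to 2%.
HOME_BEFORE = RiskScenario(asset_value=2_000, exposure_factor=1.0, annual_rate=0.05)
HOME_AFTER = RiskScenario(asset_value=2_000, exposure_factor=1.0, annual_rate=0.02)
ROUTER_PREMIUM_PER_YEAR = annual_control_cost(purchase_price=25, lifetime_years=5)

# Scenario 2: spending $1000 a year to perfectly protect a $10 asset
# that would otherwise be lost once a year (assumed).
TRIVIAL_BEFORE = RiskScenario(asset_value=10, exposure_factor=1.0, annual_rate=1.0)
TRIVIAL_AFTER = RiskScenario(asset_value=10, exposure_factor=1.0, annual_rate=0.0)


def evaluate_router() -> dict:
    return risk_reduction_value(HOME_BEFORE, HOME_AFTER, ROUTER_PREMIUM_PER_YEAR)


def evaluate_trivial_asset() -> dict:
    return risk_reduction_value(TRIVIAL_BEFORE, TRIVIAL_AFTER, control_cost_per_year=1_000)


if __name__ == "__main__":
    print("router:", evaluate_router())
    print("router must cut ARO by at least",
          break_even_rate_reduction(HOME_BEFORE, ROUTER_PREMIUM_PER_YEAR), "/year")
    print("trivial asset:", evaluate_trivial_asset())
```

Under those assumptions the router's $5/year amortized premium buys $60/year of avoided expected loss, so it is justified, and it only has to shave 0.25 percentage points off the yearly incident rate to break even; the $1000 control on the $10 asset is flagged as an overspend before the ALE math even matters. The point of the exercise is that the answer is only as good as the AV, EF and ARO inputs, which is exactly what most organizations cannot supply.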

And if you think information security professionals have a tough time figuring this out, think about how everyone else approaches the same situation. Is it any wonder there is so much FUD in information security marketing?

Disclaimer: I do work for a vendor: Check Point Software Technologies. These thoughts are my own.
