I was listening to the end of DtSR Episode 179 when a question was asked: would you (or someone you know) buy a “secure” router that cost $25 more? That wasn’t the exact question, but that was the gist.
The immediate question I thought in response was the following (which, of course, I tweeted with the #dtsr hashtag): “How much (more) security do you get for $25? How much (more) do you get for $250,000? And how can non-infosec folks evaluate that?”
The challenge, of course, is how do you quantify security and the value that security provides. There is definitely no one-size-fits-all answer to this question. It comes down to quantifying the various risk in monetary terms. You know, in terms of single-loss expectancy or annualized loss expectancy.
This assumes you know what assets you’re protecting, have some understanding about the value of those assets, and have some clue about the likelihood of a loss and what impact that might have to the asset’s value. Many organizatons I’ve talked to can’t articulate these things, and that’s a problem. You have no idea how much you should spend to protect those assets. You don’t want to spend $1000 to protect a $10 asset, but you might spend $10 to protect a $1000 asset.
And if you think information security professionals have a tough time figuring this stuff out, think about how everyone else approaches the same situation. Is there any wonder there is so much FUD in information security marketing?
Disclaimer: I do work for a vendor: Check Point Software Technologies. These thoughts are my own.