I was listening to the end of DtSR Episode 179 when a question was asked: would you (or someone you know) buy a "secure" router that cost $25 more? That wasn't the exact question, but that was the gist.
The immediate question I thought in response was the following (which, of course, I tweeted with the #dtsr hashtag): "How much (more) security do you get for $25? How much (more) do you get for $250,000? And how can non-infosec folks evaluate that?"
The challenge, of course, is how to quantify security and the value that security provides. There is definitely no one-size-fits-all answer to this question. It comes down to quantifying the various risks in monetary terms. You know, in terms of single-loss expectancy (SLE: asset value times the fraction of it lost in one incident) or annualized loss expectancy (ALE: SLE times the expected number of incidents per year).
This assumes you know what assets you're protecting, have some understanding of the value of those assets, and have some clue about the likelihood of a loss and what impact that loss would have on the asset's value. Many organizations I've talked to can't articulate these things, and that's a problem: without them you have no idea how much you should spend to protect those assets. You don't want to spend $1000 to protect a $10 asset, but you might spend $10 to protect a $1000 asset.
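To make the SLE/ALE arithmetic concrete, here is a small worked example (added here, not part of the original post or the podcast). It models a risk as asset value, exposure factor and annual rate of occurrence, models a control as an annual cost plus the fraction of the rate or exposure it removes, and then asks the only question that matters: does the ALE it removes exceed what it costs? The two scenarios at the bottom are constructed numbers: a $25 router premium amortized over an assumed five-year life, and the "$1000 to protect a $10 asset" case from the text.

```python
# Added example, not from the original post. All dollar figures,
# rates and reduction factors below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    annual_rate: float      # ARO: expected incidents per year

    def __post_init__(self) -> None:
        # Reject inputs that make the arithmetic meaningless rather than
        # silently producing a negative or >100% loss.
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("asset value and annual rate must be non-negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")

    def sle(self) -> float:
        """Single-loss expectancy: AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE * ARO."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Control:
    annual_cost: float           # what the control costs per year
    rate_reduction: float = 0.0  # fraction of ARO it removes (prevention)
    ef_reduction: float = 0.0    # fraction of EF it removes (e.g. backups)

    def __post_init__(self) -> None:
        for name in ("rate_reduction", "ef_reduction"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1")
        if self.annual_cost < 0:
            raise ValueError("annual cost must be non-negative")

    def apply(self, risk: Risk) -> Risk:
        """The residual risk once this control is in place."""
        return Risk(
            asset_value=risk.asset_value,
            exposure_factor=risk.exposure_factor * (1.0 - self.ef_reduction),
            annual_rate=risk.annual_rate * (1.0 - self.rate_reduction),
        )


def max_justifiable_spend(risk: Risk, control: Control) -> float:
    """The most you should pay per year for this control: the ALE it removes."""
    return risk.ale() - control.apply(risk).ale()


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE removed minus what the control costs; negative means overspending."""
    return max_justifiable_spend(risk, control) - control.annual_cost


def worth_it(risk: Risk, control: Control) -> bool:
    return net_benefit(risk, control) > 0


# Scenario 1 (constructed): a home network worth $1000 to its owner, where a
# compromise costs half of that, expected once every four years. The "secure"
# router's $25 premium is spread over an assumed five-year life, and we assume
# it halves the rate of compromise.
ROUTER_RISK = Risk(asset_value=1000.0, exposure_factor=0.5, annual_rate=0.25)
SECURE_ROUTER = Control(annual_cost=25.0 / 5, rate_reduction=0.5)

# Scenario 2 (constructed): the "$1000 to protect a $10 asset" case. Even a
# control that eliminates the risk entirely cannot pay for itself.
CHEAP_ASSET = Risk(asset_value=10.0, exposure_factor=1.0, annual_rate=1.0)
GOLD_PLATED = Control(annual_cost=1000.0, rate_reduction=1.0)

if __name__ == "__main__":
    for label, risk, control in (
        ("secure router", ROUTER_RISK, SECURE_ROUTER),
        ("gold-plated control", CHEAP_ASSET, GOLD_PLATED),
    ):
        print(
            f"{label}: ALE ${risk.ale():.2f} -> ${control.apply(risk).ale():.2f}, "
            f"max spend ${max_justifiable_spend(risk, control):.2f}/yr, "
            f"cost ${control.annual_cost:.2f}/yr, worth it: {worth_it(risk, control)}"
        )
```

The interesting part is not the multiplication but the inputs: the exposure factor and annual rate are exactly the quantities the post says most organizations cannot articulate, and the decision flips entirely depending on what you plug in for them. Run the two scenarios with your own estimates and watch how quickly "worth it" changes.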
And if you think information security professionals have a tough time figuring this stuff out, think about how everyone else approaches the same situation. Is it any wonder there is so much FUD in information security marketing?
Disclaimer: I do work for a vendor: Check Point Software Technologies. These thoughts are my own.