Educause Security Discussion mailing list archives
Re: Breach Impact Calculator
From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 5 May 2006 09:31:52 -0400
Graham Toal wrote:
> SearchSecurity.com has an interesting privacy impact calculator they posted online. You can punch some numbers in and get an estimate for how much it will cost your organization to recover from a breach: http://tinyurl.com/z67vc
>
> I don't even have to run it to know that it will give a huge number for even the smallest breach. All of these cost calculators (cost of spam, cost of virtualization, etc) err on the high side by a couple of orders of magnitude to make some expensive thing seem worthwhile (anti-spam appliance, vmware server, hiring a security consultant...)
>
> Everyone has an interest in making security breaches seem expensive. It brings more money to your department if you do it.
>
> The classic case was the AT&T E911 document which they sold for $13 that was reported as being worth $80K. (Which is about the right rate of markup for any of these calculators - take the answer and divide by 6000 :-) )
I think the problem is a line of reasoning such as:

1. SPAM email can contain malicious content or links.
2. Malicious content or links can compromise a desktop computer.
3. The desktop computer may be operated by someone with access to sensitive customer data.
4. Exposure of sensitive customer data can cost $$$$.
5. Therefore, SPAM may result in loss of $$$$.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security