Full Disclosure mailing list archives

Re: Re: ROSI


From: yossarian <yossarian () planet nl>
Date: Thu, 08 Apr 2004 20:52:06 +0200

Obviously, security here is defined as attack and damage caused by it,
security by IDS. Might be nice, but I can't see much use, since calculating
R as recovery costs, and E as savings gained by stopping, does not take into
account that:
Intrusions differ in impact, which can increase over time with growing
dependency on infrastructure. This can only be based on figures of one's own
organisation, so it supposes that intrusions are stopped, and cost can be
calculated. This is very rare.
Savings are hard to calculate, since it is usually impossible to say what the
damage 'would have been', since there is no known mathematical model to
calculate an average cost of things that did not happen.
T = even stranger, since IDS detect some but rarely stop many intrusions.
Let alone that intrusions are only a small part of security incidents....
Stopping attacks seen by an IDS usually means that people react. And how do
you calculate the cost of an attack against an IDS that can stop an attack,
i.e. close connections etc.?

Putting these together, the concept ALE is probably as useless as drinking
the stuff on the M25 on Boxing Day. If my customers were gullible enough
to swallow this, I'd make a fortune....

Anyway, maybe it is because I did not read the PDF.... page could not be
found. But I sincerely doubt it.
----- Original Message -----
From: "Jonathan Leffler" <jleffler () us ibm com>
To: <full-disclosure () lists netsys com>
Sent: Thursday, April 08, 2004 7:16 PM
Subject: [Full-disclosure] Re: ROSI


"Curt Purdy" <purdy () tecman com> wrote:
ROSI [...] Annual Loss Expectancy (ALE) was figured. ALE is an attack's
damage multiplied by frequency.

Determining cost-benefit

(R-E) + T = ALE
R-ALE = ROSI

R = the cost per year to recover from an intrusion
E = the savings gained by stopping the intrusion
T = the cost of the intrusion detection tool
ALE = the Annual Loss Expectancy
ROSI = Return On Security Investment

That formula appears to reduce to ROSI = E - T, though the units of the
terms in the equations (dimensional analysis) make me suspicious that the
formula is incomplete or the definitions of the terms are too loose
(R in $/y; E in $; T in $, ALE in $/y; ROSI units unclear).

www.csds.uidaho.edu/director/costbenefit.pdf

That URL does not appear to be working this morning.

--
Jonathan Leffler (jleffler () us ibm com)
STSM, Informix Database Engineering, IBM Data Management
4100 Bohannon Drive, Menlo Park, CA 94025
Tel: +1 650-926-6921   Tie-Line: 630-6921
      "I don't suffer from insanity; I enjoy every minute of it!"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

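Carrying the quoted formula through, as an added worked derivation that is not part of either message; the symbols and units are exactly those Jonathan Leffler lists above, and the last line uses Curt Purdy's definition of ALE as damage multiplied by frequency, with D (damage per incident, in $) and f (incidents per year) being names introduced here for that product:

\begin{align}
\text{ALE} &= (R - E) + T \\
\text{ROSI} &= R - \text{ALE} = R - (R - E) - T = E - T
\end{align}

So R cancels and the recovery cost has no influence on ROSI at all. Checking units with the definitions as given: R and ALE are in $/y while E and T are in $, so (R - E) + T mixes $/y and $ and only balances if E and T are read as per-year figures, in which case ROSI = E - T is in $/y. Against the independent definition

\begin{align}
\text{ALE} &= D \times f \qquad [\$/\text{incident}] \times [\text{incidents}/\text{y}] = [\$/\text{y}]
\end{align}

the two expressions for ALE agree in units only under that same per-year reading of E and T, which is the looseness the message above points at.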
