IDS mailing list archives

Re: Is IDS/IPS worthless?


From: Stefano Zanero <stefano.zanero () ieee org>
Date: Thu, 26 Feb 2004 10:11:06 +0100

Mike Lyman wrote:

On Fri, 2004-02-20 at 10:31, Andrew Plato wrote:

So this speaker then challenged me to come up with verifiable metrics. I
replied that he would have to define what metrics he wants? What does he
consider a "viable metric" for performance.  He said "did they sell more
products, make more money?"  I replied "why is that the only metric that

Standard security ROI question when security doesn't have an ROI unless
you're selling security. Do locks on the doors help you sell more
product (unless you sell locks) or sprinkler heads in the ceilings help
you make more money?

Right. Security investment can be managed and evaluated with the same approach as business insurance. Does insurance produce ROI? No, it doesn't, but it lowers the risk to that ROI.

Would you prefer a return of $500 with a risk of, say, 10%, or a return of $5000 with a 90% risk of becoming 0? It probably depends on your investment and your conditions.

These are the questions that managers ask themselves when evaluating, for instance, whether they can afford insurance against theft, or whether they are willing to throw the money at physical security, or both, or whether they are more willing to cover the eventual cost of theft itself instead.

Whenever anyone talks about ROI in security investment, you should raise an eyebrow (Gartner reports, anyone?).

--
Cordialmente,
Stefano Zanero
