Re: ROSI

[Jonathan Leffler <jleffler () us ibm com>]

"Curt Purdy" <purdy () tecman com> wrote:
> ROSI [...] Annual Loss Expectancy (ALE) was figured. ALE is an attack's 
damage
> multiplied by frequency.
>
> Determining cost-benefit
>
> (R-E) + T = ALE
> R-ALE = ROSI
>
> R = the cost per year to recover from an intrusion
> E = the savings gained by stopping the intrusion
> T = the cost of the intrusion detection tool
> ALE = the Annual Loss Expectancy
> ROSI = Return On Security Investment

That formula appears to reduce to ROSI = E - T, though the units of the 
terms
in the equations (dimensional analysis) make me suspicious that the 
formula is
incomplete or the definitions of the terms are too loose (R in $/y; E in 
$; T
in $, ALE in $/y; ROSI units unclear).

> www.csds.uidaho.edu/director/costbenefit.pdf

That URL does not appear to be working this morning.

--
Jonathan Leffler (jleffler () us ibm com)
STSM, Informix Database Engineering, IBM Data Management
4100 Bohannon Drive, Menlo Park, CA 94025
Tel: +1 650-926-6921   Tie-Line: 630-6921
      "I don't suffer from insanity; I enjoy every minute of it!"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html