- Microsoft lays out SQL Server road map
- Credit card skimming
- Nortel's stock market capitalization plummets
- The Obama campaign's Search Engine to Nowhere
- Will Apple be forced to make more money?
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:Application Performance Solutions | App Performance | Networking Solution | SafeGuard Enterprise Solution Center | SOA | Test your Web Filter | Value of WDS
Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
In my courses on the management of information assurance (IA) I make a point of telling my students that as managers, we should always be prepared to answer the following two questions from upper management about our proposed budgets for IA:
1. Why do we need to spend _so much money_ on IA?
2. If IA is so important to us, why aren’t you asking for _more_ money than this?
These questions focus on the idea that it should be possible to decide on optimal security expenditures for a specific organization using reason.
I want to be sure that readers are aware of a great divide in the world of security management: a battle between extreme proponents of quantitative risk-management methodologies and those who insist that only qualitative methods have any validity. Personally, I like using both approaches and will discuss my position in an upcoming newsletter.
In my last column, I began reviewing the book _Managing Cyber-Security Resources: A Cost-Benefit Analysis_ by Lawrence A. Gordon & Martin P. Loeb. Gordon and Loeb began their text with a well-written review of the importance of IA in their introductory chapter. They review the evolution of management structures, the growing acceptance of security standards, and the rise of organizations supporting IA.
Most important, they directly confront a fundamental difficulty faced by those proposing quantitative risk management for security-related decisions: the argument that such quantitative methods are based on an incomplete and necessarily faulty base of numerical information about the costs and probabilities of security incidents.
They warn that basing economic decisions about IA solely on best practices cannot guarantee that these spending levels are optimized. As they write, "if all firms take this approach, all firms may be either overspending for security or leaving themselves open to unnecessary risks... Herd behavior may feel good and have some merit, but it is no substitute for carefully conducted analysis." The authors argue that both methodologies have their place.
The authors throw down the gauntlet to extreme supporters of qualitative risk analysis and management (those who deny any role to quantitative methods): "an important goal of this book is to debunk the five cybersecurity myths listed here[:]
M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.

Ever since there have been stocks and shares there have been so called "pump 'n' dump" scams. This...
Spyware: Know Your EnemyLike Macavity, the fictional feline in T. S. Eliot's well-known poem, spyware may be considered to...
The Online Shadow Economy: A Billion Dollar Market For Malware AuthorsMalware, meaning computer viruses, trojans and spyware, is about money. The teenagers who wrote...

Microsoft SQL Server has enjoyed phenomenal success as a database server. Its relatively low cost,...
Minimizing the Risk of Information Security Breaches: Best Practices for SOA Governance and Compliance - Live October 21Today's enterprises face more information security risks and vulnerabilities than ever before....
Migrating to Windows Vista: Necessity and OpportunityThe Vista era of Windows is here. Yet most organizations will retain Windows XP alongside new Vista...

Discover why Unified Threat Management Firewalls are ready for the enterprise today. High...
The Evolution of Network SecurityWe have so many holes punched in our firewalls today that many industry insiders question the value...
The self-managed networkWe aren't there yet, but advances in network and systems management tools are making it possible to...
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment