- FBI warns Hit Man e-mail scammer back
- 20 tech habits to improve your life
- Industry mourns slain Cisco exec
- 10 Firefox add-ons for better browsing
- Wireless LANs face scaling challenges
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
In my two latest columns, I have been reviewing the book _Managing Cyber-Security Resources: A Cost-Benefit Analysis_ by Lawrence A. Gordon & Martin P. Loeb. Today I’ll continue with a couple more of the chapters in this excellent resource for IA managers.
Chapter 2, entitled "A Cost-Benefit Framework for Cybersecurity," begins with clarification of the distinction between operating costs and capital investments - a touchy subject for a countenance because, as the authors point out, our rapidly changing technical and threat environments mean that much of what we buy has to be replaced relatively quickly.
From some standpoints, it would make much more sense to regard IA expenditures as operating expenses. The authors write, "the fact that corporate balance sheets usually do not explicitly report cyber security investments, even though such investments are critical assets for organizations operating in the digital economy, supports the observation that firms generally expense cyber security investments." They add, "Indeed, a good way to view all costs related to cybersecurity activities is to think of them as capital investments with varying time horizons."
Next, the authors define the principles of cost-benefit analysis; in essence, "the organization should keep increasing its security activities as long as the incremental benefits from increases in such activities exceed the incremental cost of those activities."
They then discuss the net present value (NPV) model, which takes into account the costs of investments over time (e.g., the costs of financing and lost investment opportunities) and values such as loss avoidance and the incremental gains associated with those benefits - all expressed in constant currency values. They explain the internal rate of return (IRR) and return on investment (ROI) and then provide detailed scenarios and calculations to help readers get used to these quantitative concepts.
Chapter 3, "The Costs and Benefits Related to Cybersecurity Breaches," explores how managers can classify and evaluate direct and indirect costs as well as explicit and implicit costs.
These two dimensions are orthogonal (independent). Direct costs can be traced to specific security incidents, whereas indirect costs include IA overhead such as firewalls and other security devices or personnel costs for IA teams. Explicit costs are those tied specifically to IA; implicit costs include consequential damages such as opportunity costs.

Aging network systems and old habits have dictated how businesses spend their IT budgets. As a...
Implementing HA at the Enterprise Data Center Edge to Connect to a Large Number of Branch OfficesThis paper reviews the problem of creating a network where the dynamic availability of services is...
Enterprise Data Center Network Reference ArchitectureUsing a High Performance Network Backbone to Meet the Requirements of the Modern Enterprise Data...

The standard for Power over Ethernet (PoE), IEEE Std. 802.3af(tm)-2003, advanced networking,...
Harnessing the power of communications to increase workplace performanceDue to the convergence of IT and telecommunications technologies, the business workplace has been...
Stay out of the headlines: Detecting and preventing network intrusionsHow do YOU stay out of the headlines? There is no denying that risk exists in our computer-driven...

We have so many holes punched in our firewalls today that many industry insiders question the value...
IP address management in 2008 - six things to knowRead this Network World Special Brief to learn how Enterprise IT managers must update their...
The self-managed networkWe aren't there yet, but advances in network and systems management tools are making it possible to...
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask to prospective vendors to get the right endpoint solution.
Download the white paper.
Unauthorized applications: Taking back control
Employees installing and using unauthorized applications like IM, VoIP, games and peer-to-peer file-sharing applications cause many businesses serious concern. How do you control these applications?
Download the white paper.
Comment