Obviously, security here is defined as attack and the damage caused by it, and security by IDS. Might be nice, but I can't see much use, since calculating R as recovery costs, and E as savings gained by stopping, does not take into account that intrusions differ in impact, which can increase over time through growing dependency on infrastructure. This can only be based on figures from one's own organisation, so it supposes that intrusions are stopped and the cost can be calculated. This is very rare. Savings are hard to calculate, since it is usually impossible to say what the damage 'would have been', as there is no known mathematical model to calculate an average cost of things that did not happen. T = even stranger, since IDS detect some but rarely stop many intrusions. Let alone that intrusions are only a small part of security incidents.... Stopping attacks seen by an IDS usually means that people react. And how do you calculate the cost of an attack against an IDS that can stop an attack, i.e. close connections etc.?
Putting these together, the concept ALE is probably as useless as drinking the stuff on the M25 on Boxing Day. If my customers were gullible enough to swallow this, I'd make a fortune.... Anyway, maybe it is because I did not read the PDF.... page could not be found. But I sincerely doubt it.

----- Original Message -----
From: "Jonathan Leffler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 08, 2004 7:16 PM
Subject: [Full-Disclosure] Re: ROSI

> "Curt Purdy" <[EMAIL PROTECTED]> wrote:
> > ROSI [...] Annual Loss Expectancy (ALE) was figured. ALE is an attack's damage
> > multiplied by frequency.
> >
> > Determining cost-benefit
> >
> > (R-E) + T = ALE
> > R-ALE = ROSI
> >
> > R = the cost per year to recover from an intrusion
> > E = the savings gained by stopping the intrusion
> > T = the cost of the intrusion detection tool
> > ALE = the Annual Loss Expectancy
> > ROSI = Return On Security Investment
>
> That formula appears to reduce to ROSI = E - T, though the units of the terms
> in the equations (dimensional analysis) make me suspicious that the formula is
> incomplete or the definitions of the terms are too loose (R in $/y; E in $; T
> in $, ALE in $/y; ROSI units unclear).
>
> > www.csds.uidaho.edu/director/costbenefit.pdf
>
> That URL does not appear to be working this morning.
>
> --
> Jonathan Leffler ([EMAIL PROTECTED])
> STSM, Informix Database Engineering, IBM Data Management
> 4100 Bohannon Drive, Menlo Park, CA 94025
> Tel: +1 650-926-6921 Tie-Line: 630-6921
> "I don't suffer from insanity; I enjoy every minute of it!"
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
