Rick,

I'm interested in this subject as well. If you'd like to collaborate and produce such a document I would love to help.

I see this type of white paper first relating to risk analysis. To relate to costs, a business impact analysis must be done to determine the cost of the affected information. Qualitative or quantitative? I'm a fan of qualitative risk analysis based on the confidentiality, integrity, and availability of information.

You mention potential costs of unavailability and confidentiality. What about the costs of replacing the data, recreating it, or actually using incomplete or incorrect data?

As you mention, to mitigate risk you can reduce, avoid, transfer and ultimately accept. I would never suggest spending $10 to safeguard information only worth $1.

Regards,
Brian

Thought I would post a question here, nessus related -- kinda OT.  Would
like any appropriate feedback ...

If someone is drawing up a vulnerability and "costs of fixing this network"
document; am I overlooking associated costs with securing a network using
Nessus?

	1.  Accept the risk
	costs: (potential) legal, downtime, publicity

	2.  Use Nessus to figure out the vulnerabilities
	costs:  build nessus box, install + update, policy creation for
scans, scan times, scan reviews, vulnerability research, patch research,
patch install, administrative red tape
