(and I have to agree with him)
This article was published in 2008 but I guess it will still make sense in 3008.
Snippets:
Quote "Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context."
Cybersecurity is considerably harder. We're trying to prevent change so quickly that we can't accumulate data fast enough. By the time we get some data, there's a new threat model for which we don't have enough data. So we can't create ALE models.
ALE is not fully useless, but it does mean you should:
- Mistrust any analyses that come from people with an agenda and
- Use any results as a general guideline only.
The link below has more details:
https://www.schneier.com/blog/archives/2008/09/security_roi_1.html