Access "Return on security investment: The risky business of probability"
This article is part of the December 2013 Vol. 15 / No. 10 issue of 2013 Security 7 award winners revealed
As most of us know, return on security investment is basically the amount of risk reduced, less the amount spent, divided by the amount spent on controls. Net amount of risk per amount of control is the essential formula for any "return on" ratio -- return on investment, equity, assets and so on. (It isn't like this stuff is just made up; there's history and an interest in consistency here.) The challenge for technology risk management professionals is really a gut check: Are we really, truly reducing risk by the amount we are spending on security? As I noted in my November column, first, realize that you are making that assertion every time you allocate resources to some function. So take a step back and verify that the costs of your recent actions -- salaries, operating expenses, capital investments -- meet these criteria. But breakeven is never good enough, and we really haven't gotten to the bottom of the individual values of probability and impact (the elements of risk). It's useful -- perhaps even crucial -- to have an objective understanding of these ... Access >>>
Premium Content for Free.
Beyond the Page: Breach detection systems
by John Pirc
In the December 2013 Beyond the Page, John Pirc explains why breach detection systems are an essential security tool in a malware-infested world.
Banking on intelligence-driven security
by Jason Witty
Security 7 Award winner Jason Witty discusses how rapid change requires a disciplined, collaborative approach to information security.
Analytics and the insider threat: Privileged users and patterns of deception
by Timothy Rogers
Security professionals should analyze metrics to learn baseline behavioral patterns of their employees and identify anomalous behaviors.
Secure all the (Internet of) Things
by Angela Orebaugh
Despite the promise of the Internet of Things, history will repeat itself unless we take action.
Feature: Enhanced threat detection: The next (front) tier in security
by John Pirc
When conventional security falls short, breach detection systems and other tier-two technologies can bolster your network’s defenses.
- Beyond the Page: Breach detection systems by John Pirc
Wi-Fi connectivity puts pressure on medical device security
by Ali Youssef
Health system's certification program mitigates the risks associated with wireless medical devices.
A full-service model for SIEM
by George Do
The industry needs to recognize the value that full service "SIEM in the cloud" would bring to organizations.
From ABCs to BYOD
by Philip Scrivano
Security 7 Award winner Phil Scrivano heads a BYOD program for the 17 public schools in Los Angeles County, securing network access from kindergarten on up.
Get back to basics for improved network security
by Nick Duda
If your post-mortem meetings are anything like mine, forget the bells and whistles and revisit security best practices.
- Wi-Fi connectivity puts pressure on medical device security by Ali Youssef
Congratulating the 2013 Security 7 Award winners
by Kathleen Richards, features editor
We honor leading information security professionals in seven vertical industries and applaud their achievements in our annual awards issue.
Return on security investment: The risky business of probability
by Pete Lindstrom, Contributor
You are better off with real numbers when it comes to measuring probability and the elements of security risk, even if they are wrong.
- Congratulating the 2013 Security 7 Award winners by Kathleen Richards, features editor
More Premium Content Accessible For Free
Strategies for a successful data protection program
Deploying data protection technologies properly requires a lot of time and patience. While most firms can get started by using preconfigured policies...
Devices, data and how enterprise mobile management reconciles the two
The bring your own device (BYOD) movement, which has flooded the enterprise with employee-owned smartphones, tablets, phablets and purse-sized ...
Putting security on auto-pilot: What works, what doesn't
For so long penetration testing meant hiring an expert to use skill and savvy to try to infiltrate the company system. But, as with most ...