Showing posts from February, 2008

Security Incident Cost BS

Sometimes the obvious isn't. Apparently.

An organization I'm familiar with recently had a small "virus" outbreak. It wasn't really a virus, but I'll call it that for simplicity. This "virus", though it infected over a score of computers, was largely held at bay due to defense-in-depth. It couldn't communicate with the outside world because of our firewalls and some local policy stuff on the workstations, but it *did* infect them in such a way that McAfee couldn't find them. It took an analysis of firewall logs to track the compromised systems down. All well and good. Nothing new.

Now, we have an estimate of how much this incident "cost" the organization. I was peripheral to the cost calculation, but it seemed based on a simple I-CAMP model (here's a good article on it from 2002) where you take the time people put into remediating the issue, and multiply by their wage. Thus, 5 administrators who each put in 10 hours at