Security Incident Cost BS

Sometimes the obvious isn't. Apparently.

An organization I'm familiar with recently had a small "virus" outbreak. It wasn't really a virus, but I'll call it that for simplicity. This "virus", though it infected over a score of computers, was largely held at bay due to defense-in-depth. It couldn't communicate with the outside world because of our firewalls and some local policy stuff on the workstations, but it *did* infect them in such a way that McAfee couldn't detect it. It took an analysis of firewall logs to track the compromised systems down.

All well and good. Nothing new.

Now, we have an estimate of how much this incident "cost" the organization. I was peripheral to the cost calculation, but it seemed based on a simple I-CAMP model (here's a good article on it from 2002) where you take the time people put into remediating the issue and multiply it by their wage. Thus, 5 administrators who each put in 10 hours at $50/hour would show a cost of (number of administrators) × (number of hours) × (hourly wage), or 5 × 10 × $50 = $2500.

(Yes, I know, very simplified as each administrator was receiving the same pay...I'm lazy, what can I say).

Now, David in the article above goes to great lengths to defend this formula (granted it was in 2002, so he may have recanted...I don't know) and even goes beyond it to state how hard it is to calculate losses such as reputation, revenue and insurance deductibles.

Hello? Sounds like a good use for this.

Do any of these people actually have jobs? I've been involved in countless incidents, and you know what? I've rarely received an unbudgeted dime for my involvement, and yet I know that I am *always* calculated into the "cost" of the incident.

When I was at (insert telecom company here), we had the Code Red outbreak, and my hours were figured into the cost. Guess what? I was doing my job. Oh, and those things that didn't get done because I was working on Code Red? Oh, THERE WEREN'T ANY, because I still had to get them done. Thank heavens I got paid overti....oh, yeah I didn't. I just had to do my flogging job.

And somehow this was wrapped into an incident cost. Was it used to justify more headcount (which would have made sense and turned it into a real cost)? Nope. Just a great number to flash around.

Now, I'm not a Kevin Mitnick fan (nor am I a detractor...I just don't give much of a rip) but for all of the "losses" his exploits caused there was a great similarity to the "losses" we had sustained from Code Red.

Not a single SEC filing showing actual loss.

Don't get me started on "losses" regarding governmental incidents. Governments (local, state, federal, etc.) have captive audiences, so they aren't worried about "revenue loss". When they can show me costs associated with unbudgeted items (snowplow rental, contract employees, or overtime paid to employees) associated with an incident, then I'll believe them.

Otherwise, it's just a bunch of people working a little harder at their jobs.
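As an added illustration (not part of the original post), here is the I-CAMP arithmetic from the $2500 example above placed beside the "unbudgeted items only" figure the post says it would accept. All names, hours and dollar amounts are constructed for the example.

```python
# Added illustration, not from the post: the I-CAMP labour figure beside the
# incremental, unbudgeted cost of the same incident. Data below is constructed.
from dataclasses import dataclass


@dataclass
class StaffEntry:
    name: str                        # constructed name
    hours_on_incident: float         # every hour spent, paid extra or not
    hourly_wage: float
    overtime_paid_hours: float = 0.0 # only hours that actually drew overtime pay
    overtime_multiplier: float = 1.5


@dataclass
class UnbudgetedItem:
    description: str
    amount: float


def icamp_cost(staff):
    """I-CAMP style: every hour spent times the wage, budgeted or not."""
    return sum(s.hours_on_incident * s.hourly_wage for s in staff)


def unbudgeted_cost(staff, items):
    """Only money that left the building because of the incident:
    overtime actually paid, contractors, rentals. Salaried hours add nothing."""
    overtime = sum(s.overtime_paid_hours * s.hourly_wage * s.overtime_multiplier
                   for s in staff)
    return overtime + sum(i.amount for i in items)


# The post's scenario: 5 administrators, 10 hours each, $50/hour, no overtime paid.
ADMINS = [StaffEntry(f"admin{i}", 10, 50.0) for i in range(5)]

# Same incident, but one admin was paid 4 hours of overtime and a contractor
# was brought in for two days (constructed figures).
ADMINS_WITH_OVERTIME = [StaffEntry(f"admin{i}", 10, 50.0) for i in range(4)]
ADMINS_WITH_OVERTIME.append(StaffEntry("admin4", 10, 50.0, overtime_paid_hours=4))
EXTRA_ITEMS = [UnbudgetedItem("contract employee, 2 days", 1200.0)]


def compare(staff, items):
    """Return both figures so the gap between them is visible side by side."""
    return {"icamp": icamp_cost(staff), "unbudgeted": unbudgeted_cost(staff, items)}


if __name__ == "__main__":
    print(compare(ADMINS, []))                       # icamp 2500.0, unbudgeted 0.0
    print(compare(ADMINS_WITH_OVERTIME, EXTRA_ITEMS)) # icamp 2500.0, unbudgeted 1500.0
```

The first scenario is the post's own: the I-CAMP number is $2500 while no unbudgeted money changed hands; in the second, the I-CAMP figure does not move at all even though a real $1500 was spent.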
