Comments on: Email from Dr. Lawrence Gordon: Security ROI possible but not optimal, use other metrics http://www.bloginfosec.com/2007/07/18/email-from-dr-lawrence-gordon-security-roi-possible-but-not-optimal-use-other-metrics/ An Information Security Magazine in a Blog Format Mon, 30 Jan 2012 11:01:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Gary Hinson http://www.bloginfosec.com/2007/07/18/email-from-dr-lawrence-gordon-security-roi-possible-but-not-optimal-use-other-metrics/comment-page-1/#comment-106 Gary Hinson Mon, 27 Aug 2007 23:45:49 +0000 http://www.bloginfosec.com/2007/07/18/email-from-dr-lawrence-gordon-security-roi-possible-but-not-optimal-use-other-metrics/#comment-106 Of all the fascinating topics in information security, the ROI (or ROSI) debate seems to ruffle the most feathers, more even than the feasibility of "assessing" risks. Part of the problem, I believe, is the vocabulary and mindset. Most infosec pros are well versed in infosec terms but some get well out of depth when speaking or writing on finances and economics. It reminds me of the misunderstandings that occur when journalists interview scientists: when the latter say that such-and-such "could happen", the former report it as forgone conclusion that such-and-such *will* happen. The issue of 'return' meaning 'profit' to some and 'lower net costs' to others is a classic example. I'm a bit puzzled at your paper on "virtual trust". The concept of security as a business enabler (giving management the confidence to run with business processes that would otherwise be too risky) has been around for ages, and I see no need to give it a shiny new name - or am I missing something? Anyway, thanks for contributing to the debate. We've been discussing ROI on CISSPforum for a couple of weeks, again, and we're still no nearer a genuine consensus. Give it a few months and the living corpse of another undead discussion will return to haunt us. Kind regards, Gary Of all the fascinating topics in information security, the ROI (or ROSI) debate seems to ruffle the most feathers, more even than the feasibility of “assessing” risks.

Part of the problem, I believe, is the vocabulary and mindset. Most infosec pros are well versed in infosec terms but some get well out of depth when speaking or writing on finances and economics. It reminds me of the misunderstandings that occur when journalists interview scientists: when the latter say that such-and-such “could happen”, the former report it as forgone conclusion that such-and-such *will* happen. The issue of ‘return’ meaning ‘profit’ to some and ‘lower net costs’ to others is a classic example.

I’m a bit puzzled at your paper on “virtual trust”. The concept of security as a business enabler (giving management the confidence to run with business processes that would otherwise be too risky) has been around for ages, and I see no need to give it a shiny new name – or am I missing something?

Anyway, thanks for contributing to the debate. We’ve been discussing ROI on CISSPforum for a couple of weeks, again, and we’re still no nearer a genuine consensus. Give it a few months and the living corpse of another undead discussion will return to haunt us.

Kind regards,
Gary

]]> By: Richard Bejtlich http://www.bloginfosec.com/2007/07/18/email-from-dr-lawrence-gordon-security-roi-possible-but-not-optimal-use-other-metrics/comment-page-1/#comment-105 Richard Bejtlich Thu, 09 Aug 2007 03:59:50 +0000 http://www.bloginfosec.com/2007/07/18/email-from-dr-lawrence-gordon-security-roi-possible-but-not-optimal-use-other-metrics/#comment-105 I'm reading the Loeb/Gordon book now, and they define "return" throughout the book as "cost savings" and "avoiding loss." I will have more to say on this when I post my Amazon.com review. I’m reading the Loeb/Gordon book now, and they define “return” throughout the book as “cost savings” and “avoiding loss.” I will have more to say on this when I post my Amazon.com review.

]]> By: Cutaway http://www.bloginfosec.com/2007/07/18/email-from-dr-lawrence-gordon-security-roi-possible-but-not-optimal-use-other-metrics/comment-page-1/#comment-104 Cutaway Mon, 23 Jul 2007 16:27:45 +0000 http://www.bloginfosec.com/2007/07/18/email-from-dr-lawrence-gordon-security-roi-possible-but-not-optimal-use-other-metrics/#comment-104 Don't worry. I <a href="http://www.cutawaysecurity.com/blog/archives/166#comments" rel="nofollow">linked</a> to you as well. :) Go forth and do good things, Cutaway Don’t worry. I linked to you as well. :)

Go forth and do good things,
Cutaway

]]>