Comments on: ROSI: Security Returns? http://www.bloginfosec.com/2008/03/10/rosi-security-returns/ An Information Security Magazine in a Blog Format Mon, 30 Jan 2012 11:01:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Alex http://www.bloginfosec.com/2008/03/10/rosi-security-returns/comment-page-1/#comment-279 Alex Wed, 12 Mar 2008 20:13:02 +0000 http://www.bloginfosec.com/2008/03/10/rosi-security-returns/#comment-279 @David Gutiérrez There was recently a thread on the securitymetrics mailing list where some companies were refuting that exact assertion. This is also why I'm betting Warren links to the Hubbard book, it's an excellent read on the subj. @David Gutiérrez

There was recently a thread on the securitymetrics mailing list where some companies were refuting that exact assertion. This is also why I’m betting Warren links to the Hubbard book, it’s an excellent read on the subj.

]]> By: David Gutiérrez http://www.bloginfosec.com/2008/03/10/rosi-security-returns/comment-page-1/#comment-250 David Gutiérrez Wed, 12 Mar 2008 00:09:54 +0000 http://www.bloginfosec.com/2008/03/10/rosi-security-returns/#comment-250 i'm sorry to say, but I have yet to see one of that so called "workable estimates of the magnitude and probability of losses and then calculate an expected loss number as the product of estimates of the size of loss and probability of occurrence" that today are nonexistant or useless; note that I'm not saying that we don't need them, but they're not at the maturity level we need. Perhaps we should invest more time into developing the models we will use to start collecting useful data which, in a few years, will help us to do all this work. i’m sorry to say, but I have yet to see one of that so called “workable estimates of the magnitude and probability of losses and then calculate an expected loss number as the product of estimates of the size of loss and probability of occurrence” that today are nonexistant or useless; note that I’m not saying that we don’t need them, but they’re not at the maturity level we need. Perhaps we should invest more time into developing the models we will use to start collecting useful data which, in a few years, will help us to do all this work.

]]> By: stacy http://www.bloginfosec.com/2008/03/10/rosi-security-returns/comment-page-1/#comment-231 stacy Tue, 11 Mar 2008 17:30:59 +0000 http://www.bloginfosec.com/2008/03/10/rosi-security-returns/#comment-231 While I agree with pretty much everything in your article, I would still argue against ROI simply because it is the wrong term. I prefer the term Cost/Benefit, the same factors go into calculating it; you just avoid arguing over whether or not there is any "return". While I agree with pretty much everything in your article, I would still argue against ROI simply because it is the wrong term. I prefer the term Cost/Benefit, the same factors go into calculating it; you just avoid arguing over whether or not there is any “return”.

]]> By: Warren Axelrod of Bloginfosec.com “Gets it” | RiskAnalys.is http://www.bloginfosec.com/2008/03/10/rosi-security-returns/comment-page-1/#comment-225 Warren Axelrod of Bloginfosec.com “Gets it” | RiskAnalys.is Tue, 11 Mar 2008 15:12:48 +0000 http://www.bloginfosec.com/2008/03/10/rosi-security-returns/#comment-225 [...] Link to what he writes here. [...] [...] Link to what he writes here. [...]

]]> By: Alex http://www.bloginfosec.com/2008/03/10/rosi-security-returns/comment-page-1/#comment-187 Alex Mon, 10 Mar 2008 16:01:19 +0000 http://www.bloginfosec.com/2008/03/10/rosi-security-returns/#comment-187 Excellent lead article, Warren! If this is indicative of the quality we can expect here, then I'm all for the new venture. RE: "it is not possible to measure the probability or the magnitude of infrequent but very damaging security events." Interestingly enough, Protiviti (I'm not affiliated) just released a report that does just that. On page 3 of their "Flash Report" on the Societe Generale - they offer the following: "The frequency and magnitude of the losses listed in the chart on page 2 implies that a loss of more than US$1 billion is occurring approximately every 18 months. And of these 11 incidents that each exceed $1 billion in trading losses, more than half (six) have been attributed to a “rogue trader.” I'm very glad to see that you linked to Hubbard, btw. Excellent lead article, Warren! If this is indicative of the quality we can expect here, then I’m all for the new venture.

RE: “it is not possible to measure the probability or the magnitude of infrequent but very damaging security events.”

Interestingly enough, Protiviti (I’m not affiliated) just released a report that does just that. On page 3 of their “Flash Report” on the Societe Generale – they offer the following:

“The frequency and magnitude of the losses listed in the chart on page 2 implies that a loss of more than US$1 billion is occurring approximately every 18 months. And of these 11 incidents that each exceed $1 billion in trading losses, more than half (six) have been attributed to a “rogue trader.”

I’m very glad to see that you linked to Hubbard, btw.

]]>