[Full-Disclosure] Re: ROSI
From: Jonathan Leffler (jleffler_at_us.ibm.com)
To: firstname.lastname@example.org Date: Thu, 8 Apr 2004 10:16:25 -0700
"Curt Purdy" <email@example.com> wrote:
> ROSI [...] Annual Loss Expectancy (ALE) was figured. ALE is an attack's
> multiplied by frequency.
> Determining cost-benefit
> (R-E) + T = ALE
> R-ALE = ROSI
> R = the cost per year to recover from an intrusion
> E = the savings gained by stopping the intrusion
> T = the cost of the intrusion detection tool
> ALE = the Annual Loss Expectancy
> ROSI = Return On Security Investment
That formula appears to reduce to ROSI = E - T, though the units of the
in the equations (dimensional analysis) make me suspicious that the
incomplete or the definitions of the terms are too loose (R in $/y; E in
in $, ALE in $/y; ROSI units unclear).
That URL does not appear to be working this morning.
-- Jonathan Leffler (firstname.lastname@example.org) STSM, Informix Database Engineering, IBM Data Management 4100 Bohannon Drive, Menlo Park, CA 94025 Tel: +1 650-926-6921 Tie-Line: 630-6921 "I don't suffer from insanity; I enjoy every minute of it!" _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html