Sunday, November 23, 2008

Reading on Justifying Security Operations

My post Managing Security in Economic Downturns mentioned wrapping everything in metrics to justify your security operation. I decided to peruse the past proceedings of the Workshop on the Economics of Information Security for ideas.

I was mostly interested in works explaining how to show value derived from security operations. (Remember value is mainly or exclusively cost avoidance.) I am really interested in knowing how much it costs to maintain and defend an information infrastructure vs what it costs to exploit it. I found the following to be previous work in related areas.

You may also remember my review of Managing Cyber-Security Resources: A Cost-Benefit Analysis. It is good background reading.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

No comments: