Comments on TaoSecurity Blog: Notes from SC Magazine
Blog author: Richard Bejtlich

Comment by Anonymous, 2006-08-15 10:11 -04:00

I don't think risk analysis is dead; you do that all day, every day. I think it's just the "R" in ROSI that is dead. Nobody is asking for a return on investment in physical security, either.

I don't buy the "security as insurance" either. Insurance is what you buy to decrease your losses when your prevention fails. I think the best you can do is to lay out your risk analysis, do a performance-based budget, and show your predictable spending vs. your unpredictable spending. It's not exactly parallel with physical security, because you have to spend a lot more time on business-enabling development and testing. It's a weird mix of physical security and regular IT issues.

Comment by Unknown (https://www.blogger.com/profile/15357840241031190415), 2006-08-10 09:46 -04:00

In regards to the lack of real ROSI, does this also mean that risk analysis is also going to be a dying art? I guess to me, the hard part of figuring out ROSI would be putting a value on threats, vulnerabilities, etc. The cost of countermeasures is not hard to value (cost of equipment, maintenance, etc.). Is that a similar track, or did I skip lanes a bit?

On a separate note, we've had people robbing homes for hundreds, thousands of years. You'd think we'd have solved this problem and made homes impenetrable. Well, sure, with enough money and controls.