Firewall Wizards mailing list archives

AW: Security policy and risk analysis questions


From: Peter.Kunz () sega ch
Date: Fri, 30 Apr 1999 11:15:47 +0200


Another thing I've done is looked at the Business Resumption Plan (BRP)
budget and used that amount to justify increased spending (assumes BRP
spending is higher). For example, say for BRP your company's assets are
worth 1 million. And let's say the probability of a tornado, fire, etc.
destroying your data center is .001 for any given year. Therefore, the
annual BRP budget should be no more than $1,000 (1mm * .001). Now say
the probability of a security "incident" is .01 (10 times more likely) but
the assets at risk are only $100,000. Then, the question you should ask is
(again assuming BRP spending is more): why are we not spending more/as
much/etc on security, which BTW has a much greater probability of occurring
than BRP?

        [Kunz, Peter]  This is a very good point. You can even go further
and ask: What's the probability of a Windows client crashing, and how much
does this downtime cost? Then multiply by the number of users and you'll
suddenly see a surprisingly large number. Often, BRPs only consider the big
servers. But if you look at the whole picture, you get some astounding
figures.

You can also try tying security to BRP. BRP, IMO, consists of three types of
disasters: natural, man-made (security incidents), and machine (hardware
failures).

        [Kunz, Peter]  Unfortunately, most BRPs only consider 1 and 3, where
3 is handled by redundancy.

        cu
        -pete
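The budget argument in the post above is an annual loss expectancy (ALE) comparison: loss per event, times how often it is expected per year, times how many assets are exposed. The script below is an added example, not code from the list post or its authors; it carries the post's figures (tornado: $1M at .001, security incident: $100k at .01) plus a constructed workstation row for Peter Kunz's "multiply by the number of users" point, and ranks the three BRP disaster categories named in the thread against hypothetical budget figures.

```python
"""Annual loss expectancy (ALE) comparison across BRP disaster categories.

Added example for the thread's budget argument. Assumptions (not from the post):
the workstation row (500 users, $200 per crash, 0.5 crashes/user/year) and the
per-category budgets passed to overspend() are constructed figures.
"""

from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    category: str              # "natural", "man-made" or "machine" (the 3 BRP types)
    loss_per_event: float      # single loss expectancy in dollars
    events_per_year: float     # annual probability (or expected rate, if > 1)
    count: int = 1             # number of identical exposed assets, e.g. users

    def ale(self) -> float:
        """ALE = single loss * annual rate * number of exposed assets."""
        return self.loss_per_event * self.events_per_year * self.count


# Figures from the post, plus the constructed workstation row.
RISKS = [
    Risk("data center destroyed (tornado, fire, ...)", "natural", 1_000_000, 0.001),
    Risk("security incident", "man-made", 100_000, 0.01),
    Risk("Windows client crash (constructed figures)", "machine", 200, 0.5, count=500),
]


def ale_by_category(risks: list[Risk]) -> dict[str, float]:
    """Sum ALE per BRP category; the post treats this as the budget ceiling."""
    totals: dict[str, float] = {}
    for r in risks:
        totals[r.category] = totals.get(r.category, 0.0) + r.ale()
    return totals


def rank_by_ale(risks: list[Risk]) -> list[str]:
    """Risk names, highest expected annual loss first."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale(), reverse=True)]


def overspend(risks: list[Risk], budgets: dict[str, float]) -> dict[str, float]:
    """Categories whose planned budget exceeds their ALE, with the excess.

    This is the post's question in reverse: if one category is funded above
    its ALE while another with equal or higher ALE is funded below it, the
    allocation, not the risk, is what needs justifying.
    """
    ceilings = ale_by_category(risks)
    return {
        cat: spend - ceilings.get(cat, 0.0)
        for cat, spend in budgets.items()
        if spend > ceilings.get(cat, 0.0)
    }


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name:45s} {r.category:9s} ALE ${r.ale():>12,.2f}")
    print("ranked:", rank_by_ale(RISKS))
    # Constructed budgets: BRP funded at 5x its ALE, security at a fraction of its ALE.
    print("over-funded:", overspend(RISKS, {"natural": 5_000, "man-made": 250, "machine": 0}))
```

With the post's numbers the tornado and the security incident come out at the same ALE ($1,000 each), which is exactly why the post asks why one is funded and the other is not; the workstation row shows how a small per-user loss multiplied across every client dwarfs both.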