[Techtalk] the cost of security holes debate

Megan Golding meggolding at yahoo.com
Mon Jul 22 15:01:20 EST 2002


--- Carla Schroder <carla at bratgrrl.com> wrote:
> "If you're going to play a silly numbers game, at least make it
> fair. Either don't count security issues where there were no
> victims or assign a weight to each. For example, a Nimda would
> be a 10 but a "potential security hole" that was reported before
> real users fell victim would be a one. Also, give more points to
> those problems where no secure alternative exists.
> 
> "Better yet, let's not play the game at all.
> 
> Thank you, Ed Sawicki.  http://www.alcpress.com

Right on, Ed! Thanks, Carla, for sending Ed's comments to the list.

Ed's comments about the misleading nature of software security
metrics as determined by counting vulns posted to Bugtraq remind me
of something I heard at work. The lead architect at my company has
long extolled the "Economics of information security" -- he talks
about how much a company is willing to spend to protect an item of
some value. The idea is that you probably wouldn't spend $10 to
protect a $1 item if the risk of loss is relatively low.

In the same line of thought, I'd suggest that the software security
metrics be based on the economics of the situation.

Let's say:

C = Cost to patch/replace/make secure. (This is mostly a cost in work
hours for a systems administrator.)

R = Risk of exploit. (Is this a vuln announcement? An exploit
announcement? Exploits are far more dangerous than vulnerabilities.)

and 

S = Overall security

then,

S is inversely related to C (or S = 1/C)
and
S is inversely related to R (or S = 1/R)
or
S = 1/(CR)

What other factors come to mind for quantifying the cost of security
holes and the overall security of a system?

Meg
