Comments on: A Barn Door Has No ROI http://securityviews.com/blog/2008/02/15/a-barn-door-has-no-roi/ Actionable security ideas for managers. Wed, 20 Aug 2008 10:19:32 +0000 http://wordpress.org/?v=2.0.2 by: The Security Catalyst » Carnival of the Security Catalyst Community for Tuesday, February 26, 2008 http://securityviews.com/blog/2008/02/15/a-barn-door-has-no-roi/#comment-4669 Tue, 26 Feb 2008 12:46:08 +0000 http://securityviews.com/blog/2008/02/15/a-barn-door-has-no-roi/#comment-4669 [...] I thought Scott penned a good look at ROI in A Barn Door Has No ROI. I often discourage people from bothering with ROI; I don’t find it to be a highly effective measure to communicate need. Instead, I generally suggest people work to reduce costs and communicate benefits in simple and common language (no jargon). Scott lays out a simple and easy to understand scenario that will help in the future. [...] […] I thought Scott penned a good look at ROI in A Barn Door Has No ROI. I often discourage people from bothering with ROI; I don’t find it to be a highly effective measure to communicate need. Instead, I generally suggest people work to reduce costs and communicate benefits in simple and common language (no jargon). Scott lays out a simple and easy to understand scenario that will help in the future. […]

]]> by: Barn Door Simple? Not Exactly… | RiskAnalys.is http://securityviews.com/blog/2008/02/15/a-barn-door-has-no-roi/#comment-4527 Thu, 21 Feb 2008 18:49:43 +0000 http://securityviews.com/blog/2008/02/15/a-barn-door-has-no-roi/#comment-4527 [...] Scott Wright of Scott Wright’s Security Views Blog wrote recently in his post “A Barn Door Has No ROI”: But how many organizations realize that investing in security safeguards is just like putting a door on a barn. It’s not so much trying to figure out how much money you will save if you put on a door. You know if you don’t put on a door, eventually, you’re going to have to buy a new horse. [...] […] Scott Wright of Scott Wright’s Security Views Blog wrote recently in his post “A Barn Door Has No ROI”: But how many organizations realize that investing in security safeguards is just like putting a door on a barn. It’s not so much trying to figure out how much money you will save if you put on a door. You know if you don’t put on a door, eventually, you’re going to have to buy a new horse. […]

]]> by: Scott http://securityviews.com/blog/2008/02/15/a-barn-door-has-no-roi/#comment-4396 Sat, 16 Feb 2008 11:44:16 +0000 http://securityviews.com/blog/2008/02/15/a-barn-door-has-no-roi/#comment-4396 I should have also mentioned that many organizations do use Baseline Security Standards of some kind, as a way of maintaining consistent treatment of common security issues. Most governments have baseline standards (Government Security Policy in Canada, ISO 27000 series as an emerging global standard, etc.) Organizations will often take one of these standards and tailor them for their own use. You may still need to do some form of economic analysis to see if the "expected losses" prevented by a safeguard are worth the cost of implementing it. But this is where a Threat and Risk Assessment can be used to identify appropriate safeguards that are recommended based on the risks to the organization beyond what baseline security standards would protect against. I should have also mentioned that many organizations do use Baseline Security Standards of some kind, as a way of maintaining consistent treatment of common security issues. Most governments have baseline standards (Government Security Policy in Canada, ISO 27000 series as an emerging global standard, etc.)

Organizations will often take one of these standards and tailor them for their own use. You may still need to do some form of economic analysis to see if the “expected losses” prevented by a safeguard are worth the cost of implementing it. But this is where a Threat and Risk Assessment can be used to identify appropriate safeguards that are recommended based on the risks to the organization beyond what baseline security standards would protect against.

]]>