Posted by: admin, 15 years, 7 months ago
In my first post, I discussed the shortcomings of ROI as an analysis tool for information security projects: it doesn't include a cost of capital. Using a cap rate (capitalization rate) will increase the accuracy of your analysis, but how do you come up with a good cap rate?
First, start with your firm's WACC (weighted average cost of capital). Ask your CEO or CFO. If you can get a bank loan of some kind, your cost of debt is whatever rate the bank gives you; your cost of equity would be somewhere above that. Then look at the project. Will it create new avenues of attack and increase risk? Will a successful attack have significant consequences? Will it increase the likelihood of injury? If so, what would the cost be? These are subjective questions. I find that when faced with subjective questions, it's helpful to weight the answers and average the results.
Below is a short table that compares an existing, well-protected LAN to the same network with a WiFi network added. You assign a weight to each element according to how much it matters to your firm. For example, while the loss of confidential information scores high, perhaps it is unlikely that you would have to announce the loss publicly, say because you are not subject to the California Database Protection Act, GLB (Gramm-Leach-Bliley) or HIPAA.
Click here to see the table
You can create your own table of factors. For example, you might include a category for how a successful attack would affect your personal situation at the firm. In this example, we're positing that the wireless LAN is twice as risky as the wired LAN. If your firm's WACC is 10%, this project's cap rate should be 20.7%. If the expected annual savings are $1,000, the capitalized value of those savings at 20.7% is about $4,828, so the investment had better be less than that.
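A worked version of the method above, added here as an example (it is not code from the original post). It scores a baseline and a proposed design on a small table of weighted risk factors, turns the ratio of the two scores into a multiplier on the firm's WACC, and capitalizes the expected annual savings to get the largest investment the project justifies. The factor names, weights and scores are constructed for illustration, and the rule "cap rate = WACC x risk ratio" is an assumption chosen to express "twice as risky, twice the rate"; with it, a doubling of risk on a 10% WACC gives 20%, not the 20.7% quoted in the post, whose derivation is not shown.

```python
"""
Cap-rate sizing of an infosec project: weighted risk factors -> risk ratio
-> risk-adjusted cap rate -> maximum justified investment.

Added example, not code from the original post. Factor table and the
"cap rate = WACC x risk ratio" rule are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    name: str
    weight: float    # how much this factor matters to the firm
    baseline: float  # risk score of the existing design, 1 (low) .. 5 (high)
    proposed: float  # risk score after the project is done


# Constructed scores for a well-protected wired LAN (baseline) versus the
# same LAN with WiFi added (proposed). Illustrative values, not measurements.
WIRED_VS_WIFI = [
    Factor("new avenues of attack",              weight=0.30, baseline=1, proposed=4),
    Factor("consequence of a successful attack", weight=0.25, baseline=2, proposed=2),
    Factor("likelihood of injury",               weight=0.10, baseline=1, proposed=1),
    Factor("public disclosure of a breach",      weight=0.15, baseline=1, proposed=2),
    Factor("personal exposure at the firm",      weight=0.20, baseline=1, proposed=2),
]


def weighted_score(factors, column):
    """Weighted average of one score column ('baseline' or 'proposed').
    Weights are normalized, so they need not sum to 1."""
    total_weight = sum(f.weight for f in factors)
    if total_weight <= 0:
        raise ValueError("factor weights must sum to a positive number")
    return sum(f.weight * getattr(f, column) for f in factors) / total_weight


def risk_ratio(factors):
    """How many times riskier the proposed design is than the baseline."""
    base = weighted_score(factors, "baseline")
    if base <= 0:
        raise ValueError("baseline risk must be positive to form a ratio")
    return weighted_score(factors, "proposed") / base


def project_cap_rate(wacc, factors):
    """Assumed rule: scale the firm's WACC by the risk ratio."""
    if wacc <= 0:
        raise ValueError("WACC must be positive")
    return wacc * risk_ratio(factors)


def max_investment(annual_savings, cap_rate):
    """Capitalized value of a level annual saving: savings / rate."""
    if cap_rate <= 0:
        raise ValueError("cap rate must be positive")
    return annual_savings / cap_rate


def evaluate(wacc, annual_savings, factors):
    """Return the risk-adjusted ceiling beside the WACC-only ceiling, so the
    cost of the added risk is visible rather than hidden in a single number."""
    rate = project_cap_rate(wacc, factors)
    return {
        "risk_ratio": risk_ratio(factors),
        "cap_rate": rate,
        "max_investment": max_investment(annual_savings, rate),
        "max_investment_wacc_only": max_investment(annual_savings, wacc),
    }


if __name__ == "__main__":
    result = evaluate(wacc=0.10, annual_savings=1000.0, factors=WIRED_VS_WIFI)
    for key, value in result.items():
        print(f"{key:26s} {value:,.2f}")
```

With the constructed table the WiFi design scores exactly twice the baseline, so the 10% WACC becomes a 20% cap rate and $1,000 a year of savings justifies at most $5,000 of investment, against $10,000 if the added risk were ignored and only the cost of capital applied. Swap in your own factors and weights; the point of the table is to make the subjective judgments explicit and arguable rather than buried in a single ROI figure.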