This might be the most difficult comparison to make.
Implementing a form of security seldom involves just the cost of acquisition,
such as the purchase price of a firewall or an authentication server like
TACACS+. There can be network performance implications if the new technology
increases latency through a device. The new technology or policy could reduce
user access or increase user effort in using the technology.
Just as identifying costs associated with implementing some
security changes might be difficult, many types and levels of risk can also
accrue if the service or policy isn’t implemented. The loss could include the
following:
- Loss of company data or intellectual property, such as the accidental or intentional corruption or deletion of files
- Loss of service, such as the loss of a server from a DoS attack, the loss of data storage space because of the replication of nonbusiness files, or the loss of a web site defaced by a hacker
- Loss of privacy, such as the copying and/or viewing of company or personnel information by unauthorized users
- Loss of reputation, such as the company embarrassment and possible loss of business associated with the disclosure that customer files or credit card information has been accessed by outsiders
Note: I once had a client who got a call from a police department several states away informing him that his web site was hosting a porn exchange site. The officer provided the exact address and told the client to "take care of it." The officer went on to explain that the call was a courtesy because he was convinced this was an unauthorized use of the server, but that they could just as easily have shown up with warrants and turned the whole place upside down. The site was removed. The company developed a security program, but the client was fearful for a long time that the word might somehow get out and damage his reputation within his client community.
Ultimately, each organization must evaluate its network and
intellectual resources to determine the appropriate level of security needed to
safeguard those resources, while still enabling the organization to meet its
primary mission. This evaluation process often takes time to reach equilibrium
and can be altered significantly by events such as a network intrusion or loss
of a valuable resource. The lucky groups are those that can learn vicariously
from the experiences of others and possibly avoid significant losses of their
own.