[LINK] RFC: Cloud Computing

Stephen Wilson swilson at lockstep.com.au
Tue Nov 24 10:42:18 AEDT 2009



Roger Clarke wrote:
> Among other things, I'm going to have to do some differentiation 
> between applications, based on their importance.
>
> The 'mission-critical' jargon is dopey (an inappropriate import from 
> military contexts, where it *does* make sense).
>
> But some concept may be needed such as 'capable of bankrupting me if 
> it goes wrong', to distinguish from 'would be a handy adjunct to our 
> marketing analysis' and 'can go missing for a few days and it won't 
> matter much'.
Roger,

Standard risk management frameworks like AS 4360 or ACSI 33 provide 
means to characterise the severity of incidents.  You might find that 
sort of approach useful.

/begin{plug}
A few years ago I wrote a quantitative tool for NSW Government to 
calculate expected ROI from perimeter security expenditure.  I took the 
typical sorts of severity ratings (Low, Medium, Severe etc.) and 
ascribed dollar values corresponding to e.g. 'political embarrassment and 
damage control', 'down time of two weeks', 'total ICT loss and need to 
revert to paper based processes' etc.  There's a 'calibration' table in 
my paper; the magic numbers are easily varied.
The model also featured predicted statistics of security events and 
applied Monte Carlo techniques to generate expected spreads in the ROI.
http://www.gcio.nsw.gov.au/products-and-services/policies-guidelines/return-on-security-investment-rosi
or
http://lockstep.com.au/library/return_on_investment

/end{plug}

Cheers,

Steve Wilson
Lockstep
www.lockstep.com.au
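The modelling approach Wilson describes above (severity ratings calibrated to dollar losses, forecast event rates, and a Monte Carlo spread around the expected ROI) as an added, self-contained example; this is not Wilson's NSW Government tool nor code from his paper. The calibration table, event forecast, control cost and mitigation fractions are all constructed values chosen for illustration, and the Poisson sampler is a plain Knuth implementation so the block runs on the Python standard library alone.

```python
import math
import random
import statistics

# Constructed calibration table: severity rating -> assumed loss in dollars.
# These are placeholder "magic numbers" of the kind the post says are easily varied.
CALIBRATION = {
    "Low": 20_000,        # e.g. political embarrassment and damage control
    "Medium": 250_000,    # e.g. two weeks of downtime
    "Severe": 5_000_000,  # e.g. total ICT loss, revert to paper-based processes
}

# Constructed event forecast: (severity, expected events per year with no new
# control, fraction of those events the proposed control is assumed to prevent).
EVENT_FORECAST = [
    ("Low", 4.0, 0.5),
    ("Medium", 0.5, 0.6),
    ("Severe", 0.05, 0.8),
]

CONTROL_COST = 150_000  # constructed annual cost of the perimeter control


def annualised_loss(forecast, calibration, mitigated=False):
    """Deterministic annualised loss expectancy: sum of rate x loss per severity."""
    total = 0.0
    for severity, rate, prevented in forecast:
        if mitigated:
            rate *= 1.0 - prevented
        total += rate * calibration[severity]
    return total


def expected_rosi(forecast, calibration, control_cost):
    """Point-estimate return on security investment: (loss avoided - cost) / cost."""
    avoided = annualised_loss(forecast, calibration) - annualised_loss(
        forecast, calibration, mitigated=True
    )
    return (avoided - control_cost) / control_cost


def poisson_sample(rng, lam):
    """Knuth's algorithm: draw a Poisson(lam) count of events for one year."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_rosi(forecast, calibration, control_cost, trials=20_000, seed=1):
    """Monte Carlo spread of ROSI: each trial is one simulated year of incidents.

    Event counts are Poisson-distributed around the forecast rate, and each
    simulated event is independently prevented with the control's probability.
    Returns the mean and the 10th/50th/90th percentiles of ROSI across trials.
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    results = []
    for _ in range(trials):
        loss_without = 0.0
        loss_with = 0.0
        for severity, rate, prevented in forecast:
            n_events = poisson_sample(rng, rate)
            n_survived = sum(1 for _ in range(n_events) if rng.random() >= prevented)
            loss_without += n_events * calibration[severity]
            loss_with += n_survived * calibration[severity]
        results.append((loss_without - loss_with - control_cost) / control_cost)
    results.sort()

    def percentile(q):
        return results[int(q * (len(results) - 1))]

    return {
        "mean": statistics.fmean(results),
        "p10": percentile(0.10),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
    }


if __name__ == "__main__":
    print(f"point-estimate ROSI: {expected_rosi(EVENT_FORECAST, CALIBRATION, CONTROL_COST):.2f}")
    spread = simulate_rosi(EVENT_FORECAST, CALIBRATION, CONTROL_COST)
    for key, value in spread.items():
        print(f"{key}: {value:.2f}")
```

The point estimate and the simulated mean agree, but the percentiles show why the spread matters: because the Severe category dominates the avoided loss and occurs rarely, most simulated years return less than the control costs, while a minority return many multiples of it. A decision based on the expectation alone hides that shape.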