Defining the Value of Information Security

Dan Hadaway, Infotex

Three Meanings

You can spend days defining Information Security and, since it is such a moving target, just when you think you know the definition, it will be outdated! I like the way Steve Crutchley, CSO of 4FrontSecurity, Inc., puts it . . . "The internet is like electricity . . . you know it's there, but if you put your finger in the socket you get a shock. The same thing happens when you plug into a community of 400 million people!"

Meanwhile, I found more than ten different definitions of the word "value." These definitions range from "monetary or material worth" to "worth in usefulness" to "the precise meaning or import" to "an assigned or calculated numerical quantity" to "the sound quality of a letter" to "the shade of a color" to "the duration of a tone or rest" to . . . well, the list goes on and on.

For the sake of this article, let's reduce the definition of value to three meanings:

The Fallacy of Numerical Value

In selling the value of Information Security to organizations, I often hear advocates discussing Return on Investment. CSOs and CISSPs alike recognize "ROI" as the one acronym that catches the attention of bottom-line types, such as CEOs, CFOs, and Business Owners. But the discussion is usually accompanied by mumblings and murmurs of how hard it is to sell something that, if done well, is never noticed.

I frequently hear frustrated Information Security Sellers pitch security as an added necessity, like insurance. I call this the "Insurance Angle." The danger of this mentality expresses itself when shrugged shoulders change to determination, and Information Security Sellers fall victim to the temptation of using fear as a motivator.

"Yes!" they say, "the CEO buys insurance. Doesn't think twice about it! And Information Security will PREVENT things that we are AFRAID OF."

And thus the Return On Investment . . . the numerical value. The cost of inaction minus the cost of action.

Buy security, prevent disaster.

Like the Y2K Consultant, the Insurance Angle Seller is constantly seeking new clients, due to the resentment of existing clients. CEOs, CFOs, and Business Owners don't like to be scared into a business process. And they don't like false expectations -- unlike Information Security, all they had to do with that insurance policy was file it away.

So I propose a different approach. The second and third meanings of value (artistic and principled) are much more realistic, much more productive, and much more . . . well . . . valuable!

From: Indiana Information Security Web - http://www.iisw.cerias.purdue.edu/business_industry/defining_value.php
