This technique of risk analysis can be applied to almost any decision about any security measure: It's worthwhile only if it costs less than the reduction in your expected loss per year. For example, there are a number of special disks available now that have specialized on-disk encryption hardware. How much of a premium is it worth to buy one of these disks, compared to using encryption software? Simply extend the reasoning: If the special hardware makes it 100 times harder to get data off the disk, the expected loss per year is around $1. If the special hardware costs significantly more than $199, it doesn't actually
So the next time the CEO asks you one of these questions, you can make a back-of-the-envelope estimate in just a few seconds' thought. Won't that make you look good?
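The back-of-the-envelope comparison described above, as an added Python example that is not from the article or this post: it scores "no encryption", software encryption and a hardware-encrypting disk by expected loss per year and tells you the largest premium the hardware is worth. The loss probability, breach cost and control prices are constructed assumptions, not figures from the article.

```python
from dataclasses import dataclass

# Constructed inputs for one laptop (illustrative, not the article's numbers).
P_LAPTOP_LOST_PER_YEAR = 0.05   # chance the laptop is lost or stolen in a year
BREACH_COST = 200_000.0         # cost if the data on it is exposed


@dataclass(frozen=True)
class Control:
    name: str
    p_data_recovered: float     # P(attacker gets the data | laptop lost)
    annual_cost: float          # annualised price of the control per laptop


def expected_loss(ctrl: Control) -> float:
    """Expected loss per year = P(laptop lost) * P(data exposed | lost) * cost."""
    return P_LAPTOP_LOST_PER_YEAR * ctrl.p_data_recovered * BREACH_COST


def net_benefit(candidate: Control, incumbent: Control) -> float:
    """Reduction in expected loss minus the extra cost; worthwhile only if > 0."""
    saved = expected_loss(incumbent) - expected_loss(candidate)
    extra_cost = candidate.annual_cost - incumbent.annual_cost
    return saved - extra_cost


def max_worthwhile_premium(candidate: Control, incumbent: Control) -> float:
    """Largest extra annual cost over the incumbent at which the candidate breaks even."""
    return expected_loss(incumbent) - expected_loss(candidate)


def best_choice(controls) -> Control:
    """Pick the control with the lowest (expected loss + own cost) per year."""
    return min(controls, key=lambda c: expected_loss(c) + c.annual_cost)


# Hardware is assumed to make extraction 100x harder than software encryption.
CONTROLS = {
    "none": Control("none", p_data_recovered=1.0, annual_cost=0.0),
    "software": Control("software", p_data_recovered=0.01, annual_cost=20.0),
    "hardware": Control("hardware", p_data_recovered=0.0001, annual_cost=120.0),
}

if __name__ == "__main__":
    for c in CONTROLS.values():
        print(f"{c.name:9s} expected loss/yr ${expected_loss(c):,.2f}")
    print("hardware premium worth paying over software: "
          f"${max_worthwhile_premium(CONTROLS['hardware'], CONTROLS['software']):,.2f}")
    print("cheapest overall:", best_choice(CONTROLS.values()).name)
```

With these inputs software encryption cuts the expected loss from $10,000 to $100 a year, while the hardware disk saves only a further $99, so it pays for itself only if its premium over software is below that.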
Wednesday, April 09, 2008
ComputerWorld has a nice article by Charlie Martin on "Assessing the risks and cost of encryption." It not only gives a reasoned justification for encrypting personal data on a laptop's disk, it explains a general method for doing a back-of-the-envelope calculation (BOTEC) for any similar security/risk question.