Backups

[Gregory Boyce]

On Wed, 11 Feb 2009, Dan Ritter wrote:

> I lied. It's actually worth that much to you, multiplied by the
> number of times you need it.
>
> If it costs your company $10,000 a day to be without this
> system, and it would happen two days a year, then you can
> justify $19,999 each year on backup systems and procedures.

Back when I was working on getting my CISSP the books had the same 
equation.

Single Loss Expectancy (SLE) * Annual rate of occurance (ARO) = Annual 
Loss Expectancy (ALE)

Any security control that lowers your ALE by more than the cost of the 
control itself is worth implementing.  Anything else is a waste of money.

That's about the point where I realized that there was very little 
difference between upper management in a security group and an insurance 
company ;)