Aside from subnetting, did you ever think you’d use math when joining the information security field?
As a CISSP, you may one day find yourself part of a risk analysis team. The job of this team is to figure out the cost of assets and their associated value. But what’s the difference between cost and value?
Let’s take the example of a single firewall that has stopped functioning for a 24-hour period.
Like the name suggests, the asset value is the value of an asset that will be included in the report by the risk analysis team, to the senior risk management team.
Suppose a company firewall costs $900 to purchase from a vendor like Cisco or Checkpoint. But this is the cost of the firewall, not the value. I know, it can be a little confusing, but if you master the following concept, you’ll do very well on the CISSP exam. Also, you have to know this!
Although the cost of the firewall is $900, the value is much more. Think about it, if a standalone firewall goes down for 24 hours, it allows malicious attackers to create connections to the company network. There is no longer a security device inspecting traffic coming in or out of the network. The company could have a router, but that just diverts traffic to different networks, it does not “inspect” the traffic, that is the main difference between a router and firewall.
Suppose a hacker manages to infiltrate the company file server, and steal employee social security numbers, in the real world we call this a living nightmare.
Let’s break down the value of a lost firewall:
Cost of Firewall: $900
Overtime staff hours to investigate and resolve issue: $5,000
Bad publicity: $3,000
Compliance fines: $2,000
Legal fees from customers suing because of lost personal information: $30,000
Hiring third-party vendors to resolve issue: $12,000
The total cost of a single firewall that stopped working for 24 hours: $52,900 !!
The value of a single firewall is $52,900. That is how much it is going to cost the company if a firewall goes down for 24 hours. This value number goes up the longer the firewall is down, which is why it’s important to get the problem fixed immediately.
As security professionals we can’t think that if a device goes down we just pay to replace it, we have to think about the broader impact.
Think about value over cost when taking your exam.