“An important first step is to evaluate risk accurately,” he says, “rather than responding willy-nilly to the threat du jour.”
Although benchmark costs taken from industry peers can be useful, nothing compares with having a record of one’s own. “It’s difficult to make a good budget or spending decision without actual facts,” Lawson says.
He developed a calculator that lets companies estimate how much incidents such as SQL Slammer have cost them, and then how much of that loss a given level of security would have prevented.
The example shows the impact of a SQL Slammer attack on a global manufacturing company. Three levels of security are assessed: basic, in which a single person is responsible for identifying and installing required patches; intermediate, in which teams of staff are responsible for applying patches; and high end, in which the company uses a system that automatically checks for and applies patches.
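The article does not publish the calculator's formulas or figures, so the following is an added Python sketch, not Lawson's tool, of the kind of model such a calculator has to contain: the three patching regimes above are parameterised by how quickly and how completely they get a patch onto hosts, the outbreak is characterised by how long the patch was available before the worm hit, and the "loss avoided" is the difference between the no-patching loss and the loss under each regime. Every number (rollout days, coverage, 2,000 exposed hosts, $500 per downtime hour) is a constructed assumption; the one fact carried in from Slammer itself is that the fix (MS02-039) had been available for roughly six months before the worm appeared in January 2003.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PatchTier:
    """One of the three patching regimes described in the article (assumed parameters)."""
    name: str
    days_to_full_rollout: float  # assumed days for the process to reach every host it covers
    coverage: float              # assumed fraction of hosts the process reaches at all


@dataclass(frozen=True)
class Incident:
    """A worm outbreak for which a vendor patch predated the attack."""
    name: str
    patch_to_attack_days: float   # days between patch release and worm appearance
    hosts_exposed: int
    downtime_hours_per_infected: float
    cost_per_downtime_hour: float
    cleanup_cost_per_infected: float


def unpatched_fraction(tier: PatchTier, incident: Incident) -> float:
    """Fraction of exposed hosts still vulnerable on the day the worm hits.

    Model (assumed, not the article's): hosts the process never covers stay
    unpatched; the rest are patched at a uniform rate over days_to_full_rollout,
    so the share still open on day D is max(0, 1 - D / days_to_full_rollout).
    """
    never_covered = 1.0 - tier.coverage
    still_in_rollout = max(0.0, 1.0 - incident.patch_to_attack_days / tier.days_to_full_rollout)
    return never_covered + tier.coverage * still_in_rollout


def expected_loss(tier: PatchTier, incident: Incident) -> float:
    """Direct cost of the outbreak under a given patching regime (downtime plus cleanup)."""
    infected = incident.hosts_exposed * unpatched_fraction(tier, incident)
    per_host = (incident.downtime_hours_per_infected * incident.cost_per_downtime_hour
                + incident.cleanup_cost_per_infected)
    return infected * per_host


def loss_avoided(tier: PatchTier, incident: Incident) -> float:
    """How much of the no-patching loss this regime would have prevented."""
    no_patching = PatchTier("none", days_to_full_rollout=float("inf"), coverage=0.0)
    return expected_loss(no_patching, incident) - expected_loss(tier, incident)


# Constructed parameters for the article's three levels; the article gives no figures.
TIERS = (
    PatchTier("basic: one person patches by hand", days_to_full_rollout=240, coverage=0.70),
    PatchTier("intermediate: teams apply patches", days_to_full_rollout=90, coverage=0.90),
    PatchTier("high end: automated patch management", days_to_full_rollout=14, coverage=0.98),
)

# Slammer's patch (MS02-039) shipped about six months before the worm; 185 days is assumed here.
# Host count and per-host costs are constructed for illustration.
SLAMMER = Incident(
    name="SQL Slammer",
    patch_to_attack_days=185,
    hosts_exposed=2000,
    downtime_hours_per_infected=8,
    cost_per_downtime_hour=500,
    cleanup_cost_per_infected=200,
)

if __name__ == "__main__":
    for tier in TIERS:
        print(f"{tier.name:40s} loss ${expected_loss(tier, SLAMMER):>12,.0f}"
              f"   avoided ${loss_avoided(tier, SLAMMER):>12,.0f}")
```

The point the model makes visible is the one the article's three levels are built around: once a regime's rollout time is shorter than the window between patch and worm, the remaining loss is driven almost entirely by coverage, so the gap between "teams apply patches" and "automated patching" is about the hosts nobody's process ever reaches, not about speed. Feeding real figures (actual patch lag from change records, actual downtime cost from the last incident) is exactly the "record of one's own" Lawson argues for.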