Finally, a Real Return on Security Spending

CMU researchers took all the CERT data from 1988 to 1995 and modeledit. Among the variables they defined were what attacks happened, howoften, the odds any one attack would strike any given company, whatdamage the attacks produced, what defenses were used and how they heldup.

The researchers used the data to build an engine that generatedattacks on a simulated enterprise, which reflected the rate andseverity of attacks in the real world. The computer program was anattack dogCMU set it loose on a fictitious network and said,"Sic!"

Then they recorded what happened, how the network survived theattacks. After that, the researchers tweaked the variables. Sometimesthey gave the faux-enterprise stronger defenses (higher cost). Othertimes they increased the probability of attack to see how the networkwould hold up against a more vicious dog.

An inventive aspect of the CMU study was that it didn't treat securityas a binary proposition. That is, it didn't assume you were eitherhacked or not hacked. Rather it measured how much you were hacked.Survivability was defined as a state between 0 and 1, where 0 is anenterprise completely compromised by attack, and 1 is an enterpriseattacked but completely unaffected. This provides a far more realisticmodel for the state of systems under attack than an either-orproposition.

The data from the simulation was plotted on a curve. The X-axis wascost, which was in absolute terms (that is, a cost of 10 is twice asmuch as a cost of 5, but they don't have direct analogs to dollars).The Y-axis was survivability, plotted from 0 to 1.