ROI WITH SECURITY

Finally, a Real Return on Security Spending

18.02.2002
By Scott Berinato

If applied to real-life examples, the Idaho model could produce the data that CIOs need in order to demonstrate not only that their investment pays off, but by how much. Next, the Idaho team wants to put the ROSI analysis inside Hummer. As threats are detected, the box will compare response cost against damage cost. Only if the damage cost is higher will it stop an attack. In other words, the device itself decides if it's cost-effective to launch an emergency response.

Of course, Hummer's data would be logged for review. Putting those features in commercial intrusion detection systems would yield reports that showed how much money CIOs saved using intrusion detection. This would then allow them to compare the costs of one security system against another. And wouldn't that be handy?

The Value of Building Security in Early

While Idaho was toying with Hummer, a group of researchers from MIT, Stanford University and @Stake, a security consultancy located in Cambridge, Mass., was playing with Hoover.

Hoover is a database. Amassed by @Stake, it contains detailed information about software security flaws, from simple oversights to serious weaknesses. Hoover reveals an ugly truth about software design: Securitywise, it's not very good.
