Archive for the ‘price’ Category

Just Who’s Being Exploited?

2008/04/30/0847

RTFA: http://www.securityfocus.com/columnists/470

Even the clumsy, rudimentary risk pricing of Annualized Loss Expectancy (ALE), which estimates the projected cost of recovery from the number of likely occurrences per year, makes worm defense worth hundreds of thousands of dollars for a bank, hospital or large enterprise. When the recovery costs projected by IT security risk models are compared with the amounts being paid for 0-day vulnerabilities, there is a big, scary gap that shows one of the following:

1. according to the market prices for 0-day exploits, the security risk from 0-day vulnerabilities is vastly overestimated,
2. according to IT risk models, vulnerabilities are completely underpriced, or
3. most 0-day developers lack basic negotiation skills.
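As an added worked example (not code from this post or from the linked column), here is the ALE arithmetic the post refers to, run on a constructed worm-outbreak scenario for a bank; the loss per incident, occurrence rates, control cost and 0-day price are all assumed sample values.

```python
# Added example: the ALE-based risk pricing the post refers to, applied to a
# constructed worm-outbreak scenario. Every figure below is an assumption.

def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro


def countermeasure_net_benefit(sle: float, aro_before: float, aro_after: float,
                               annual_cost: float) -> float:
    """Classic ALE cost-benefit: risk reduction from a control minus its annual cost.

    A positive result means the model says the defense is worth buying.
    """
    return ale(sle, aro_before) - ale(sle, aro_after) - annual_cost


def risk_to_price_ratio(sle: float, aro: float, exploit_price: float) -> float:
    """How many times the modeled annual loss exceeds what a 0-day reportedly sells for.

    This is the 'gap' the post talks about: a large ratio means either the risk
    model overstates the loss or the market underprices the vulnerability.
    """
    return ale(sle, aro) / exploit_price


if __name__ == "__main__":
    # Constructed scenario (assumed values): a worm outbreak costs a bank
    # $250k to recover from and happens twice a year without a mitigation;
    # a $120k/year control (patch management, egress filtering) cuts that
    # to once every five years.
    sle, aro_before, aro_after, control_cost = 250_000, 2.0, 0.2, 120_000
    assumed_exploit_price = 50_000  # placeholder, not a quoted market figure

    print(f"ALE without control : ${ale(sle, aro_before):,.0f}")
    print(f"ALE with control    : ${ale(sle, aro_after):,.0f}")
    print(f"Net benefit of control: "
          f"${countermeasure_net_benefit(sle, aro_before, aro_after, control_cost):,.0f}")
    print(f"Modeled annual loss / assumed 0-day price: "
          f"{risk_to_price_ratio(sle, aro_before, assumed_exploit_price):.1f}x")
```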

Totally wild concept: the damage from software vulnerabilities costs dramatically more than the labor that uncovers those vulns. Therefore, should undisclosed vulns sell for more?
