Author :
Geer, Daniel E., Jr. ; Conway, Daniel G.
Abstract :
Cost-benefit analysis in security is appealing as a standard approach, admirable for its simplicity, appreciated for its generality, but otherwise worthless. Every cost-benefit calculation requires a consistent scale, and the more people this affects, the less they're likely to agree on whatever rescaling this forces. Thus, questions such as "What is a human life worth?" or, in our case, "What is a secure machine worth?" yield indefensible answers, which serve as an awkward basis on which to begin formal analysis. For the record, we believe our lives to be more valuable than standard governmental estimates. Cost-effectiveness analysis simply assumes that you'll spend the money, so it asks "How many lives can you save?" or, in our case, "How much breakage can you prevent?".
Keywords :
cost-benefit analysis; computer security; cost-effectiveness analysis; digital assets; Automatic testing; Cardiac arrest; Costs; Educational institutions; Humans; Lab-on-a-chip; Libraries; Manufacturing; Public healthcare; Security; for good measure; security & privacy