Get smart about patching security vulnerabilities
Submitted by oana.raileanu,
on 2009-03-12,
in Studies & Benchmarks
(Linda Tucci, Senior News Writer, SearchCIO-Midmarket) How can companies be free of security vulnerabilities? They could ferret out all the flaws in their computer products and patch them. They could prevent flaws from being exploited by shutting down systems. Of course, neither is good for business or the budget.
That's the view of Peyton Engel, a technical architect who heads the security assessment team at CDW Corp., at the recent Fusion 2009 CEO-CIO Symposium in Madison, Wis. "Instead, companies need to spend less time reacting willy-nilly to security vulnerabilities and more time asking whether threats are likely to affect them," Engel said. He recommends companies identify the point of diminishing returns of patch management by weighing the probability and severity of the security vulnerability, rather than the severity alone.

[...]

Calculated hype from security vendors

But calculating risk is itself a risky business. One formula, for example, calls for thinking about risk in terms of annualized loss expectancy. To determine this, you multiply the single loss expectancy, or the cost of a single incident, by the annual rate of occurrence (ARO), or how many incidents per year, to get a dollar figure per year. If the solution the security guy is trying to sell you is less than dollars per year, then it is a no-brainer and you should buy it.
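The annualized loss expectancy rule described above, as an added example that is not part of the original article: it ranks a set of findings by severity alone and by ALE, then keeps only the fixes that cost less per year than the loss they are expected to avert. Every name, score and dollar figure is constructed for illustration, and the code assumes a fix removes the whole expected loss.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str
    severity: float   # 0-10 severity score
    sle: float        # single loss expectancy: dollars per incident
    aro: float        # annual rate of occurrence: incidents per year
    fix_cost: float   # dollars per year for the patch or control

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO, in dollars per year."""
        return self.sle * self.aro

# Constructed sample data; none of it comes from the article.
FINDINGS = [
    Finding("internal print server RCE", 9.8, 20_000, 0.01, 3_000),
    Finding("legacy FTP cleartext login", 7.5, 4_000, 0.25, 1_500),
    Finding("laptop without disk encryption", 6.5, 50_000, 0.1, 2_000),
    Finding("webmail phishing exposure", 5.4, 15_000, 2.0, 8_000),
]

def rank_by_severity(findings):
    """Order findings by severity score alone, highest first."""
    return [f.name for f in sorted(findings, key=lambda f: f.severity, reverse=True)]

def rank_by_ale(findings):
    """Order findings by probability-weighted yearly loss, highest first."""
    return [f.name for f in sorted(findings, key=lambda f: f.ale, reverse=True)]

def worth_buying(findings):
    """Fixes that cost less per year than the loss they are expected to avert."""
    ranked = sorted(findings, key=lambda f: f.ale, reverse=True)
    return [f.name for f in ranked if f.fix_cost < f.ale]

if __name__ == "__main__":
    for f in sorted(FINDINGS, key=lambda f: f.ale, reverse=True):
        verdict = "buy" if f.fix_cost < f.ale else "skip"
        print(f"{f.name:32} sev={f.severity:<4} ALE=${f.ale:>9,.0f} "
              f"fix=${f.fix_cost:>6,.0f} -> {verdict}")
```

With these inputs the highest-severity finding ranks last by ALE because its annual rate of occurrence is so low, which is the gap between severity-only and probability-weighted patching that Engel describes.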