by growupkids 4214 days ago
And he's wrong. The loss isn't just 1 million, and calling a certainty a risk is just baffling. If we assume the legacy system actually needs 10 million in enhancements to be adequately protected, I think it's safe to say it's a train wreck security-wise. For that, and other reasons (Sony assumes they will get owned), it's safe to assume the system is going to get compromised. So it's not a risk anymore, it's a certainty.

So with that said, if the cost to report is 1 million, and the system is vulnerable, and they expect to get compromised, then it's not going to cost them just 1 million. It's going to cost them at least 11 million, or more.

Further, the "don't fix, just accept the risk" costs also won't just be 1 million; it's going to be 1 million every time it's compromised until they fix it. Since he's only accounting for the cost to report the breach, and the box is STILL owned and STILL vulnerable, it's going to keep getting compromised. So it's 1 million times each event, which is potentially infinite since nothing's changed to stop the next event.

To stop that infinite cycle, he has to pay to fix it, or keep paying to report. Either way he's paying more than 1 million. And since Sony, I'm sure, isn't that stupid, let's assume someone with common sense will order him to stop accepting the risk and the bleeding; then his real risk cost is at least 1 million to report and fix once that decision is made (and fixing is probably going to cost more now than the original 10 million since the system is now compromised too).

I'm not sure if he realizes this or not, or if it was a clumsy attempt to explain risk, but at least in the statements reported, that's a critical flaw in his reasoning. And that's why what he said isn't just unconvincing, it's wrong.

If that's how Sony makes risk management decisions I have a Pinto to sell them.