> Sometimes it is hard to evaluate the real value of
> information/assets processed in a company.
> How to quantify the risks and, in the end, how
> can the identified risks be met? The goal is
> to provide BS7799 compliance of the security
> policy but again - the most feasible.

There are a number of companies developing BS7799 compliance methodologies (including my company). I doubt you will find useful info in the open to that regard, but I will gladly be happy if I am proven wrong by someone on the list.

> Most likely companies should not invest more money
> into their information security than the value
> of the possible loss is (in case of an incident)?

You're right. The trend nowadays is to "break even" between the decreasing curve of loss as you increase security and the increasing curve of cost of security as you increase security. The probability of an accident cannot be leveled off to zero, so there is no point in spending more than the loss you will face should an accident happen at the chosen level of residual risk. Again, putting real dollars (or euros ...) on those curves is more a matter of art than science, and I doubt there is any useful public info out there. Please list, prove me wrong :-)

--
Alessandro Bottonelli
Owner of www.axis-net.it (Italian only)