Is something I refer to every other day. The list has articles which has lists of things like Print Screen utilities, File Recovery tools, and the item I referred to, today:
5 Key security questions that every executive should be able to answer
I found a security flaw on a customer system, which could allow Information Disclosure.
But how to present it to management?
I looked at what Eric Cole had written on determining the Return On Investment (ROI) for any risk, and here it is:
The FRED system baseline security setting is set at too low a security level.
The impact of this is that it would be possible for an attacker to gain access to FRED.
What is the likelihood of it occurring?
Low for external attacker,
Low -> Medium for internal attacker.
The vulnerability would require the following to exploit:
Knowledge of the FRED system. This information is readily available, and just requires an attacker to “join the dots”
If it occurs, what will it cost?
Exposure of confidential/sensitive corporate information.
Impact to our reputation, and customer confidence.
What will it cost to eliminate the risk?
30 hours of effort to configure FRED into a secure mode.
What will it cost to reduce the risk to an acceptable level?