> They can afford to pay creatives, but they can't afford to pay for a few more security engineers?
So how do you measure their risk and the probability of being damaged? Serious security experts are STILL trying to figure out how to calculate these things. Insurance companies still have trouble "properly" pricing cyber insurance. The insurance companies are doing it, but they are way behind their ability to price for other forms of disasters.
So how much should they spend towards cyber security? How far off are they from that amount? We don't know. (Well, maybe we'll know from the leaked documents.)
You do that through a Security Risk Assessment. There are plenty of models (e.g. OCTAVE) out there to help a security engineer conduct a Risk Assessment on an organization's infrastructure. Moreover, a Security Risk Assessment is very strongly suggested by any Security Compliance Program that deals with sensitive information.
This dump clearly shows personally identifiable information, something that would be easily classified as sensitive (e.g. SSNs). I'm very sure Sony Pictures classified their leaked movies as sensitive since it would cause massive financial loss (which happened) if they were stolen.
If anybody was doing a Risk Assessment, protecting this critical part of the infrastructure would have been number 1 on the list.
Hackers are even claiming that a physical door with access to the sensitive environment was left unlocked. That's security 101!