Risk Management v. Security

According to Jones, information security deals in a boolean: an incident either can or cannot occur. Risk, by contrast, is the probable frequency and probable magnitude of future loss. Viewed through risk management, "secure" on its own has no meaning. The only relevant question is: what are the odds that I'll lose, and how much?

Several questions feed into that probability. How often are losses of this kind incurred? How often do attacks of this kind hit other organizations? If the event does happen, what are the odds that we can do anything about it; should we dedicate resources to logging every IP address that pings us when attacks almost always arrive from a proxied address? What is the capability of the threat; what is the worst it can do? And finally, how much control do we actually have; is it worth installing DDoS protection rated for 50 Gbps when the latest attacks weigh in at 1 Tbps?

My gut reaction to that last figure would be no. Other factors, though, may change my mind. The frequency of DDoS attacks has recently been trending downward, and when attacks do occur, 58% of them are under 50 Gbps. On top of that, most DDoS attacks happen fewer than 25 times to a given organization. Taken together, those numbers would officially change my mind: protection that absorbs the majority of the attacks an organization is likely to face is worth having even though it cannot stop the largest ones.

That is the difference between information security and risk management. In the name of security, an organization would want DDoS protection up to a volume of 1 Tbps. But the cost of that protection would surely outweigh the loss it would prevent from a statistically infrequent, one-time attack, while the cheaper 50 Gbps tier covers the attacks that actually happen most of the time.
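As an added worked example, not code from the post or from Jones, here is the expected-loss arithmetic behind that decision, plus a small Monte Carlo of the kind a FAIR-style analysis runs instead of plugging in single point estimates. The 58% figure comes from the post; every other number (attacks per year, loss per attack, the annual price of each protection tier) is an assumption chosen for illustration, and the function names are mine.

```python
"""Risk = probable frequency x probable magnitude of future loss (Jones).

Worked example for the DDoS question in the post: does a control that only
absorbs attacks up to 50 Gbps pay for itself when the biggest attacks are
1 Tbps? The control does not shrink an attack that gets through; it removes
the loss events it can absorb, i.e. it cuts loss-event frequency by the share
of attacks under its capacity.
"""
import math
import random

# Figure taken from the post: 58% of DDoS attacks are under 50 Gbps.
SHARE_UNDER_50GBPS = 0.58

# Everything below is an ASSUMED, constructed input for illustration only.
ATTACKS_PER_YEAR = 4.0            # assumed loss-event frequency (Poisson rate)
LOSS_PER_ATTACK_MEAN = 40_000.0   # assumed mean loss when an attack lands
LOSS_PER_ATTACK_SD = 30_000.0     # assumed spread of that loss
COST_50GBPS_PER_YEAR = 60_000.0   # assumed annual price of 50 Gbps scrubbing
COST_1TBPS_PER_YEAR = 400_000.0   # assumed annual price of 1 Tbps scrubbing


def annualized_loss(freq_per_year, mean_loss, covered_fraction=0.0):
    """Expected annual loss: frequency x magnitude, minus the attacks the
    control absorbs (those produce no loss at all)."""
    return freq_per_year * (1.0 - covered_fraction) * mean_loss


def net_benefit(freq_per_year, mean_loss, covered_fraction, annual_cost):
    """Loss avoided by the control minus its price. Positive = worth buying."""
    avoided = annualized_loss(freq_per_year, mean_loss) - annualized_loss(
        freq_per_year, mean_loss, covered_fraction)
    return avoided - annual_cost


def _poisson(rng, lam):
    """Knuth's Poisson sampler; the random module has no Poisson draw."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(years=10_000, seed=7, covered_fraction=SHARE_UNDER_50GBPS,
             freq_per_year=ATTACKS_PER_YEAR, mean_loss=LOSS_PER_ATTACK_MEAN,
             sd_loss=LOSS_PER_ATTACK_SD):
    """Monte Carlo over many simulated years.

    Each year: draw the attack count (Poisson), then for each attack draw
    whether it is under the control's capacity and how much it would cost
    (lognormal, so losses are skewed with a long tail). Returns the mean
    annual loss without and with the control.
    """
    rng = random.Random(seed)
    # lognormal parameters that reproduce the desired mean and std deviation
    sigma2 = math.log(1.0 + (sd_loss / mean_loss) ** 2)
    mu = math.log(mean_loss) - sigma2 / 2.0
    sigma = math.sqrt(sigma2)

    total_unmitigated = 0.0
    total_mitigated = 0.0
    for _ in range(years):
        for _ in range(_poisson(rng, freq_per_year)):
            loss = rng.lognormvariate(mu, sigma)
            total_unmitigated += loss
            if rng.random() >= covered_fraction:   # attack exceeds capacity
                total_mitigated += loss
    return total_unmitigated / years, total_mitigated / years


if __name__ == "__main__":
    print("ALE, no control:      %10.0f" % annualized_loss(
        ATTACKS_PER_YEAR, LOSS_PER_ATTACK_MEAN))
    print("ALE, 50 Gbps control: %10.0f" % annualized_loss(
        ATTACKS_PER_YEAR, LOSS_PER_ATTACK_MEAN, SHARE_UNDER_50GBPS))
    print("net benefit, 50 Gbps: %10.0f" % net_benefit(
        ATTACKS_PER_YEAR, LOSS_PER_ATTACK_MEAN, SHARE_UNDER_50GBPS,
        COST_50GBPS_PER_YEAR))
    print("net benefit, 1 Tbps:  %10.0f" % net_benefit(
        ATTACKS_PER_YEAR, LOSS_PER_ATTACK_MEAN, 1.0, COST_1TBPS_PER_YEAR))
    unmit, mit = simulate()
    print("simulated mean annual loss: %.0f without, %.0f with 50 Gbps"
          % (unmit, mit))
```

With the assumed inputs, the 50 Gbps tier avoids more loss than it costs and the 1 Tbps tier does not, which is the post's conclusion in numbers; change the assumed frequency or cost and the answer can flip, which is exactly why the question is about odds rather than about being "secure".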
