>If you break into a safe, and there is nothing there....you leave. >This angle works for many businesses and users. > Wrongly, IMHO. There is a second side to it that the analogy fails to consider. If you open a safe you inmediately see what's in there. Any unusual thing is easy to spot. And you can only use a safe to store things. You don't use it to remotely break into another safe or to do illegal business with it (the safe won't go out to sell drugs or distribute pornography, it won't hide a hord of spies or fire a dynamite bomb to a bank's safe). But your computer may -once broken into- be used to send illegal data, sell illegal items, break another computer's defense lines, etc... I remember one case in which the secret services of a country contacted one University complaining of somebody breaking in their systems from there. When followed, the chain pointed to some other countries' secret services and an embarrassing situation for the University. Now think how would your small business feel if, say the DFA said that some colombian cartel was using your business to clear their laundry or sell their stock. And how would you explain that you have nothing to do with that, and that you don't care if they use your computers for that since you don't store your sensitive data in that safe. For an anlogy, say you leave the doors to your company quarters open by night and that you never worry to look into the basement where a satanic ring cannibalizes evary day a victim or two... The point is that everybody closes doors when they leave work. And while they are there they keep an eye on everything. And that's more valid the smaller the business is. Hell, even the hot-dog seller locks his little carriage when he goes to sleep. Being too simplistic when estimating costs of break-in in the modern age of IT can cost you more than you expect. Including a nice touristical trip to the finest prisons of Taiwan -if you're lucky. That's where affordable and easy to use IDS systems should come in. jr