|
 Security and Return on Investment
It’s not easy, but more and more businesses are looking at ways to calculate a Return on Investment for their security spending. All businesses take risks if they can lead to rewards. That’s partly what return on investment (ROI) is all about. In exchange for this much money spent, you hope to reap that much more in return. But what about investments whose returns aren’t easily measured in dollars and cents? For example, how do you measure ROI for security? This article looks at new ways that businesses are making the ROI case for this critical investment.
Apples and oranges
It’s a conundrum that plagues businesses large and small as they strive to wring competitive advantage from every dollar they spend: Where is the quantifiable proof that X amount of spending will prevent Y amount of losses due to security breaches? Traditional cost-benefit analysis hasn’t been much help here because costs and benefits need to be measured in the same terms. That’s easy with some straightforward revenue-enhancing investments, but not with security, where it’s often difficult to express the benefit in dollars. For many companies, the benefit of their security investment often boils down to so-called “soft” returns — such as an enhanced brand image by avoiding the negative publicity associated with being hacked — and other such claims that are hard to quantify. Perhaps it’s not surprising that, in the absence of hard numbers, advocates for increased security spending sometimes find themselves falling back on fear, uncertainty and doubt – or FUD – to make their case.
Making the case for ROSI
But in the past few years a body of research has grown up supporting the proposition that it is possible to calculate a tangible return on security investment (or ROSI). Much of this research comes from the fields of risk assessment and risk management. It looks at such things as cost reduction related to risk mitigation and productivity gains associated with security investment. While the math and economics underlying these studies are beyond the scope of this article, consider the following developments: Researchers at the University of Idaho assessed the cost-benefit trade-offs for a network intrusion detection system (IDS) they built. The team assigned costs for detecting and responding to various intrusions, and for a wide range of tangible and intangible assets. Their goal was to prove that that it’s more cost-effective to deal with attacks using intrusion detection than through other means. Their conclusion: An IDS that cost $40,000 and was 85 percent effective resulted in a ROSI of $45,000 on a network that was expected to lose $100,000 yearly as a result of intrusions.
In another study, researchers from Stanford, MIT, and consultancy @Stake calculated the value of incorporating security at various stages in the software development process. Using a combination of public and proprietary data about the application-development process, the team built a time-phased model. Their findings: ROI is 21 percent when security is incorporated early in the design phase but declines to just 12 percent when incorporated later in the testing phase. The researchers also found that the cost of fixing four bugs during the testing stage totaled $24,000 but ballooned to $160,000 if done after the software was deployed. In a third study, researchers erected a network infrastructure similar to that used by companies conducting transactions over the Internet.
Performance metrics were taken to establish a baseline throughput rate; security measures were then applied in steps, and new metrics were taken and compared with the baseline metrics. Researchers found that applying appropriate security measures can create efficiency gains – that is, increased network throughput –of more than 3 percent. No one said it’s easy
As the above examples show, calculating a tangible ROSI is math- and labor-intensive. But the point is that it can be done. Research is now available to help you calculate the cost of security incidents to your company and the probability that a given incident will occur. For example, the University of Idaho team came up with the following formula for calculating ROSI: (R-E)+T=ALE, and R-ALE=ROSI (where R = the cost per year to recover from an intrusion, E = the savings gained by stopping the intrusion, T = the cost of the intrusion detection tool, and ALE = the Annual Loss Expectancy). Bottom line: Creating a defensible economic model for ROSI through quantified risk analysis is possible.
The big picture
The increased attention paid to ROSI comes as security budgets are being scrutinized like never before. At the same time, the threat of cyber attacks continues to grow each day. According to CERT, 2003 is on course to rack up more than twice last year’s 82,094 reported IT security incidents. All the more reason to “make security part of the business process,” according to Linda McCarthy, the author of “IT Security: Risking the Corporation.” To support that stand, McCarthy cites two overarching threats to corporate computer security: the spread of fast-spreading, “blended” threats (i.e., malicious code) and insufficient funding allocated by managers for security initiatives. She also makes a point that is essential to any discussion about security and ROI today: companies that negligently allow their security to be compromised can be sued by victims of crimes committed by others. McCarthy’s further contention that successful information security must start at the top of an organization underscores another point about the growing importance of ROSI: It is a way for security experts and business managers to speak the same language.
Conclusion
Proving the value of security in cold, hard numbers will never be easy. It takes time, legwork, and a willingness to gather a veritable armada of data. ROSI is emerging as the preeminent way to make a solid business case for security spending — especially in today’s chilly economic climate. Companies that don’t at least begin to go down this path could find themselves increasingly at risk.
–reprinted from Symantec
|
