
What Price Security?

By Tom Schmidt

All businesses take risks - especially if they can lead to rewards. That's partly what return on investment (ROI) is all about. In exchange for money spent, you hope to reap something in return. But what about investments whose returns aren't easily measured in dollars and cents? For example, how do you measure ROI for security? This article looks at new ways that businesses are making the ROI case for this critical investment.

Apples and oranges

It's a conundrum that plagues businesses large and small as they strive to wring competitive advantage from every dollar they spend: Where is the quantifiable proof that X amount of spending will prevent Y amount of losses due to security breaches? Traditional cost-benefit analysis hasn't been much help here because costs and benefits need to be measured in the same terms. That's easy with some straightforward revenue-enhancing investments, but not with security.

For many companies, the benefit of their security investment often boils down to so-called "soft" returns -- such as the protection of their brand image by avoiding the negative publicity associated with being hacked. Perhaps it's not surprising that, in the absence of hard numbers, advocates for increased security spending sometimes find themselves falling back on fear, uncertainty and doubt -- or FUD -- to make their case.

Making the case for ROSI

In the past few years a body of research has grown that supports the theory that it is possible to calculate a tangible return on security investment (or ROSI). Much of this research comes from the fields of risk assessment and risk management. It looks at such things as cost reduction related to risk mitigation and productivity gains associated with security investment. While the math and economics underlying these studies are beyond the scope of this article, consider the following developments:

  • Cost-benefit trade-offs: Researchers at the University of Idaho assessed the cost-benefit trade-offs for a network intrusion detection system (IDS) they built. The team assigned costs for detecting and responding to various intrusions, and for a wide range of tangible and intangible assets, with the goal of showing that handling attacks through intrusion detection is more cost-effective than other means. Their conclusion: an IDS that cost $40,000 and was 85 percent effective yielded a ROSI of $45,000 on a network that was expected to lose $100,000 yearly to intrusions (85 percent of $100,000 saved, less the $40,000 spent on the tool).
  • Timing of security implementation: In another study, researchers from Stanford, MIT, and the consultancy @Stake calculated the value of incorporating security at various stages of the software development process. Using a combination of public and proprietary data about application development, the team built a time-phased model. Their findings: ROI is 21 percent when security is incorporated early, in the design phase, but declines to just 12 percent when it is added later, in the testing phase. The researchers also found that fixing four bugs during testing cost $24,000, while the same fixes cost $160,000 after the software was deployed.
  • Baseline comparisons: In a third study, researchers built a network infrastructure similar to that used by companies conducting transactions over the Internet. Performance metrics were taken to establish a baseline throughput rate. Security measures were then applied in steps, and new measurements were compared with the baseline. The researchers found that applying appropriate security measures can create efficiency gains -- that is, increased network throughput -- of more than 3 percent.

No one said it's easy

As the above examples show, calculating a tangible ROSI is math- and labor-intensive. But the point is that it can be done. Research is now available to help estimate both the cost of a security incident to an organization and the probability that a given incident will occur.

For example, the University of Idaho team came up with the following formula for calculating ROSI: (R - E) + T = ALE, and R - ALE = ROSI, where R is the cost per year to recover from intrusions with no tool in place, E is the savings gained by stopping intrusions (the tool's effectiveness applied to R), T is the annual cost of the intrusion detection tool, and ALE is the Annual Loss Expectancy. Note that in this formula ALE is the residual expected annual cost once the tool is deployed, so ROSI is the reduction in expected cost that the tool buys. With the figures from the IDS study above (R = $100,000, E = 85 percent of $100,000 = $85,000, T = $40,000), ALE = ($100,000 - $85,000) + $40,000 = $55,000 and ROSI = $100,000 - $55,000 = $45,000.
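The formula is easy to misapply once more than one control is on the table, so here it is as a small calculator. This is an added example written for this page, not code from the article or from the University of Idaho study; the symbols R, E, T, ALE and ROSI are the article's, while the break-even derivation, the SLE x ARO helper for estimating R, the candidate controls and their figures are assumptions made here for illustration.

```python
"""Return on security investment (ROSI) computed with the formula the article
attributes to the University of Idaho IDS study.

Symbols follow the article:
    R    cost per year to recover from intrusions with no tool in place
    E    savings gained by stopping intrusions (effectiveness x R)
    T    annual cost of the detection tool
    ALE  (R - E) + T, the residual annual cost with the tool deployed
    ROSI R - ALE
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RosiResult:
    R: float
    E: float
    T: float
    ALE: float
    ROSI: float

    @property
    def return_on_cost(self) -> float:
        """ROSI relative to what the tool cost (0 when the tool is free)."""
        return self.ROSI / self.T if self.T > 0 else 0.0


def annual_loss_without_control(sle: float, aro: float) -> float:
    """Derive R from per-incident cost and incident frequency.

    Standard risk-analysis identity (single-loss expectancy times annualised
    rate of occurrence). It is not a figure from the article; it is the usual
    way to obtain R when only incident costs and probabilities are known.
    """
    if sle < 0 or aro < 0:
        raise ValueError("sle and aro must be non-negative")
    return sle * aro


def rosi(R: float, effectiveness: float, T: float) -> RosiResult:
    """Apply (R - E) + T = ALE and R - ALE = ROSI for one control."""
    if R < 0 or T < 0:
        raise ValueError("R and T must be non-negative")
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness is the fraction of intrusions stopped")
    E = effectiveness * R
    ALE = (R - E) + T
    return RosiResult(R=R, E=E, T=T, ALE=ALE, ROSI=R - ALE)


def break_even_effectiveness(R: float, T: float) -> float:
    """Smallest effectiveness at which ROSI is not negative.

    ROSI = R - ((R - e*R) + T) = e*R - T, so ROSI >= 0 exactly when e >= T/R.
    A tool that costs more than the losses it could ever prevent (T > R)
    never breaks even, which shows up as a required effectiveness above 1.0.
    """
    if R <= 0:
        raise ValueError("R must be positive")
    return T / R


def rank_controls(
    R: float, candidates: Dict[str, Tuple[float, float]]
) -> List[Tuple[str, RosiResult]]:
    """Score several (effectiveness, annual cost) options against the same R,
    best ROSI first. The most effective control is not automatically the
    best investment."""
    scored = [(name, rosi(R, eff, cost)) for name, (eff, cost) in candidates.items()]
    return sorted(scored, key=lambda item: item[1].ROSI, reverse=True)


if __name__ == "__main__":
    # Figures from the article's IDS example.
    article = rosi(R=100_000, effectiveness=0.85, T=40_000)
    print(f"E={article.E:,.0f} ALE={article.ALE:,.0f} ROSI={article.ROSI:,.0f}")
    print(f"break-even effectiveness: {break_even_effectiveness(100_000, 40_000):.0%}")

    # Constructed candidates: hypothetical figures, not from the article.
    options = {
        "IDS from the study": (0.85, 40_000),
        "premium IDS": (0.95, 70_000),
        "managed monitoring": (0.55, 12_000),
        "do nothing": (0.0, 0),
    }
    for name, result in rank_controls(100_000, options):
        print(f"{name:20s} ROSI={result.ROSI:>9,.0f}  ALE={result.ALE:>9,.0f}")
```

Two things the arithmetic makes visible that the prose does not: the tool in the study only needs to stop 40 percent of intrusions (T/R) to pay for itself, and in the constructed ranking a cheaper, less effective option comes within a few thousand dollars of it while a more effective but pricier product trails both, because ROSI rewards the spread between losses averted and cost, not effectiveness alone.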

A great deal of relevant data to help you get started is available on the Web site of the CERT Coordination Center at Carnegie Mellon University. Bottom line: creating a defensible economic model for ROSI through quantified risk analysis is possible.

The big picture

The increased attention paid to ROSI comes as security budgets are being scrutinized as never before. At the same time, the threat of cyber attacks continues to grow, including two overarching threats to corporate computer security: fast-spreading "blended" threats (malicious code that combines several propagation and attack methods), and insufficient funding allocated by managers for security initiatives. Companies that negligently allow their security to be compromised can also be sued.

Conclusion

Proving the value of security in cold, hard numbers will never be easy. It takes time, legwork, and a willingness to gather a veritable armada of data. ROSI is emerging as the preeminent way to make a solid business case for security spending -- especially in today's economic climate.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.

Entire contents ©2008 InfoEdge. All Rights Reserved.