Measuring ROI on your security spending
by ALAN SEE, Chief Executive Officer, e-Cop.net Surveillance Sdn Bhd
RETURN on Investment (ROI) is a common issue among corporate management. The question can seldom be answered to everyone’s satisfaction. It is especially harder to answer in the information security context where a lack of data makes it difficult to quantify what exactly security spending earns.
A couple of weeks back, I paid a courtesy call on a friend of mine who is the IT Head of a big insurance firm. He told me of the difficulty in obtaining an information security budget from the top.
The management knows the threat is there but they do not feel the threat. In other words, they cannot justify the spending as they do not have a clear picture of the returns. It happens everywhere. For example, no one buys a burglar alarm until someone they know is robbed.
For that reason, many security vendors also use the Fear, Uncertainty and Doubt (FUD) approach to sell security. FUD is commonly practised to make a customer feel insecure about future product plans with the objective of encouraging the sale of security products. However, this method is hardly compelling, especially when budgets are already stretched wafer-thin.
Security is always seen as an investment where cost is clearly delineated, and therefore requires a quantified ROI. What does one mean exactly by this “Return on Investment” – and apart from it, what other common metrics are used to measure security investments?
Justifying ROI
IT IS often difficult to quantify expected returns, while the costs can be clearly delineated; most of the time it is more instructive to bring the “Cost of No Investment” into the consideration as well.
Other common metrics used to measure security risk include:
a) Annual Loss Expected (ALE) = the expected rate of loss multiplied by the value of that loss.
b) Security savings vs Benefit = A calculation based on the amount that can be saved by reducing the rate of successful attacks and damage per successful attack.
c) The Exposure Factor (EF) = A percentage of loss on an asset if an event occurs.
d) Single Loss Expectancy (SLE) = A calculation based on specific dollar value assigned to an event if it occurs.
e) Total Cost of Ownership (TCO)
Every budget discussion requires consideration of the cost of a product or service against the expected return on the investment. However, where information security is concerned, ROI often needs to be evaluated in a completely different light, commonly known as “Return on Security Investment”.
Return on Security Investment (ROSI)
Return on Security Investment (ROSI), a relatively new approach to security investment, is a deliberate attempt to wrap accurate figures around the spending and allow it to be judged under the same accounting ROI measurement as most other investments a company may make.
The point of maximum return on security investment is where the total cost of security is lowest — including both the cost of security events and the cost of the security controls designed to prevent them.
Some guidelines on how it can be measured:
- Potential and actual intrusions detected at the network and application level.
- Virus incidents — in terms of raw numbers and impacted data.
- Authentication and authorisation time — how long it takes to authorise a user and then grant access.
- Security-patch application rates — how many, how often, by whom?
- Cycle time for forensics response — how fast to respond and recover; type of damage done.
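The metrics listed under “Justifying ROI” (EF, SLE, ALE, security savings) and the ROSI definition above can be chained into one calculation: SLE is asset value times Exposure Factor, ALE is SLE times the annual rate of occurrence, a control reduces the rate and/or the exposure, and the best control is the one with the lowest total cost of security (residual ALE plus control cost). The following script is an added worked example, not part of the column; the asset value, rates, control names and reduction figures are constructed for illustration, and the ROSI ratio it uses, (savings minus control cost) divided by control cost, is the ordinary accounting ROI formula applied to the loss avoided, which is an assumption about how the author would compute it.

```python
"""Worked ALE / SLE / ROSI calculation (illustrative example, constructed figures)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # yearly cost of running the control
    aro_reduction: float    # fraction by which the annual rate of occurrence falls (0..1)
    ef_reduction: float     # fraction by which the exposure per event falls (0..1)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: the dollar loss from one event = asset value x Exposure Factor."""
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected yearly loss = loss per event x expected events per year."""
    return sle * aro


def residual_ale(asset_value: float, ef: float, aro: float, control: Control) -> float:
    """ALE that remains once the control has lowered the rate and/or the exposure."""
    reduced_ef = ef * (1.0 - control.ef_reduction)
    reduced_aro = aro * (1.0 - control.aro_reduction)
    return annual_loss_expectancy(single_loss_expectancy(asset_value, reduced_ef), reduced_aro)


def total_cost_of_security(asset_value: float, ef: float, aro: float, control: Control) -> float:
    """Cost of security events that still happen plus the cost of the control itself."""
    return residual_ale(asset_value, ef, aro, control) + control.annual_cost


def rosi(asset_value: float, ef: float, aro: float, control: Control) -> float:
    """Return on Security Investment: (loss avoided - control cost) / control cost.

    Assumed formula: plain accounting ROI applied to the ALE saved by the control.
    """
    if control.annual_cost <= 0:
        raise ValueError("ROSI is undefined for a control that costs nothing")
    baseline = annual_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    savings = baseline - residual_ale(asset_value, ef, aro, control)
    return (savings - control.annual_cost) / control.annual_cost


def cheapest_control(asset_value: float, ef: float, aro: float,
                     controls: List[Control]) -> Optional[Control]:
    """The control at the point of maximum return: lowest total cost of security."""
    if not controls:
        return None
    return min(controls, key=lambda c: total_cost_of_security(asset_value, ef, aro, c))


# Constructed scenario: a $2m asset, 25% of it lost per incident, 0.4 incidents a year.
ASSET_VALUE = 2_000_000.0
EXPOSURE_FACTOR = 0.25
ARO = 0.4

# "No investment" is included deliberately so the cost of doing nothing is visible.
CONTROLS = [
    Control("no investment", annual_cost=0.0, aro_reduction=0.0, ef_reduction=0.0),
    Control("basic antivirus", annual_cost=10_000.0, aro_reduction=0.05, ef_reduction=0.0),
    Control("IDS plus patching", annual_cost=60_000.0, aro_reduction=0.5, ef_reduction=0.2),
    Control("full managed service", annual_cost=150_000.0, aro_reduction=0.8, ef_reduction=0.5),
]


if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    print(f"SLE = {sle:,.0f}   ALE (no controls) = {annual_loss_expectancy(sle, ARO):,.0f}")
    for c in CONTROLS:
        total = total_cost_of_security(ASSET_VALUE, EXPOSURE_FACTOR, ARO, c)
        ratio = "n/a" if c.annual_cost == 0 else f"{rosi(ASSET_VALUE, EXPOSURE_FACTOR, ARO, c):.2f}"
        print(f"{c.name:<22} total cost = {total:>10,.0f}   ROSI = {ratio}")
    best = cheapest_control(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CONTROLS)
    print(f"lowest total cost of security: {best.name}")
```

Two things the run shows that the prose alone does not: the ROSI ratio and the total-cost ranking are different questions, since the most expensive option has the lowest residual loss but a worse total cost than a mid-priced one, and the basic antivirus option breaks even exactly (ROSI of zero), which is the boundary the column's “cost of no investment” argument turns on.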
Summary
Giving an accurate and satisfactory answer is never easy. A customer should be made to understand his organisation’s view of risk as this in turn will determine how much he should spend on information security.
Quantifying ROI is not an easy task; however, it is every information security professional’s responsibility to indicate to the management the risks facing his business.
For a risk-averse organisation, the issue of ROI is often relatively unimportant. For an organisation willing to take the risk, the ROI will be an important criterion in the decision-making.
Next month, I will share with readers the arguments on using Return on Security Investment to justify security spending.