Home > Management and Careers > ROI

Computerworld - I would like to provide a counterpoint to Marcia Wilson's article regarding Security ROI (see story). I am in the camp of people who don't believe that security as an IT discipline can demonstrate ROI effectively. There are a number of reasons for this statement.

ROI is generally linked to the notion of the ability to create value. To most CIOs, value creation is expressed primarily in terms of financial benefit, although strategic impact and risk mitigation also are products of value creation, when they are measurable. Few CIOs would state that their security programs, including process and technology investments, could be traced to specific financial benefit to the company.

The equations cited in the article are standard quantitative risk assessment formulae. While the equations are sound, important statistical data is missing in most organizations to make the application of these equations meaningful. For example, there is scant, if any, hard data on this planet regarding Annual Loss Expectancy (ALE) or Annualized Rate of Occurrence (ARO) for security threats and vulnerabilities. Without these two data points, the formula is incomplete, and the risk rating (and potential return) is a very broad guess. In many areas of insurance underwriting, e.g., for life insurance or auto insurance, these factors are well known, and quantitative approaches are believable. For cyberthreats and vulnerabilities, there are few empirical databases, almost no loss/claim history from the large insurance companies, and the research done to date is valid only for certain niche technologies.

	Eddie Schwartz, CISSP, CISA, SSCP, MCSE, is an information security and privacy consultant. He can be reached at eddie@securevision.com.

Even if we did accept the notion that we could assign quantitative cost-benefit factors to the application of security technology and process to a risk management problem, there is another important question. Does the lack of security incidents within an organization really constitute an actual return on investment when the "return" does not tangibly increase productivity or revenue, or decrease operating costs or improve efficiency? One could argue that opportunity cost was avoided, but it was not the kind of cost that CIOs manage directly, as they do the hard costs of operations and maintenance. Also, these types of costs today are not budgeted expenses that were actually saved (and can be reused) in most cases.

CIOs have been searching for a way to justify security programs financially for a long time. The ROI and quantitative risk approach is reasonable for a few areas with real cost/benefit and investment data behind it (e.g., virus remediation costs, password reset costs, etc.). For other areas of security, I believe the right equation for now should be total cost of ownership, finding ways to blend security investments more effectively into all areas of IT and lower the total costs of running secure development, engineering and operations.

---

Do you think a company can show ROI from its investment in security? We'd like to know what you think. Post your opinions and see what others have to say in our discussion forum.

---

Read more about Security in Computerworld's Security Topic Center.