Home
News
E-mail Newsletters
Blogs
Tech Dispenser
Shark Bait
Knowledge Centers
Opinion
Webcasts
Video
Podcasts
White Papers
Computerworld Reports
Zones
Case Study Library
RSS Feeds
Events
Print Subscriptions

Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Finance
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 

Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

Calculating security ROI is tricky business

Marcia J. Wilson   Today’s Top Stories    or  Other Security Stories  
 

Sign up to receive Security Resource Alerts

July 24, 2003 (Computerworld) -- Return on security investment has become a hot topic.


IT departments have traditionally been viewed as cost centers, though they have learned to provide a business-case analysis for IT initiatives. Information security departments are trying to figure out how to do the same thing.


They can't sell security initiatives based on fear anymore. They have to come up with the same justifications as any other business unit, complete with the dreaded metrics, or hard financial facts.


ROI is about revenue generation, cost savings or increased productivity. IT has learned to show, for instance, that upgrading the server farm or network will provide x% increased productivity by virtue of faster access of mission-critical applications and that installing a virtual private network (VPN) will provide x% increase in productivity by virtue of availability of the network to remote and mobile employees. But how can security prove ROI for preventive measures that require capital expenditures, additional manpower and a steep learning curve?


Some people claim that trying to prove return on security investments is a waste of time. It's all about risk management, they say. Meanwhile, security vendors are champing at the bit to prove that ROI on security is possible and have gone to elaborate lengths to prove that their products will provide significant returns. Managed security service providers are saying, "Just let us handle your security for you, and we'll show you how you can reduce risk and cost."












Opinion ColumnMarcia Wilson
Marcia J. Wilson holds the CISSP designation and is the founder and CEO of Wilson Secure LLC, a company focused on providing independent network security auditing and risk analysis. She can be reached at marcia@wilsonsecure.com.

You know you need firewalls, VPNs, a secure network architecture, encryption, digital signatures, improved backup and restore capability, filtering, monitoring, intrusion detection/prevention and single sign-on capabilities. How are you going to justify the expenditures?


What are you trying to protect?


Here are some steps to take when trying to calculate ROI:


  • Identify your information assets: Assets can be a resource, a product, the networked computing infrastructure, protected health information, or customer or employee data. Losses in the areas of confidentiality, integrity or availability can have a specific dollar value or be intangible, as with loss of reputation.


  • Identify threats and vulnerabilities: Anything that causes an unwanted outcome is a threat. Threats come in many forms and have varied effects. Earthquakes are threats. Lawsuits are threats. Vulnerabilities are weaknesses or the absence of adequate safeguards.


  • Do an asset valuation: Once you've identified your assets and the threats and vulnerabilities that beset them, it's important to go through an asset valuation process. Why go full throttle on a project to secure an asset that isn't of high value to the organization? You can create a matrix and value your assets simply in terms of high, medium and low value to the organization based on your own definitions. For each asset, consider what the total cost, initial and ongoing, is to the organization for the full life cycle of the asset. Determine what the value of the asset is in terms of production, R&D and criticality to the business model (tangibles and intangibles). Answer the question of what the value of the asset is in the marketplace including intellectual property rights.


Gather metrics


Once you understand what you have, you need to understand what it would cost the company to lose it vs. what it would cost to safeguard it. There are standard formulas that can be used:


The Exposure Factor (EF) for a particular asset is the percentage of loss if an event occurred.


  • Example: A primary e-commerce Web server is compromised and becomes unavailable. The server has been valued at $5,000. The EF has been deemed to be 75%.


Single Loss Expectancy (SLE) is the specific dollar amount assigned to the event if it occurs.


    Asset Value ($) x EF = SLE


  • Example: The asset valued at $5,000 multiplied by 75% equals $3,750. This is the cost for a single occurrence of the Web site being unavailable.


Annualized Rate of Occurrence (ARO) is the estimated frequency in which the event could occur.


  • Example: The ARO has been estimated to be three times per year based on types of vulnerabilities and threats that are known and documented that relate to the type of server.


Annualized Loss Expectancy (ALE) is derived by the following formula:


    SLE x ARO = ALE


  • Example: $3,750 x 3 = $11,250


You have a list of assets; you've ranked them according to importance to the organization (qualitatively and quantitatively); you've attached dollar figures to the loss or unavailability of the asset. You begin to understand the risk. There's no fear in these calculations. There's a realization of value and risk. The need to place a priority on security projects should be clearer.


Stop. I am tremendously oversimplifying this, but if you can get this far, you will be further than most organizations. The effort involved in pulling this information together takes a dedicated team effort from across the organization (engineering, marketing, sales, finance, IT, security, executive management, development, production operations). It's no simple task. Some excellent work in this area is available that applies these formulas in depth to various scenarios. Read David Kinn and Kevin Timm's two-part series on justifying the expense of intrusion-detection systems.


Safeguards


This is where you set about to understand what types of safeguards are necessary to implement and in what order they should be implemented. This is also where you prioritize projects based on the asset valuation process and figure out how much it's going to cost. Now, you can set about to determine what the ROI on security could be. Forward and creative thinking is required. To suggest security solutions at this juncture would be wrong. Each organization, each industry, is unique, and legislation (such as the Graham-Leach-Bliley Act, HIPAA, the Sarbanes-Oxley Act) is driving organizations forward at an urgent pace.


Real return?


It has been suggested that there is no real return on security investment -- there is only risk management. However, ROI isn't strictly about generating revenue; it's also about increasing productivity and cost savings. There are very few cases of security initiatives that can actually provide revenue generation. You can provide a means by which revenue can be generated, such as creating a secure VPN environment through which customers and partners can transact business. You can buy a network management system that costs you $300,000 and have one network engineer man it vs. hiring four network engineers to individually monitor systems and log files, correlate data, draw conclusions and make changes to the system. Not a hard sell. What about purchasing an intrusion-detection and -prevention system? You have to hire an employee to administer the system if you don't have one already. You will pay for the installation and training on the system. How do you calculate the ROI on that?


You need to familiarize yourself with recent studies and industry reports. One report, titled "Cost-Benefit Analysis for Network Intrusion Detection Systems" (download PDF), that came out of the University of Idaho provides useful statistics and methods. The research paper takes a quantitative and qualitative look at the security risks in a distributed network environment, creation of a cost model and cost-benefit analysis for an IDS. The methods and models used in the report are a good template for evaluating ROI. The author and researcher's work is now being widely read and quoted.


The conclusion is that you can develop return on a security investment. To do that, you're going to have to dig deeper than you probably have had to in a long time. You have to get the big picture first and then drill down to the most minute detail, and when you've done that, you'll be close to proving how a security initiative is going to reduce cost, improve productivity and even possibly generate revenue.



Do you think a company can show ROI from its investment in security? We'd like to know what you think. Post your opinions and see what others have to say in our discussion forum.





Print this Story Send Us Feedback E-mail this Story Digg! Digg this Story Slashdot this Story

Calculating security ROI is tricky business
Virus writers in the wild
Taxes, death and policy
Kazaa Huzzah!

Blogs

"This company's infrastructure group is running a disaster recovery exercise with a reluctant participant: an IT manager who's notorious as..." Read more...
"It's IT Blogwatch: in which Mozilla's Firefox Web browser continues to gain market share, smashing records as it does so...." Read more...
Read more Security posts or See all Blogs

Microsoft promises four patches next week
Google gives away home-cooked Web application security scanner
Storm botnet stages Fourth of July attacks
More top stories...
Microsoft trumpets security additions in upcoming IE8
Apple cuts price of high-end SSD MacBook Air by $500
Ultrathin showdown: Apple MacBook Air vs. Lenovo ThinkPad X300 vs. Toshiba Portege R500

This old laptop: Revitalizing an aging notebook on the cheap
All it takes is a couple hours and about $125 to breathe new life into an old laptop. Here's how.
Bill Gates moves on
Is Microsoft's Golden Age over? What are Gates' most memorable quotes? Find out in Computerworld's complete coverage of the end of the Bill Gates era at Microsoft.
Five things you should never tell your boss
There are some things your CIO definitely doesn't want to hear. Also don't miss the flipside, Five things you should always tell your boss.
Hands-On: Firefox 3 fixes what's broke and keeps what's right
With its latest version, Mozilla's browser continues to raise the bar for what Web browsers should be.

FROM THE BLOGOSPHERE

Windows Vista A to Z
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.
IT Careers 2010
Four years from now, the IT field will be a vastly different place. Will you be ready?
All Zones
Application Performance Zone
Business Continuity Zone
Data Center Management Zone
Enterprise-Class Security Zone
The File Data Management Zone
Grid Computing on Windows Zone
Security Management Zone
ITIL Best Practices Zone
The SAS Zone
Storage Virtualization Zone
Business Intelligence and Analytics Zone


Ads by TechWords

See your link here
Why SaaS is Vital to Email and Web Security
Why SaaS is Vital to Email and Web Security
Download this webcast, free, compilments of Webroot Software
Go to the webcast 
Computerworld Executive Bulletin: Building a Robust Antivirus Defense
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
(Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more.
Download this executive briefing download
Eliminate SPAM, Gain Productivity
Get this white paper now!
(Source: MessageLabs) Learn all about the dangers and the costs of spam in all its forms - from stock-touting to spreadsheet. Also, understand the drawbacks of traditional hardware- and software-based defenses - and the unique benefits of MessageLabs multi-layered, managed Anti-Spam solution; as illustrated by a real-world case study where MessageLabs stopped spam cold.
Download this white paper go
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Deploying Virtualized NetWare on Linux Whitepaper
Toward More Flexible, Next-Generation Collaboration Solutions
Driving Business Success Through Workgroup Choice and Flexibility
View more whitepapers 

About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDG Connect<