Bruce Schneier has written a great article on the use of ROI (return on investment) in business security decision making. Under this model, a business would only invest in security solutions that had a positive ROI, meaning the money gained (realized or unrealized) exceeds the cost invested. When comparing options, a company would choose the one with the greatest return for the stockholders.
So the question remains – do ROI models accurately determine if a security investment is “worth it”? Bruce Schneier notes:
“‘ROI’ as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It’s an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn’t make sense in this context.”
A data breach would have associated costs, so preventing one would produce cost savings. This does impact the bottom line, although it’s an intangible figure. As Schneier notes, many security vendors offer an ROI model to satisfy the business demand for such a measurement, but the resulting figures cannot accurately reflect your own business.
So, how do you measure security investment?
- Don’t spend more on a security problem than it’s worth
- Don’t ignore security problems that cost money if cheaper mitigation alternatives are available
One option is to use annualized loss expectancy (ALE), a model that takes the cost of a security incident (tangible and intangible) and multiplies it by the chance of that incident happening in a given year. The result tells you how much is worth spending each year to mitigate the risk. However, the model relies on good data, and it’s difficult to apply it to all areas of IT security. When it comes to cybersecurity, not enough data about crime or the effectiveness of countermeasures exists to build an accurate model. The model also cannot anticipate large, expensive security incidents.
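As an added illustration (not part of the original post), the following Python sketch applies ALE to compare candidate controls under the two rules above and shows how the answer swings with the incident-rate estimate; every dollar figure, rate and control name is a constructed assumption, not real data.

```python
# Added example, not from the original post: ALE-based comparison of controls.
# Every figure below is a constructed assumption, not real incident data.

SLE = 250_000   # single loss expectancy: estimated cost of one breach, tangible + intangible
ARO = 0.2       # annual rate of occurrence: one incident expected every five years

# Candidate controls: annual cost and the fraction of incidents each is assumed to prevent.
CONTROLS = [
    {"name": "Managed EDR",    "annual_cost": 40_000, "aro_reduction": 0.6},
    {"name": "MFA rollout",    "annual_cost": 8_000,  "aro_reduction": 0.5},
    {"name": "Staff training", "annual_cost": 3_000,  "aro_reduction": 0.2},
]


def ale(sle, aro):
    """Annualized loss expectancy = single loss expectancy x annual rate of occurrence."""
    return round(sle * aro, 2)


def net_benefit(sle, aro, control):
    """Annual value of a control: ALE avoided minus what the control costs per year.
    A negative result means the control costs more than the risk it removes."""
    residual_aro = aro * (1 - control["aro_reduction"])
    return round(ale(sle, aro) - ale(sle, residual_aro) - control["annual_cost"], 2)


def choose_control(sle, aro, controls):
    """Apply the post's two rules: drop anything that costs more than it saves
    (rule 1), then pick the option with the largest net saving (rule 2)."""
    paying = [(net_benefit(sle, aro, c), c["name"]) for c in controls]
    paying = [(b, name) for b, name in paying if b > 0]
    return max(paying)[1] if paying else None


def sensitivity(sle, aro_low, aro_high, control):
    """Net benefit at two ARO estimates, to show how much the answer depends on the data."""
    return net_benefit(sle, aro_low, control), net_benefit(sle, aro_high, control)


if __name__ == "__main__":
    print("ALE without controls:", ale(SLE, ARO))                  # 50000.0
    for c in CONTROLS:
        print(f"{c['name']:15} net benefit/yr: {net_benefit(SLE, ARO, c):>9}")
    print("Chosen control:", choose_control(SLE, ARO, CONTROLS))  # MFA rollout
    # The same control flips from not worth it to clearly worth it across a plausible ARO range.
    print("MFA at ARO 0.05 vs 0.5:", sensitivity(SLE, 0.05, 0.5, CONTROLS[1]))
```

The sensitivity line is the point of the caveat: with the incident rate guessed at 0.05 the MFA option loses money, at 0.5 it saves tens of thousands, so the model is only as trustworthy as the rate you feed it.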
So, the end result of all this is to trust your own analysis based on your own numbers, and to treat the model’s results as a general guideline only. Use your numbers alongside a sound risk management and compliance strategy when deciding which security solutions to buy.