Opinion: Calculating security ROI is tricky business
by Marcia J. Wilson, CCSP Staff Writer April 08, 2004
Reprinted from July 24, 2003.
Return on security investment has become a hot topic.
IT departments have traditionally been viewed as cost centers, though they
have learned to provide a business-case analysis for IT initiatives. Information
security departments are trying to figure out how to do the same thing.
They can't sell security initiatives based on fear anymore. They have to come
up with the same justifications as any other business unit, complete with the
dreaded metrics, or hard financial facts.
ROI is about revenue generation, cost savings or increased productivity. IT
has learned to show, for instance, that upgrading the server farm or network
will provide x% increased productivity by virtue of faster access to
mission-critical applications and that installing a virtual private network
(VPN) will provide an x% increase in productivity by virtue of availability
of the network to remote and mobile employees. But how can security prove ROI
for preventive measures that require capital expenditures, additional manpower
and a steep learning curve?
Some people claim that trying to prove return on security investments is a
waste of time. It's all about risk management, they say. Meanwhile, security
vendors are champing at the bit to prove that ROI on security is possible and
have gone to elaborate lengths to prove that their products will provide
significant returns. Managed security service providers are saying, "Just let us
handle your security for you, and we'll show you how you can reduce risk and
cost."
You know you need firewalls, VPNs, a secure network architecture, encryption,
digital signatures, improved backup and restore capability, filtering,
monitoring, intrusion detection/prevention and single sign-on capabilities. How
are you going to justify the expenditures?
What are you trying to protect?
Here are some steps to take when trying to calculate ROI:
- Identify your information assets: Assets can be a resource, a
product, the networked computing infrastructure, protected health information,
or customer or employee data. Losses in the areas of confidentiality, integrity
or availability can have a specific dollar value or be intangible, as with loss
of reputation.
- Identify threats and vulnerabilities: Anything that causes an
unwanted outcome is a threat. Threats come in many forms and have varied
effects. Earthquakes are threats. Lawsuits are threats. Vulnerabilities are
weaknesses or the absence of adequate safeguards.
- Do an asset valuation: Once you've identified your assets and the
threats and vulnerabilities that beset them, it's important to go through an
asset valuation process. Why go full throttle on a project to secure an asset
that isn't of high value to the organization? You can create a matrix and value
your assets simply in terms of high, medium and low value to the organization
based on your own definitions. For each asset, consider what the total cost,
initial and ongoing, is to the organization for the full life cycle of the
asset. Determine what the value of the asset is in terms of production, R&D
and criticality to the business model (tangibles and intangibles). Answer the
question of what the value of the asset is in the marketplace including
intellectual property rights.
Gather metrics
Once you understand what you have, you need to understand what it would cost
the company to lose it vs. what it would cost to safeguard it. There are
standard formulas that can be used:
The Exposure Factor (EF) for a particular asset is the percentage of the
asset's value that would be lost if a given event occurred.
- Example: A primary e-commerce Web server is compromised and becomes
unavailable. The server has been valued at $5,000. The EF has been deemed to be
75%.
Single Loss Expectancy (SLE) is the specific dollar amount assigned to
the event if it occurs.
Asset Value ($) x EF = SLE
- Example: The asset valued at $5,000 multiplied by 75% equals $3,750.
This is the cost for a single occurrence of the Web site being unavailable.
Annualized Rate of Occurrence (ARO) is the estimated number of times per year
that the event is expected to occur.
- Example: The ARO has been estimated to be three times per year based
on types of vulnerabilities and threats that are known and documented that
relate to the type of server.
Annualized Loss Expectancy (ALE) is derived by the following formula:
SLE x ARO = ALE
- Example: $3,750 x 3 = $11,250
You have a list of assets; you've ranked them according to importance to the
organization (qualitatively and quantitatively); you've attached dollar figures
to the loss or unavailability of the asset. You begin to understand the risk.
There's no fear in these calculations. There's a realization of value and risk.
The need to place a priority on security projects should be clearer.
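The calculation chain above, carried through in code as an added example (this is not code from the original column). It reproduces the column's own figures for the e-commerce Web server ($5,000 value, 75% EF, ARO of 3, giving an ALE of $11,250) and goes one step beyond the text: it ranks a small portfolio of assets by ALE so the prioritization the paragraph above describes is explicit, and it compares the ALE reduction a safeguard buys against the safeguard's annual cost. The other three assets, their values, factors and the safeguard's cost and effect are constructed assumptions for illustration, not figures from the column.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One asset/threat pairing with the three inputs the column defines."""
    asset: str
    asset_value: float      # dollars, from the asset valuation step
    exposure_factor: float  # fraction of value lost per event, 0.0 to 1.0
    aro: float              # expected occurrences per year

    def __post_init__(self):
        # An EF outside 0..1 or a negative value/rate is a data-entry error,
        # and silently accepting it would distort every figure downstream.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.asset}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.asset}: value and ARO must be non-negative")


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value ($) x EF: the cost of one occurrence."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year from this scenario."""
    return sle * aro


def ale_for(scenario: RiskScenario) -> float:
    """Run the full chain (EF -> SLE -> ALE) for one scenario."""
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    return annualized_loss_expectancy(sle, scenario.aro)


def rank_by_ale(scenarios: list[RiskScenario]) -> list[tuple[str, float]]:
    """Highest expected annual loss first: a simple priority order for projects."""
    ranked = [(s.asset, ale_for(s)) for s in scenarios]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def safeguard_net_benefit(ale_before: float, ale_after: float,
                          annual_safeguard_cost: float) -> float:
    """Annual loss avoided by the safeguard minus what the safeguard costs per
    year. Positive means the control pays for itself on these estimates.
    (Standard cost-benefit framing; not a formula stated in the column.)"""
    return (ale_before - ale_after) - annual_safeguard_cost


# The column's own example plus three constructed assets for the ranking.
WEB_SERVER = RiskScenario("Primary e-commerce web server", 5_000, 0.75, 3)
SCENARIOS = [
    WEB_SERVER,
    RiskScenario("Customer database (constructed)", 200_000, 0.10, 0.5),
    RiskScenario("Backup system (constructed)", 20_000, 0.40, 1),
    RiskScenario("Internal file server (constructed)", 12_000, 0.25, 2),
]


if __name__ == "__main__":
    for asset, ale in rank_by_ale(SCENARIOS):
        print(f"{asset:40s} ALE ${ale:,.2f}")

    # Constructed safeguard: assume a control cuts the web server's ARO from
    # 3 to 1 per year and costs $4,000 per year to run.
    before = ale_for(WEB_SERVER)
    after = ale_for(RiskScenario(WEB_SERVER.asset, WEB_SERVER.asset_value,
                                 WEB_SERVER.exposure_factor, 1))
    print(f"Net annual benefit of safeguard: ${safeguard_net_benefit(before, after, 4_000):,.2f}")
```

The ranking is only as good as the three inputs, which is the column's point: the work is in the asset valuation and the ARO estimate, not in the multiplication. Validating the inputs up front (an EF above 100% or a negative ARO) catches the most common spreadsheet mistakes before they reach a budget discussion.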
Stop. I am tremendously oversimplifying this, but if you can get this far,
you will be further than most organizations. The effort involved in pulling this
information together takes a dedicated team effort from across the organization
(engineering, marketing, sales, finance, IT, security, executive management,
development, production operations). It's no simple task. Some excellent work in
this area is available that applies these formulas in depth to various
scenarios. Read David Kinn and Kevin Timm's two-part
series on justifying the expense of intrusion-detection systems.
Safeguards
This is where you set about to understand what types of safeguards are
necessary to implement and in what order they should be implemented. This is
also where you prioritize projects based on the asset valuation process and
figure out how much it's going to cost. Now, you can set about to determine what
the ROI on security could be. Forward and creative thinking is required. To
suggest security solutions at this juncture would be wrong. Each organization,
each industry, is unique, and legislation (such as the Gramm-Leach-Bliley Act,
HIPAA and the Sarbanes-Oxley Act) is driving organizations forward at an urgent pace.
Real return?
It has been suggested that there is no real return on security investment --
there is only risk management. However, ROI isn't strictly about generating
revenue; it's also about increasing productivity and cost savings. There are
very few cases of security initiatives that can actually provide revenue
generation. You can provide a means by which revenue can be generated, such as
creating a secure VPN environment through which customers and partners can
transact business. You can buy a network management system that costs you
$300,000 and have one network engineer man it vs. hiring four network engineers
to individually monitor systems and log files, correlate data, draw conclusions
and make changes to the system. Not a hard sell. What about purchasing an
intrusion-detection and -prevention system? You have to hire an employee to
administer the system if you don't have one already. You will pay for the
installation and training on the system. How do you calculate the ROI on that?
You need to familiarize yourself with recent studies and industry reports.
One report, titled "Cost-Benefit Analysis for Network Intrusion Detection
Systems," that came out of the University of Idaho provides
useful statistics and methods. The research paper takes a quantitative and
qualitative look at the security risks in a distributed network environment,
creation of a cost model and cost-benefit analysis for an IDS. The methods and
models used in the report are a good template for evaluating ROI. The author and
researcher's work is now being widely read and quoted.
The conclusion is that you can develop return on a security investment. To do
that, you're going to have to dig deeper than you probably have had to in a long
time. You have to get the big picture first and then drill down to the most
minute detail, and when you've done that, you'll be close to proving how a
security initiative is going to reduce cost, improve productivity and even
possibly generate revenue.
*Note: Some links to stories may no longer function or now require you to register to view.
by Marcia J. Wilson ComputerCops Staff Writer
Marcia J. Wilson holds the CISSP designation and is the founder and CEO of Wilson Secure LLC, a company focused on providing independent network security assessment and risk analysis. She is also a freelance columnist for Computerworld and SecurityFocus.
She can be reached at marcia@wilsonsecure.com. Corporate website: wilsonsecure.com
Copyright © Marcia J. Wilson. All Rights Reserved 2004.