RE: The Return on Investment of Good Security

["Warren Brunson" <Warren.Brunson () IdenTrust com>]

It seems to me that assessing ROI on good security is roughly the same
as assessing ROI on good corporate tax preparation, or on good driving
by a firm's delivery fleet. 

Unless you are selling security, tax preparation, or deliveries as a
service, and therefore these are the products you make money on, you
can't really quantify a return (profit) on investment. You can only
congratulate yourself on all the losses you didn't suffer. 

Warren Brunson


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Daniel I. Didier
Sent: Monday, January 05, 2009 11:15 AM
To: Tony; Adriel T. Desautels
Cc: pen-test list; security-basics () securityfocus com
Subject: RE: The Return on Investment of Good Security

This is a great discussion.  It has prompted me to think and rethink
this topic as it is very critical when "selling" security, especially to
upper management.  

Simply put, any time an organization allocates funding, it is making an
investment.  This is true whether the purchase is for office supplies,
insurance, network equipment, or security.  The money allocated for
these investments will provide some type of return.  It may be improved
office production, limiting liability, the deployment of new
applications, or improved security.  

If an organization decides to implement an awareness program it is
making an investment in the education of its employees.  The return is a
better educated workforce.  A likely result is a reduction in the number
of security incidents.

An organization may decide to deploy a new application that they hope
will enhance their business capabilities and provide better
functionality and efficiency.  The end result may be the ability to
realize greater profit.

Both of these scenarios provide a return on the investment.  I think too
many individuals associate the term ROI with investing wealth and
getting a return on that investment in the form of dollars.  Recently, I
did some research on this topic and wrote a paper that identified some
key points.  Please see exerts below:

*Calculating the Return on Security Investment* To provide an accurate
representation of the cost savings that may be achieved through the
implementation of intrusion detection, an organization must be able to
provide the metrics necessary to calculate a ROI.  The use of ROI is
traditionally used to compare alternative business investment strategies
and not the value of risk mitigation.  As an example, an organization
might use ROI to help decide whether to invest in developing new
technology or extend the capabilities of an existing technology.

ROI = (Expected Returns - Cost of Investment) / Cost of Investment
 
ROI is calculated by weighing the cost of a purchase against the
expected returns over its lifetime.  A simple example:  if an initial
investment of $1 million in the construction of a new factory results in
a $5 million return over the course of three years, the ROI of the three
year period is 400%. 

To calculate the return on investment for a security investment, the
traditional ROI investment model must be modified to represent the costs
and savings associated with risk mitigation.  This is accomplished
through the use of a formula for calculating the return on investment
for a security investment (ROSI):

ROSI = ((Risk Exposure *  %Risk Mitigated) - Solution Cost) / Solution
Cost  

An implementation of an intrusion detection solution will be used as a
basic example:  An organization estimates that the average cost of an
incident is $250,000.  The organization has experienced four incidents
in the last year.  By implementing a $500,000 IDS the organization
expects to prevent 75% of incidents.

Risk Exposure:  $250,000, 4x per year =$1,000,000
Risk Mitigated: 75%
Solution Cost:          $500,000

ROSI = ($1,000,000* 75%) - $500,000 = 50% $500,000

> From the calculation, the investment in the IDS appears to be favorable.
Identifying meaningful values for the factors in the equation is not a
simple task.  There are no standardized models for determining the
financial risk associated with security incidents or determining the
risk mitigation effectiveness of security solutions.  Even the methods
used to determine the solution cost may vary greatly; some may only
include hardware and software costs while others may factor in ongoing
maintenance and staffing costs.  The key to calculating accurate ROSI is
to use consistent and thorough values through the use of well-defined
risk quantification practices such as standardized business impact
analysis methodologies.

I hope this spurs some more discussion -Dan www.NetSecureIA.com


> -----Original Message-----
> From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
> On Behalf Of Tony
> Sent: Sunday, January 04, 2009 2:31 AM
> To: Adriel T. Desautels
> Cc: listbounce () securityfocus com; pen-test list; security- 
> basics () securityfocus com
> Subject: Re: The Return on Investment of Good Security
>
> Adriel T. Desautels wrote:
> > Tony,
> >     While I understand and respect your point of view I disagree.
If
> > you pay for quality security services you will probably avoid
suffering
> > the damages of a successful compromise.  If you avoid that
compromise
> > then you never need to suffer damages and lose money as a result.  I

> > suppose thats not really savings, but it does prevent loss.
>
> Very true and I am not debating the need for asset protection, simply 
> the semantics of the term ROI in regards to security expenditures. I 
> just don't see how there is a return, simply a reduction of loss.
> Obviously mitigating loss can amount to almost the same thing as 
> increasing value or increased earnings when we simply look at dollar 
> amounts on a +/- basis, but it is not earnings we are looking at which

> is what ROI is focused on. Security is an expense justified to prevent

> loss, it is not the same thing as generating additional revenue. I 
> understand that when project decisions are made we have to use similar

> language as the "ROI guys" to get funding for competing projects, but 
> its not ROI.
>
> >     If on the other hand you do not use a quality service provider
then
> > you do run the very high risk of suffering a compromise.  So then
I'll
> > ask, how much are your assets worth? What is the value of your
network,
> > its systems, your emails, your customer information, your source
code,
> > etc? Is it worth more than $20,000, is it worth more than
$50,000.00?
> > If it is then why would you choose the bunk security service over
the
> > real one?
> >
> >     So the question really is, are your assets worth protecting
Tony? If
> > you're interested I can prove my point about the differences in 
> > quality.  Have my team do a followup penetration test and allow us
to
> > reproduce the threat that you'll likely face in the real world.
We'll
> > probably get in,  thank god we're the good guys right? Too bad most
of
> > the bad guys are testing you better than most of the security
providers
> > though. ;]
> >
> >
> >
> >
> >
> >
> >
> > On Jan 3, 2009, at 10:20 AM, tony_l_turner () yahoo com wrote:
> >
> > > I've always felt that any attempts to calculate ROI for security 
> > > investments led to confusion. There really is no return on
investment,
> > > just mitigated or avoided risk. Its similar to buying insurance 
> > > (although that creates a certain amount of risk transference) but 
> > > either is a completely different scenario then buying a server or a

> > > new DBMS that directly translates to increased transaction volume
or
> > > decreased contact times. ROI on security is a misnomer. It is an 
> > > attempt to justify security expenditures and while some sort of
model
> > > is needed to represent the impact for the investment and the
returns
> > > gained, ROI seems a poor choice.
> > > ------Original Message------
> > > From: Adriel T. Desautels
> > > Sender: listbounce () securityfocus com
> > > To: pen-test list
> > > Cc: security-basics () securityfocus com
> > > Sent: Jan 2, 2009 6:45 PM
> > > Subject: The Return on Investment of Good Security
> > >
> > > Latest blog entry for those who care. This one compares the Return
on
> > > Investment of good security services to the Return on Investment of

> > > poor quality security services.  As usual comments and criticisms
are
> > > welcome and appreciated.
> > >
> > > Direct link as requested:
http://snosoft.blogspot.com/2009/01/cost-of-good-security-is-fraction-
> of.html
> > >     Adriel T. Desautels
> > >     ad_lists () netragard com
> > >         --------------------------------------
> > >
> > >     Subscribe to our blog
> > >         http://snosoft.blogspot.com
> > >
> > >
> > >
> > >
> > >
> > > Sent from my Verizon Wireless BlackBerry
> >
> >
> >
> >     Adriel T. Desautels
> >     ad_lists () netragard com
> >         --------------------------------------
> >
> >     Subscribe to our blog
> >         http://snosoft.blogspot.com