IDS mailing list archives

RE: Value of IDS, ROI


From: Federico Lombardo <root () grandistazioni it>
Date: 11 May 2005 08:27:08 -0000



Hi all,

I'm terribly sorry for this type of quoting, but it's the only way I can manage from my PocketPC.
First of all, I think that ROI is the wrong economic indicator to manage and perhaps justify your budgeting operations or 
investments in IT security.

When using approaches based on economic indicators we must use the appropriate ones.
ROI, for me, is too simple and discrediting for analyzing an IDS/IPS-based investment.

The reason is quite simple; I know that this is a technical list and not an economic one, but I'll try to explain as 
simply as I can.

The ROI doesn't analyze two important things when calculating this kind of investment:

1) price of the invested money
2) THE RISK OF THE INVESTMENT.


Furthermore, we must understand that IDS/IPS are rarely used to "CREATE BUSINESS" in a non-IT but 
profit-oriented company; they're usually meant for countermeasures and/or forensic analysis.

So another IMPORTANT point of view consists in distinguishing TWO kinds of companies:

1) those which use IDS/IPS for CREATING MONEY, such as security consultants or IT-security-based enterprises
2) those which use IDS/IPS as an "addendum" to the company's IT services, making them "better"

Another important concept is that an IDS is a "semi-intangible object".
It is easier for us to calculate the ROI for a server or for a switch; they are "physical", so, for example, I introduce 
the "New-Server" in my scenario and the better velocity may be the real reason that justifies my investment. 
It's difficult to say the same thing for an IDS/IPS. For these we usually hear an investment reason such as "if we 
don't use an IDS/IPS our network is in danger".
So from here, only a good risk analysis can justify the investment, not the IDS product.


So the only theory applicable, as far as I know, for this kind of investment is the "VALUE ADDED THEORY".
In accounting-analytics terms we may use the "payback period" as the only arithmetical indicator.



The economic indicators that better explain the ROSI (Return on Security Investment) are the financial ones, not the 
arithmetical ones.

So, first, in the "VALUE ADDED THEORY" we can begin to "think" using these indicators:

+ discounted cash flow analysis (DCF)
+ net present value (NPV)

Net Present Value best ties the investment decision to the company objectives, for IT-security enterprises.
NPV, furthermore, is able to compare different investments of the same kind.



So, in the same way, we can discuss the BEST ECONOMIC INDICATOR for these kinds of investments: the EVA [TM Stern Stewart 
& Co].
EVA is a performance indicator; it explains the effectiveness of the invested money or the "super-yield" produced using 
the risk capital.
Applying it to an entire company or a single organization/production unit, it is simple to understand how and when an 
investment adds or destroys value.


EVA = NOPAT - Capital charge

NOPAT = net operating profit after taxes



This is my 5 cents; please don't blame me for this brainstorming. Any opinions will be appreciated; don't hesitate to 
contact me privately :-)

Best Regards

Lombardo Federico, IT Security
Grandi Stazioni S.p.A.
Italy
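The indicators named in the post, carried through on constructed figures so the difference can be seen side by side (an added example, not the author's or the list's; the 100k outlay, 30k/year benefit, 4% risk-free rate, 10% risk premium, straight-line depreciation and the tax-free simplification of NOPAT are all assumptions of this illustration):

```python
"""Added worked example (not the author's): the same IDS/IPS outlay judged by
simple ROI and payback period, which ignore the price of money and risk, versus
NPV with a risk-adjusted discount rate and EVA = NOPAT - capital charge.
All figures are constructed for illustration."""

def simple_roi(investment, annual_benefit, years):
    """Naive ROI: total undiscounted benefit over cost, no time value, no risk."""
    return (annual_benefit * years - investment) / investment

def payback_period(investment, annual_benefit):
    """Years until the cumulative undiscounted benefit repays the outlay."""
    return investment / annual_benefit

def npv(rate, cash_flows):
    """Net present value; cash_flows[0] is the t=0 outlay (negative), the rest
    are yearly benefits, each discounted by (1 + rate) ** t."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))

def eva(nopat, capital, cost_of_capital):
    """Economic Value Added: operating profit minus the charge for the capital
    tied up in the investment (taxes ignored here for simplicity)."""
    return nopat - capital * cost_of_capital

# Constructed scenario: 100k IDS/IPS outlay, 30k/year of avoided loss, 4 years.
INVESTMENT = 100_000.0
ANNUAL_BENEFIT = 30_000.0
YEARS = 4
RISK_FREE_RATE = 0.04     # price of the invested money
RISK_PREMIUM = 0.10       # the investment risk that plain ROI leaves out

def compare():
    """Return every indicator for the scenario so they can be compared."""
    flows = [-INVESTMENT] + [ANNUAL_BENEFIT] * YEARS
    cost_of_capital = RISK_FREE_RATE + RISK_PREMIUM
    # NOPAT per year: benefit net of straight-line depreciation of the outlay.
    nopat = ANNUAL_BENEFIT - INVESTMENT / YEARS
    return {
        "roi": simple_roi(INVESTMENT, ANNUAL_BENEFIT, YEARS),
        "payback_years": payback_period(INVESTMENT, ANNUAL_BENEFIT),
        "npv_risk_free": npv(RISK_FREE_RATE, flows),
        "npv_risk_adjusted": npv(cost_of_capital, flows),
        "eva_per_year": eva(nopat, INVESTMENT, cost_of_capital),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>18}: {value:,.2f}")
```

On these figures plain ROI is +20% and payback is under the 4-year life, yet NPV turns negative once the risk premium enters the discount rate and yearly EVA is negative, which is the post's point that ROI misses the price of money and the risk of the investment.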
