Information Security News mailing list archives

RE: Update: Money seen as biggest obstacle to effective IT security


From: InfoSec News <isn () c4i org>
Date: Fri, 18 Jul 2003 02:46:03 -0500 (CDT)

Forwarded from: Nick Owen <nowen () wikidsystems com>

</lurk>

"Return on investment appears to have fallen out of favor as a
measure of the effectiveness of information security spending," Mark
Doll, Americas director of Ernst & Young's Security Services
division, said in a prepared statement. "It looks like we need to
find a credible alternative to conventional ROI approaches in order
to secure funds for the information security function."

I've been chewing on some ideas in this regard.  Any feedback is much
appreciated.

ROI is an incomplete measure at best.  It provides an initial glimpse
of the potential impact a project might have.  It is better to use a
measure that includes the actual cost of capital, such as Net Present
Value or economic profit (EVA is the trademarked term).

To give an example: two projects - a $1,000,000 investment with a
$100,000/year return or a $100,000 investment with a $10,000 return.  ROI
says do both. However, if the first project is riskier, it should be
capitalized at a higher rate of return.  Both NPV and economic profit
calculations will show this.

To me, most security projects are focused on reducing the cost of
capital, like insurance (and could be replaced by insurance).

Break security projects down into two categories: enterprise-wide &
project focused.  If you're protecting the enterprise or an enterprise
asset such as a customer database, you're helping to decrease or
maintain the enterprise's cost of capital.  A significant breach will
have a negative impact on the value of the firm (see: The Effect of
Internet Security Breach Announcements on Market Value of Breached
Firms and Internet Security Developers,
http://www.utdallas.edu/~huseyin/eventstudy.PDF, or just think of CD
Universe).  The new California law SB 1386 will create more awareness
of this effect.

If you're part of a bricks & mortar firm starting a web commerce site
targeting Internet riches, that project should have a much higher cost
of capital than the rest of the firm.  Security measures will help
reduce the cost of capital for the project.  If you reduce the cost of
capital, the inherent value of the cash flows increases.

That being said (and this will sound strange coming from a vendor), one
way to assure project success is to invest smaller amounts upfront.
This is typically true in IT and is probably true in security.
Over-investing upfront is problematic.  Economic profit analysis shows
this clearly - think of it like a credit card bill whose balance you can
never pay down: the interest charges just keep racking up.
Best to focus on projects that also reduce costs and can be measured -
then perhaps target some more fuzzy return projects.

Nick Owen

--
Nick Owen
CEO
WiKID Systems, Inc.
404-879-5227
nowen () wikidsystems com
http://www.wikidsystems.com
The End of Passwords
--
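The two-project comparison in the message above, worked through as an added example (this code is not from the original post or from WiKID Systems). The post gives only the investments and the yearly returns; the discount rates (15% for the riskier $1M project, 8% for the $100K one) and treating the yearly return as a level perpetuity are assumptions made here.

```python
"""ROI vs. NPV and economic profit for the post's two projects.
Added example; the 15%/8% costs of capital and the perpetuity
treatment of the yearly return are assumptions, not from the post."""

from typing import Dict, Optional


def roi(investment: float, annual_return: float) -> float:
    """Simple ROI: yearly return as a fraction of the money invested."""
    return annual_return / investment


def npv(investment: float, annual_return: float, rate: float,
        years: Optional[int] = None) -> float:
    """Net present value of a level annual return discounted at the cost
    of capital, minus the up-front investment. years=None treats the
    return as a perpetuity (annual_return / rate); otherwise the cash
    flows of a finite horizon are summed year by year."""
    if years is None:
        pv = annual_return / rate
    else:
        pv = sum(annual_return / (1 + rate) ** t for t in range(1, years + 1))
    return pv - investment


def economic_profit(investment: float, annual_return: float, rate: float) -> float:
    """One year of economic profit (EVA-style): the return minus a capital
    charge equal to the cost of capital times the capital employed."""
    return annual_return - rate * investment


def compare(risky_rate: float = 0.15, safe_rate: float = 0.08) -> Dict[str, Dict[str, float]]:
    """Metrics for both projects. ROI is 10% for each; NPV and economic
    profit only separate them once the riskier project is capitalized
    at the higher (assumed) rate."""
    projects = {
        # name: (investment, annual return, assumed cost of capital)
        "large_risky": (1_000_000.0, 100_000.0, risky_rate),
        "small_safe": (100_000.0, 10_000.0, safe_rate),
    }
    return {
        name: {
            "roi": roi(inv, ret),
            "npv": npv(inv, ret, rate),
            "economic_profit": economic_profit(inv, ret, rate),
        }
        for name, (inv, ret, rate) in projects.items()
    }
```

Calling `compare()` shows the large project with a negative NPV and a negative yearly economic profit at 15%, while the small one is positive on both at 8%; `compare(0.08, 0.08)` shows that at a single rate both look attractive, so it is the risk adjustment, not the size, that changes the answer.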


