Return on security investment

Soon I will begin a research project into quantifying and expressing return on security investment. From conversations I've had with many conference attendees, there's a need for developing a basic understanding of how to measure ROSI so that budget money for security magically becomes unlocked. I plan to assemble a presentation on this for 2006's events.

If any of you have personal thoughts on ROSI, or some tips that work for you, please comment here or email me (steve.riley@microsoft.com). I'd love to include your ideas. Thanks!

Comments

  • Anonymous
    January 03, 2006
    Performance review time already, Steve? :-)
  • Anonymous
    January 03, 2006
    I think you are trying to do the impossible. I will be surprised if you could pull off such a document. I mean, what is your company's reputation worth if you have to disclose that you have compromised a lot of personal information? Just look at the company CardSystems that exposed 40m credit card numbers; they lost their relationships with the credit card companies. As you all have said, security is spending a lot of money so nothing happens. Either your boss and/or company understands that or they do not. I have worked for companies that understand this and those that don't, and I think the only way to try and convince those that don't is with LOTS and LOTS of FUD (fear, uncertainty, and doubt).

    Usually I try to stay away from FUD because I think IT guys use it too often, but in the case of security it's the only way to convince management of the need for budget dollars. Lots of examples with the idea "you don't want this to happen to you, do you? Here's how we can prevent it." I like Jesper's comment that of secure, usable, and cheap you can pick two.

    So my advice: include in your presentation lots of stories and examples, and make some up if you can't find them ;-)
  • Anonymous
    January 04, 2006
    So what, then, do you base your business decisions on? You can either come up with numbers that have some bearing on reality, but may be significantly wrong, or you can just throw darts at a board. I'd choose the first, because you can tweak the model when you find out where it doesn't match. Ignoring Lewis Carroll, a watch that loses a minute a day is more use to me than one that is stopped.
  • Anonymous
    January 04, 2006
    Why, we just buy whatever the vendors try to sell us of course!

    To figure ROSI, as you've already stated, you need to know A) your cost, B) the cost of the bad event, and C) the probability of the bad event happening if you don't spend the money. (A more thorough look would also include other factors like the probability of bad events happening if you don't spend the money -- it's probably not 0 -- and the lost productivity from implementing the security measure in question.)

    My contention is that you probably don't know B and you definitely don't know C. And a difference between .01% probability and .02% probability is equivalent to doubling the cost of the product. To make up numbers and then pretend that you have the magic ROSI is dishonest. And it can cost you a lot of time and money to come up with your numbers.

    I think a more reasonable approach is to spend your money to mitigate the most likely threats.
  • Anonymous
    January 05, 2006
    "Last word in" post()

    (
    )Alun impression

    IT staff make the most use of themselves creating and later dismissing/solving FUD problems. It takes some effort to create easily solved problems that still require a few weeks/months of "implementation." But usually, that's easier than actually doing your job. Besides, IT staff exist in the background unless they are fixing something. You can't get a raise if you don't get noticed.

    Security is really the best target for FUD too. Reboot a few servers in the middle of the day, spend a few more days in the server room. Then proclaim that the hackers have been expelled and that while working on the system you found 3 more holes the last IT guy left open.

    Just reply to this thread if you need any more tips.
  • Anonymous
    January 06, 2006
    Hi, Steve - Check out my blog at http://spiresecurity.typepad.com/spire_security_viewpoint/ for some details on ROSI and ROI.
  • Anonymous
    January 06, 2006
    Pete, I crown you the smartest guy that's replied to this topic. But I still don't understand/agree with your approach to calculating the probability of something bad happening.

    I think your premise that "We know when a compromise occurs because it is self-defining" is flawed. Let's say a user's password is compromised. Certainly we can audit successful and unsuccessful login attempts. But how will we know if an unauthorized person logged in, unless they start doing other obvious damage? Will you be able to detect data theft? And how do you proactively (please don't flame me more for that, n0one) calculate probabilities of things that haven't happened to you yet?

    If you estimate something as 2 in a million and it's really 1 in a million, it's still the equivalent of the cost of the security vendor charging twice as much for their product. And a 100% increase or more in cost makes it difficult to even rank competing security measures by ROSI, never mind figuring out with certainty what it is.

    I think we've got to get these probabilities as accurate as a weatherman predicting rain before ROSI can become a useful tool.
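The January 04 comment lays out the ROSI inputs (A: control cost, B: loss from the bad event, C: probability without the control, plus the non-zero residual probability), and the comment above argues that a small error in C is enough to scramble the ranking of competing controls. The following is an added example, not code from the post or any commenter, that computes ROSI from those inputs and checks whether the ranking survives moving each probability estimate across a plausible range; the two controls and all figures are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                    # A: annual cost of the control
    loss: float                    # B: cost of the bad event if it happens
    p_range: Tuple[float, float]   # C: plausible low/high annual probability without the control
    p_with: float                  # residual annual probability with the control (not 0)


def rosi(cost: float, loss: float, p_without: float, p_with: float) -> float:
    """Return on security investment: (annual loss avoided - cost) / cost.

    Annualised loss expectancy (ALE) is probability x loss; the control earns
    back the difference between ALE without it and ALE with it.
    """
    avoided = (p_without - p_with) * loss
    return (avoided - cost) / cost


def rank(controls: List[Control], scenario: str) -> List[str]:
    """Rank controls by ROSI using the low or high end of each probability range."""
    idx = 0 if scenario == "low" else 1
    scored = [(rosi(c.cost, c.loss, c.p_range[idx], c.p_with), c.name) for c in controls]
    return [name for _, name in sorted(scored, reverse=True)]


def ranking_is_stable(controls: List[Control]) -> bool:
    """True only if the order is the same at both ends of the estimate ranges."""
    return rank(controls, "low") == rank(controls, "high")


# Constructed sample controls; every figure here is invented for illustration.
CONTROLS = [
    Control("laptop disk encryption", cost=10_000, loss=4_000_000,
            p_range=(0.004, 0.008), p_with=0.001),
    Control("mail filtering upgrade", cost=5_000, loss=500_000,
            p_range=(0.02, 0.03), p_with=0.005),
]

if __name__ == "__main__":
    for c in CONTROLS:
        lo = rosi(c.cost, c.loss, c.p_range[0], c.p_with)
        hi = rosi(c.cost, c.loss, c.p_range[1], c.p_with)
        print(f"{c.name}: ROSI {lo:+.2f} .. {hi:+.2f}")
    print("ranking (low estimates): ", rank(CONTROLS, "low"))
    print("ranking (high estimates):", rank(CONTROLS, "high"))
    print("ranking stable:", ranking_is_stable(CONTROLS))
```

With these figures the encryption control ranks last on the low estimates and first on the high ones, so a factor-of-two uncertainty in C flips the decision even though every other input is held fixed.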
  • Anonymous
    January 06, 2006
    Which isn't that difficult thanks to http://www.noaa.gov/rosi
  • Anonymous
    January 16, 2006
    Steve,

    I invite you to review the following methodology that we use to address part of the ROSI dilemma: http://www.css-security.com/downloads/security_kaizen_faq.pdf

    I hope it helps with your research.
  • Anonymous
    February 23, 2006
    Hi,
    I just read the thread and would like to state the following:
    Some of you have correctly stated that it is quite hard to predict future harms and what they might cost you.
    In my opinion, there is a whole business making money with predictions like that: insurance companies. They predict what it will cost to fix all damaged cars in the next year and charge me money for that. And at the end of the day, the insurance company earned loads of money. I think, if we want to get close to a satisfyingly accurate ROSI, we should take a look at what insurance companies do to predict future damages and what they might cost you.