In Depth
Calculated Risk: Return on Security Investment
Sure, determining ROSI (return on security investment) is difficult. But it's also the key to selling your budget. Here's our three-step guide to getting started.
By Scott Berinato
You get the idea. ROSI is labor-intensive. In his partial history of the patch management ROSI above, though, Nigriny demonstrates much of what you need to do to prepare to use ROSI. Here it is:
Find and use data that's out there. The most common misconception CSOs have about ROSI is that there isn't any data available to even start an ROSI study. There's a ton of it, and the body of usable statistics is growing. Some of it is free for the taking; other data you may have to pay for, but the actuarial figures do exist. (CSOs who come from a physical security world probably know this, as they've dealt with the risk of theft, natural disasters and so forth for a long time and have sought out the data on the probability of such events.)
CERT and Riptech, for example, have combed over data to discover some incredibly useful facts. They measured attacks per company, which right now come in at a rate of 2,112 attacks over two years. What's more, at current growth, that number will grow to 8,403 attacks per company over two years. That's a fourfold increase.
Consultancy @Stake has published well-known numbers that prove that the earlier you build security into applications, the higher the return. The company's researchers now believe they probably lowballed their 21 percent ROI for incorporating security from the start.
You need to cull as much of this kind of data as possible and keep it in your toolbox because the more you set out to show returns on security, the more you'll be coming back to these kinds of figures.
Canvass to get what's not out there. If the first piece of advice is "go to the library," then this is "play detective." You must develop certain numbers yourself, like the cost of incidents to your organization and the probability that a given incident will occur. While these numbers can be based on published research, honing them for your situation requires canvassing the relevant players.
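A worked ROSI calculation built from the two numbers this step says you must develop, the cost of an incident and the probability (expressed as an annual rate) that it occurs. This is an added example, not from the article: the ALE-based ROSI formula, the dollar figures, the reduction the control achieves and the use of the fourfold two-year attack growth as a projection are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """The inputs you canvass for: what one incident costs you and how often it occurs."""
    cost_per_incident: float   # single loss expectancy, dollars (constructed values below)
    incidents_per_year: float  # annualized rate of occurrence

    def ale(self) -> float:
        """Annualized loss expectancy = cost per incident x incidents per year."""
        return self.cost_per_incident * self.incidents_per_year


def rosi(before: Exposure, after: Exposure, annual_control_cost: float) -> float:
    """Return on security investment as a fraction of the control's annual cost.

    Assumed (standard ALE-based) formula, not one the article states:
    (ALE_before - ALE_after - control_cost) / control_cost.
    """
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    risk_reduced = before.ale() - after.ale()
    return (risk_reduced - annual_control_cost) / annual_control_cost


def project_rate(rate_now: float, growth_factor: float, horizon_years: float, years_ahead: float) -> float:
    """Compound an observed growth trend (e.g. fourfold over two years) onto a current rate."""
    per_year = growth_factor ** (1.0 / horizon_years)
    return rate_now * per_year ** years_ahead


def worked_example() -> dict:
    """Constructed patch-management scenario: $50,000 per incident, 2 incidents a year
    today, a control costing $40,000 a year that cuts the rate by 75 percent."""
    before = Exposure(cost_per_incident=50_000.0, incidents_per_year=2.0)
    after = Exposure(cost_per_incident=50_000.0, incidents_per_year=0.5)
    today = rosi(before, after, annual_control_cost=40_000.0)

    # Same control, but with the incident rate projected one year out using the
    # fourfold-over-two-years growth trend cited in the article.
    grown = project_rate(2.0, growth_factor=4.0, horizon_years=2.0, years_ahead=1.0)
    before_next = Exposure(50_000.0, grown)
    after_next = Exposure(50_000.0, grown * 0.25)
    next_year = rosi(before_next, after_next, annual_control_cost=40_000.0)
    return {"rosi_today": today, "rosi_next_year": next_year, "rate_next_year": grown}


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value:.3f}")
```

The point the numbers make is that the same control looks far better once the probability input reflects the growth trend, which is why the article insists on sourcing and refreshing these figures.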