In Depth
Calculated Risk: Return on Security Investment
Sure, determining ROSI (return on security investment) is difficult. But it's also the key to selling your budget. Here's our three-step guide to getting started.
By Scott Berinato
the probability affected by mitigation measures you take. Imagine the above scenario were a virus attack. You introduce antivirus software that cuts the probability of a successful attack in half, to 20 percent. Or, you start an awareness program that reduces the probability by 5 percent. (These are arbitrary numbers, but if you've done the legwork from Step 2, you'll have real numbers to plug in here.) Then:
Probability X Mitigation A = Modified probability
Probability X Mitigation B = Modified probability
A: 0.4 X 0.5 = 0.2
B: 0.4 X 0.95 = 0.38
You must consider each mitigation separately. Once you've gone through the process for several types of mitigation, you can pick which ones you feel are most important or provide the best return. (Of course, some mitigation measures will have overlapping effects. We're not putting that into this math.)
At any rate, adding mitigation measures produces modified ALEs:
Incident cost X Modified probability = mALE
A: $1,000,000 X 0.2 = $200,000
B: $1,000,000 X 0.38 = $380,000
So, in each case you've reduced your ALE.
ALE - mALE = Savings
A: $400,000 - $200,000 = $200,000
B: $400,000 - $380,000 = $20,000
This is the step at which executives will want to interact with the model, seeing how different measures that they take affect their mALE.
Now, to get a basic return, you simply subtract the cost to implement each mitigation measure from your savings on your mALE by implementing the mitigation. Let's say mitigation A, antivirus software, costs $120,000. And mitigation B, an awareness program, costs $8,000. Then:
Savings - Mitigation cost = ROSI
A: $200,000 - $120,000 = $80,000
B: $20,000 - $8,000 = $12,000
Both mitigation measures provide a positive ROSI (if the final number came out negative, you'd be spending more than you're getting back). Awareness actually has the higher return relative to its cost; put another way, it gives you the most bang for the buck. (Your savings are 2.5 times what you spend, whereas in the antivirus case they are 1.7 times what you spend.)
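The three-step arithmetic above (modified probability, mALE, savings, ROSI) is easy to carry in a small script so that each candidate mitigation is evaluated the same way and the results can be ranked. The example below is added here and is not from the article; the `Mitigation` type, the `residual_factor` field and the ranking helpers are assumptions of this example. It uses the article's own figures as constructed sample input and generalizes the calculation to any list of mitigations, reporting both the net return and the savings-to-cost ratio, since the article shows that the two can rank measures differently.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Mitigation:
    """One candidate control (hypothetical type for this example)."""
    name: str
    # Fraction of the original probability that remains once the measure is in
    # place: 0.5 halves the probability, 0.95 cuts it by 5 percent.
    residual_factor: float
    # Annual cost to implement the measure, in the same currency as incident cost.
    cost: float


def annual_loss_expectancy(incident_cost: float, probability: float) -> float:
    """ALE = incident cost X annual probability of the incident occurring."""
    return round(incident_cost * probability, 2)


def evaluate(incident_cost: float, probability: float, m: Mitigation) -> dict:
    """Apply the article's three steps to a single mitigation."""
    if not 0.0 <= m.residual_factor <= 1.0:
        raise ValueError(f"{m.name}: residual_factor must be between 0 and 1")
    if m.cost < 0:
        raise ValueError(f"{m.name}: cost cannot be negative")

    ale = annual_loss_expectancy(incident_cost, probability)
    modified_probability = probability * m.residual_factor          # Step: Probability X Mitigation
    male = round(incident_cost * modified_probability, 2)           # Step: Incident cost X Modified probability
    savings = round(ale - male, 2)                                  # Step: ALE - mALE
    rosi = round(savings - m.cost, 2)                               # Step: Savings - Mitigation cost
    # "Bang for the buck": how many times the spend comes back as avoided loss.
    ratio = round(savings / m.cost, 2) if m.cost else float("inf")
    return {
        "name": m.name,
        "ale": ale,
        "modified_probability": modified_probability,
        "male": male,
        "savings": savings,
        "rosi": rosi,
        "savings_to_cost": ratio,
        # A negative ROSI means the measure costs more than the loss it avoids.
        "worthwhile": rosi > 0,
    }


def rank_by_rosi(incident_cost: float, probability: float, mitigations) -> list:
    """Mitigations ordered by absolute net return, largest first."""
    results = [evaluate(incident_cost, probability, m) for m in mitigations]
    return sorted(results, key=lambda r: r["rosi"], reverse=True)


def rank_by_ratio(incident_cost: float, probability: float, mitigations) -> list:
    """Mitigations ordered by savings per unit of spend, largest first."""
    results = [evaluate(incident_cost, probability, m) for m in mitigations]
    return sorted(results, key=lambda r: r["savings_to_cost"], reverse=True)


# Constructed sample input, taken from the article's worked scenario.
INCIDENT_COST = 1_000_000.0
PROBABILITY = 0.4
CANDIDATES = [
    Mitigation("antivirus software", residual_factor=0.5, cost=120_000.0),
    Mitigation("awareness program", residual_factor=0.95, cost=8_000.0),
]


if __name__ == "__main__":
    for r in rank_by_rosi(INCIDENT_COST, PROBABILITY, CANDIDATES):
        print(f"{r['name']:<20} mALE ${r['male']:>12,.0f}  savings ${r['savings']:>10,.0f}  "
              f"ROSI ${r['rosi']:>9,.0f}  ratio {r['savings_to_cost']:.2f}x")
```

Ranking by `rosi` puts the antivirus software first ($80,000 net), while ranking by `savings_to_cost` puts the awareness program first (2.5x versus 1.7x), which is the distinction the article draws between a higher return and the most bang for the buck. As the article notes, overlapping effects between measures are not modelled; each mitigation is evaluated independently against the baseline ALE.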
This is a simple model. No doubt CSOs, consultants and vendors with their own ideas will raise a hue and cry that we've presented ROSI in this particular, facile way. But we're only trying to provide a guiding primer. To attempt more in this space would be a fool's errand. (For example, we didn't even approach the concept of Net Present Value, which accounts for costs and benefits over time as if all the money were here now. Ask your CFO.)
Don't take this as a final "how to" but rather as a starting point to develop your own ROSI. But don't forget: The most important message is to do the homework. Collect as much data as possible so that there's plenty to crunch.