Case Study

Value Made Visible

How American Water's Bruce Larson uses a simple metric to build bridges with business partners and justify security spending at the same time

By Scott Berinato

Page 4

Examples for the Formula

Whether it's based on actual events or potential futures, the Value Protection ratio gives security officers a real metric to present and it gives executives a simple, clean picture of security investments' relative value. Here are three examples of how it could be used by an organization with a normal operations cost (N) of $1 million:

Example 1. A medium-level virus outbreak costs $70,000 across all operations.

VP = (1,000,000 - 70,000) / 1,000,000 = 0.93

Larson calls a 0.9 ratio "exceptional." A Value Protection ratio of 0.93 probably doesn't require more investment or lowering of event impact, especially if trying to increase the ratio would take away from investment in other areas where Value Protection isn't as strong.

Example 2. An insider fraud attack causes $500,000 in response and recovery costs, lawyers' fees, insurance costs and unrecouped stolen goods.

VP = (1,000,000 - 500,000) / 1,000,000 = 0.5

In rare instances where high risk is tolerable, such as a high-level R&D project, protecting half the value of an investment might be acceptable. But in most cases, value protection of 0.5 is "usually pretty bad," Larson says. And that makes sense: It means your security is a 50/50 proposition.

Example 3. A network vulnerability leads to customers' personal data being stolen, resulting in $1.2 million in damages from response and recovery, lawyers' fees, government fines and other ancillary costs, as well as a significant drop in stock value after negative publicity.

VP = (1,000,000 - 1,200,000) / 1,000,000 = -0.2

Negative ratios are a clear sign that an organization doesn't have the proper information security defenses in place, because they mean that security events have cost, or could cost, more than the organization spends on normal operations. Immediate steps should be taken to fortify the information security controls.

"Excellent" Value Protection might be, say, from 0.8 to the essentially unachievable 0.99; "good" Value Protection might be from 0.6 to 0.8 and so forth. While these are some generally definable ranges, it's important to remember that there are no right answers. All the Value Protection ratio can do is define where you stand, or would stand after a certain investment and certain negative events. After that, it's in the business process owners' hands. They own the risk, and it's up to them to decide if the ratio is "right" for your organization.

As Larson said, it's not complex. But he did say it was "long." For the sake of getting the basic idea down, we skipped all that. Now we'll go into what makes his formula long, namely defining normal operations costs and event impact.
