Case Study
Value Made Visible
How American Water's Bruce Larson uses a simple metric to build bridges with business partners and justify security spending at the same time
By Scott Berinato
Event Impact Defined
How would Larson and that call center manager settle on $20,000 as their event impact E in the previous example? Well, Larson has a specific way to calculate this too. Event impact E is the sum of five types of costs that result from an event. Those cost types are: response costs (Rp), recovery costs (Rc), cost of penalties (Pn), costs associated with lost revenue (LR) and costs related to a damage in perception or reputation (Pc).
If you substitute E with the costs that compose it, the Value Protection ratio looks like this:
VP = N (Rp + Rc + Pn + LR + Pc) / N
About these costs, Larson says it's first important to "measure what you can, and don't measure what you can't." Not every event will carry all of the costs. And not every cost will be quantifiable, since some costs are hidden, delayed or just plain hard to figure. For example, in the Welchia case, no penalties were levied, so the Pn variable drops out of the equation.
Welchia didn't result in a change in perception of American Water or RWE Thames, either. But a case like ChoicePoint's notorious security breach did. So is it included? Not necessarily. Larson says this variable, Pc, is one of the hardest to quantify. And unless he has a solid number, say a drop in stock price, or specific customer losses directly attributed to negative publicity, he leaves it out. Larson is equally leery of other tabulated costs that he says others don't hesitate to throw into their metrics. Productivity losses, which would fall into recovery costs, are one of them. "What if we lost e-mail for the day?" Larson asks. "We could be more productive. Any time I hear someone say, 'Oh, that tool paid for itself in a week just with the productivity gains alone,' I'm skeptical." Likewise for lost revenue. Larson says that just because orders are lost to downtime doesn't mean those orders are lost forever.
Larson refuses to fudge it. He quantifies only what he and the business process owner can pin down with some certainty. With the fuzzier costs, he and the process owners might assign an agreed-upon cost that will carry an asterisk. For example, with lost revenue, he might ask the business process owner how many sales were missed during downtime, and then what percentage were likely recouped later. Then together they adjust their assigned cost. "It's very necessary to always be coordinated," Larson notes.
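The rules above (sum the five cost types, drop any component that cannot be measured rather than guessing it, discount lost revenue by the share the business owner expects to recoup, and mark agreed-upon fuzzy values with an asterisk) can be written down as a small calculation. The code below is an added example, not the article's own or American Water's; the function names and the dollar figures are constructed for illustration and are not the $20,000 from the Welchia case.

```python
"""Event impact E as a sum of measurable cost components (added example, not from the article)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# The five cost types named in the article, in the article's notation.
COMPONENTS = ("Rp", "Rc", "Pn", "LR", "Pc")


@dataclass
class CostItem:
    amount: float
    estimated: bool = False  # True means the value "carries an asterisk" (agreed-upon, not measured)


def adjust_lost_revenue(missed_sales: float, recouped_fraction: float) -> CostItem:
    """Lost revenue LR: sales missed during downtime minus the share the process
    owner expects to recoup later. Always flagged as estimated."""
    if not 0.0 <= recouped_fraction <= 1.0:
        raise ValueError("recouped_fraction must be between 0 and 1")
    if missed_sales < 0:
        raise ValueError("missed_sales must be non-negative")
    return CostItem(missed_sales * (1.0 - recouped_fraction), estimated=True)


def event_impact(costs: dict[str, Optional[CostItem]]) -> tuple[float, list[str], list[str]]:
    """Return (E, components omitted, components flagged as estimates).

    A component set to None is treated as unquantifiable and drops out of the
    sum ("measure what you can, and don't measure what you can't")."""
    unknown = set(costs) - set(COMPONENTS)
    if unknown:
        raise ValueError(f"unknown cost components: {sorted(unknown)}")
    total = 0.0
    omitted: list[str] = []
    flagged: list[str] = []
    for name in COMPONENTS:
        item = costs.get(name)
        if item is None:
            omitted.append(name)
            continue
        if item.amount < 0:
            raise ValueError(f"{name} cannot be negative")
        total += item.amount
        if item.estimated:
            flagged.append(name)
    return total, omitted, flagged


def worm_outbreak_example() -> tuple[float, list[str], list[str]]:
    """A Welchia-style event: no penalties, no measurable reputation hit.
    All figures are constructed for the example."""
    costs = {
        "Rp": CostItem(8000.0),                    # staff hours spent responding
        "Rc": CostItem(5000.0),                    # rebuilding and patching hosts
        "Pn": None,                                # no penalties levied, so Pn drops out
        "LR": adjust_lost_revenue(10000.0, 0.6),   # $10k missed, 60% expected to be recouped
        "Pc": None,                                # no solid number for perception, so Pc drops out
    }
    return event_impact(costs)


if __name__ == "__main__":
    e, omitted, flagged = worm_outbreak_example()
    print(f"E = ${e:,.0f}; omitted: {omitted}; estimated (asterisk): {flagged}")
```

The point of returning the omitted and flagged lists alongside E is that the number handed to a business partner then carries its own caveats: which terms were left out and which were negotiated rather than measured.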