Calculated Risk: Return on Security Investment

Sure, determining ROSI (return on security investment) is difficult. But it's also the key to selling your budget. Here's our three-step guide to getting started.

1 2 Page 2
Page 2 of 2

Know how the executives want the ROSI positionedcash savings, productivity gains, increase in securityand move forward that way. Many sources also report that making the ROSI case interactive for executivesallowing them to tweak variables and watch what happens to the ROSIis by far the single most effective selling tool you can use. "The key is not to be defensive about the data, as I think IT sometimes can be," IST's Jacobson says. "Don't defend the model; explain it."

Nigriny thinks there are other, underrated sales skills CSOs need to foster in themselves. A general familiarity with accounting is priceless, he says. Also, "You have to be good at public speaking and at PowerPoint engineering. If you're speaking to the CFO, expect him to do some number crunching; have your numbers ready for him. The CEO? The executive summary is far more important. Talk to the CFO ahead of time; you'll have his support, and the CEO won't have to sit through the numbers discussion," says Nigriny.

We weren't kidding when we said this is laborious, intensive work. To Nigriny, ROSI is fractallike, in that the closer he examines his situation, the more intricate it becomes. "Every time I thought I had it covered, a raft of new variables came up. I've just got this swag of numbers here I have to deal with," a nonplussed Nigriny says.

It's up to the CSO to set the thresholds of what's really needed for a particular scenario. You can make ROSI as simple or as complicated as you think is necessary, and an obvious tenet that emerges is that a simpler ROSI will be somewhat less accurate than a detailed ROSI, but the detailed version will require ever more legwork.

Step 3: Do the math

In the end, the math is simple. You subtract cost from benefits. A positive number is good: a return on investment. A negative number is bad: You're spending more than you're getting.

Of course, the math behind the variables and coefficients that go into the costs and benefits is massively complex. Fortunately, if you've got raw data from your legwork, someone else has done or will do the difficult computations for you. Still, there are some basic risk computations you should know. Here they are:

Annual Loss Expectancy. ALE is the foundation of risk assessment. It is what it sounds like: how much money you expect to lose per year due to some sort of security incident. Note that this is different than the raw cost of an incident (which, remember, you should always keep as a baseline). It's actually the raw cost times the probability of an event in the next year. So the ALE of a security breach that costs $1 million and has a 40 percent chance of happening is:

Incident cost X Probability of incident = ALE

$1,000,000 X 0.4 = $400,000

Modified ALE. mALE is the same equation, but with the probability affected by mitigation measures you take. Imagine the above scenario were a virus attack. You introduce antivirus software that cuts in half the probability of a successful attack, to 20 percent. Or, you start an awareness program that reduces probability 5 percent. (These are arbitrary, but if you've done the legwork from Step 2, you'll have real numbers to plug in here.) Then:

Probability X Mitigation A = Modified probability

Probability X Mitigation B = Modified probability

A: 0.4 X 0.5 = 0.2

B: 0.4 X 0.95 = 0.38

You must consider each mitigation separately. Once you've gone through the process for several types of mitigation, you can pick which ones you feel are most important or provide the best return. (Of course, some mitigation measures will have overlapping effects. We're not putting that into this math.)

At any rate, adding mitigation measures produces modified ALEs:

Incident cost X Modified probability = mALE

A: $1,000,000 X 0.2 = $200,000

B: $1,000,000 X 0.38 = $380,000

So, in each case you've reduced your ALE.

ALE - mALE = Savings

A: $400,000 - $200,000 = $200,000

B: $400,000 - $380,000 = $20,000

This is the step at which executives will want to interact with the model, seeing how different measures that they take affect their mALE.

Now, to get a basic return, you simply subtract the cost to implement each mitigation measure from your savings on your mALE by implementing the mitigation. Let's say mitigation A, antivirus software, costs $120,000. And mitigation B, an awareness program, costs $8,000. Then:

Savings - Mitigation cost = ROSI

A: $200,000 - $120,000 = $80,000

B: $20,000 - $8,000 = $12,000

Both mitigation measures provide a ROSI (if the final number came out negative, then you're spending more than you're getting back). Awareness actually has a higher return; or put another way, you get the most bang for the buck. (Your savings are 2.5 times what you spend, whereas in the antivirus case, they are 1.7 times what you spend.)

This is a simple model. No doubt CSOs, consultants and vendors with their own ideas will hue and cry that we've presented ROSI in this particular, facile way. But we're only trying to provide a guiding primer. To attempt more in this space would be a fool's errand. (For example, we didn't even approach the concept of Net Present Value, which takes into account costs and benefits over time as if all the money were here now. Ask your CFO.)

Don't take this as a final "how to" but rather as a starting point to develop your own ROSI. But don't forget: The most important message is to do the homework. Collect as much data as possible so that there's plenty to crunch.

ROSI is empirical, but in many ways it's emotional, believe it or not. It is about coming up with numbers, but those numbers are only useful in the context of how executives feel about them. ROSI is risk economics that paints a picture of your organization's attitude toward security. What level of risk is the enterprise comfortable with? How does the company prioritize its limited resources? Is technology or awareness more valuable as a tool? Suddenly you're answering business questions based on the security numbers.

"The numbers right now show patch management automation doesn't provide a positive return for this organization," Nigriny says. "So why would I do it? It just doesn't make sense." Just by coincidence, it seems, ROSI has aligned Nigriny with the business.

Copyright © 2002 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 hot cybersecurity trends (and 2 going cold)