Security Value Made Visible

How American Water's Bruce Larson uses a simple metric to build bridges with business partners and justify security spending at the same time

Thank God for the Welchia worm—for at least one company, it helped clarify the value of security.

In retrospect, says Bruce Larson, security director at American Water, it was that particular piece of malware that helped to legitimize his information security program.

Just before Welchia hit in 2003, Larson had gained responsibility for security operations at a partner water company in England, RWE Thames. (Both American Water and RWE Thames were part of the water division of RWE AG, a German multiutility company; that water division is now being divested.) Larson wanted to export to RWE Thames processes and products he used at American Water (including standards for a consistent architectural reference model, intrusion and anomaly detection systems from Arbor Networks, vulnerability assessments and identity management tools, among others). But he'd have to prove the benefit of making the investments required to bring Thames's security up to American Water's level, since Thames was not consistent in using these tools and practices.

Also see The Metrics Collection

Enter Welchia. It was an odd, antihero kind of worm that attempted to infect a computer in order to remove an older worm, Blaster, and then update the system's defenses. Whatever nobility it aspired to, Welchia nevertheless was a virus that could break computers and, like all worms, disable networks by jamming them up with its own traffic as it attempted to propagate itself.

"Welchia affected both of our enterprises on the same day near the same hour," Larson says. "We were able to measure the differential in impact between the two." The gap was stark: At American Water, 19 computers were initially infected, and response started in minute one. After two weeks, just 100 computers had been infected and all were fixed. Welchia resulted in zero days of downtime and required 40 man-hours of response and recovery time.

At RWE Thames on the other hand, "Every computer that could be infected was," Larson says. "Every business subnet was offline. The routers clogged, and the networks went dark, and we had to manually rehabilitate the operation." RWE Thames endured eight days of total or partial downtime and, compared with American Water's 40 man-hours of recovery, RWE Thames needed thousands of man-hours.

Not surprisingly, executives across the pond bought in to American Water's infosecurity program. What's more, Larson also found that American Water's effective defenses gave him a baseline, a normal cost of operations, to measure against. "Before that, we were trying to use ROI to justify funding. After Welchia, we realized we really could measure how much value we protected. This is hard evidence of the differential between good security and OK security," he says. "It's perhaps unique to have hard data like this, but we do. We have the metrics. So, in a twisted sort of way, thank God for Welchia."

The event served as a catalyst in the ongoing development of a key metric that Larson uses to justify his existence to the business. He calls it the Value Protection metric.

Value Protection is Larson's attempt to overcome security's classic problem of seeming like nothing but a drain on the business. "Look, business units do one of two things: increase revenue or increase efficiency," Larson says. "We don't bring in revenue. So then you say, 'OK, then you're making the business more efficient, right?' Well, no, we don't do that either. So, if those are the two possible goals of a business unit and we don't fulfill either, then I'm confused.

"So we came up with Value Protection," Larson says. "You spend time and capital on security so that you don't allow the erosion of existing growth or prevent new growth from taking root. The number-one challenge for us is not the ability to deploy the next, greatest technology. That's there. What we need to do now is quantify the value to the business of deploying those technologies."

Also see The Value Protection Cheat Sheet

"It adds value; we're very supportive of it," says Steve Schmitt, American Water's vice president of operations, of Larson's Value Protection metric. For a while, people were just trying to create reasonable security, Schmitt says, "but now you need something more, something that proves the value, and that's what Bruce developed. Plus, as a secondary benefit, it's getting us better visibility from business owners and partners on risks and better ways to mitigate the risks."

Here, Larson shows how he uses the Value Protection metric to that end.

Value Protection Defined

By Larson's own admission, figuring out the Value Protection metric is "not complex, just long," by which he means it will require some legwork, meetings with business unit leaders and canvassing for data. The basic Value Protection metric is a ratio that looks like this: Value Protection = (Normal Operations Cost ($) - Event Impact ($)) / Normal Operations Cost ($). In formula:

VP = (N - E) / N

Seems simple enough. Larson's metric just subtracts the cost of security events from the normal cost of doing business, then divides by that same operations cost to get a ratio. The point of making Value Protection into a ratio is that it gives Larson a simple scale to present to executives. On this scale, a ratio of one would be perfect. (Imagine a security event with zero costs and then plug that variable into the formula: (N - 0) / N equals N / N, which equals 1.)

But events that have zero impact aren't really events, so a Value Protection ratio of one is really just an idealized fiction. It's better to think of Value Protection as a number approaching one, and to think of the information security department's job as bringing that ratio as close to one as possible. Strictly looking at the formula's variables, there are two ways to move the Value Protection ratio closer to one: minimize event impact or increase normal operations costs. That is, you either find ways to make your E smaller or your N larger.

Increasing the N isn't always an option. Even if it is an option, it might not be the one you want to lead with. After all, if you can lower your E without increasing spending, that's both more efficient for you and more desirable to your bosses.

And in fact there are ways to finesse the Value Protection ratio closer to one without increasing spending. Take security information management (SIM) systems. Traditionally, SIMs were used to look for network traffic anomalies and then raise alarms when something suspicious came across the wire. But in the post-Sarbanes-Oxley world, SIMs have been extended to become compliance tools, using the logging capability they already possessed to track network activity. With little or no increase in operations costs, information security managers have lowered their security event costs, since compliance fines could be minimized with proper logging.

"We could be more productive. Any time I hear someone say, 'Oh, that tool paid for itself in a week just with the productivity gains alone,' I'm skeptical."

- Bruce Larson

Managing information security by plugging data from real events into the Value Protection formula is the ideal situation. Larson was lucky enough to have the real thing, the Welchia worm, to combat. That this real thing hit in two distinct geographies, which he could then compare, made him even luckier. It was a stark case, which Larson says showed RWE Thames suffered "at least 100 times the impact" that American Water suffered.

But not everyone has that kind of detailed comparative or historical data. (Larson will continue to collect such data, and both he and VP of Operations Schmitt say they will continue to refine their use of Value Protection as a metric.)

Value Protection can also be used as an investment analysis tool. In that scenario, a CISO would aggregate the total expected negative event impact over the life of a particular investment and then subtract that from the operating costs over that same period of time to get an expected Value Protection ratio for any given potential investment or set of investments. (Calculating the event impact costs for events that haven't happened presents a challenge, and requires intense dialogue and collaboration between the security department and business units; more on this later.)

Examples for the Formula

Whether it's based on actual events or potential futures, the Value Protection ratio gives security officers a real metric to present and it gives executives a simple, clean picture of security investments' relative value. Here are three examples of how it could be used by an organization with a normal operations cost (N) of $1 million:

Example 1. A medium-level virus outbreak costs $70,000 across all operations.

VP = (1,000,000 - 70,000) / 1,000,000 = 0.93

Larson calls a 0.9 ratio "exceptional." A Value Protection ratio of 0.93 probably doesn't require more investment or lowering of event impact, especially if trying to increase the ratio would take away from investment in other areas where Value Protection isn't as strong.

Example 2. An insider fraud attack causes $500,000 in response and recovery costs, lawyers' fees, insurance costs and unrecouped stolen goods.

VP = (1,000,000 - 500,000) / 1,000,000 = 0.5

In rare instances where high risk is tolerable, such as a high-level R&D project, protecting half the value of an investment might be acceptable. But in most cases, value protection of 0.5 is "usually pretty bad," Larson says. And that makes sense: It means your security is a 50/50 proposition.

Example 3. A network vulnerability leads to customers' personal data being stolen, resulting in $1.2 million in damages from response and recovery, lawyers' fees, government fines and other ancillary costs, as well as a significant drop in stock value after negative publicity.

VP = (1,000,000 - 1,200,000) / 1,000,000 = -0.2

Negative ratios are a clear sign that an organization doesn't have the proper information security defenses in place, as it means that security events have or potentially will cost more than operations is spending to stop them. Immediate steps should be taken to fortify the information security controls.

"Excellent" Value Protection might be, say, from 0.8 to the essentially unachievable 0.99; "good" Value Protection might be from 0.6 to 0.8 and so forth. While these are some generally definable ranges, it's important to remember that there are no right answers. All the Value Protection ratio can do is define where you stand, or would stand after a certain investment and certain negative events. After that, it's in the business process owners' hands. They own the risk, and it's up to them to decide if the ratio is "right" for your organization.

Like Larson said, it's not complex. But he did say it was "long." For the sake of getting the basic idea down, we skipped all that. But now we'll go into what makes his formula long, namely, defining normal operations costs and event impact.

"Normal" Defined

When trying to define normal operations costs, Larson enlists those he's trying to protect. "So if it's a customer service director with a call center, I say, 'What's your comfort level for service interruption?'" Larson explains. Notice he's mentioning a security event, and he's asking the stakeholder what impact he would be comfortable with. "So the call center guy says he's comfortable with so many minutes of interruption, which would cost whatever," Larson says. "Then I can say, 'These are the investments I need to make to ensure that level of service.'"

Larson is being canny here. He's deferring to the business process owners on what kind of pain, what event impact E, they are willing to endure. Once he has that variable, he can work with the Value Protection ratio to define what he'd need to spend to provide that level of protection.

Say the call center manager will tolerate 20 minutes of downtime a year, which would cost $20,000. And then say Larson is comfortable with a Value Protection ratio of 0.75 or higher.

VP = (N - E) / N

VP = 0.75 and E = $20,000, so 0.75 = (N - 20,000) / N
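The arithmetic behind the three examples, the investment-analysis use of the ratio over a set of expected events, and the call-center scenario just set up can all be worked in a few lines of code. The block below is an added example, not code from the article or from American Water; the band cutoffs encode the article's loosely stated ranges ("exceptional" at 0.9, "excellent" 0.8 to 0.99, "good" 0.6 to 0.8) as the editor read them, and the rearrangement that solves the formula for N (N = E / (1 - VP)) is ordinary algebra on the article's formula rather than a step the article itself shows.

```python
"""Value Protection (VP) metric, VP = (N - E) / N, worked in code.

Added example (editor's code, not the article's or American Water's).
N is normal operations cost in dollars; E is total security-event impact
in dollars over the same period.
"""
from typing import Iterable


def value_protection(normal_ops_cost: float, event_impact: float) -> float:
    """Return VP = (N - E) / N for one period's observed (or expected) impact."""
    if normal_ops_cost <= 0:
        raise ValueError("normal operations cost must be positive")
    return (normal_ops_cost - event_impact) / normal_ops_cost


def vp_for_expected_events(normal_ops_cost: float,
                           expected_impacts: Iterable[float]) -> float:
    """Investment-analysis use: aggregate the expected impact of every
    anticipated event over the life of the investment, then apply the ratio."""
    return value_protection(normal_ops_cost, sum(expected_impacts))


def required_normal_ops_cost(target_vp: float, tolerated_impact: float) -> float:
    """Solve VP = (N - E) / N for N given a target ratio and the impact E the
    business owner says it will tolerate.  Rearranged: N = E / (1 - VP).
    (Assumption: this rearrangement is the editor's; the article stops at
    setting up the equation.)  A target of 1 is the 'idealized fiction' the
    article describes and has no finite N, so it is rejected."""
    if target_vp >= 1:
        raise ValueError("target ratio must be below 1")
    return tolerated_impact / (1.0 - target_vp)


def band(vp: float) -> str:
    """Map a ratio onto the article's illustrative ranges.  Cutoffs are the
    editor's encoding of the article's loosely stated bands."""
    if vp < 0:
        return "negative: events cost more than operations spends to stop them"
    if vp >= 0.9:
        return "exceptional"
    if vp >= 0.8:
        return "excellent"
    if vp >= 0.6:
        return "good"
    return "below good"


if __name__ == "__main__":
    # The article's three examples, all against N = $1 million.
    N = 1_000_000
    examples = [
        ("medium-level virus outbreak", 70_000),
        ("insider fraud", 500_000),
        ("customer data theft", 1_200_000),
    ]
    for label, e in examples:
        vp = value_protection(N, e)
        print(f"{label:28s} VP = {vp:+.2f}  ({band(vp)})")

    # Investment analysis: two anticipated events over the investment's life
    # (constructed figures, not from the article).
    print(f"expected VP over investment life: "
          f"{vp_for_expected_events(N, [70_000, 30_000]):.2f}")

    # Call-center scenario: the owner tolerates $20,000 of downtime impact a
    # year and the security director wants VP of at least 0.75.
    print(f"N needed for VP 0.75 with E = $20,000: "
          f"${required_normal_ops_cost(0.75, 20_000):,.0f}")
```

Running the block prints 0.93, 0.50 and -0.20 for the article's three examples, and $80,000 for the call-center scenario; a lower target ratio or a higher tolerated impact raises the normal operations cost the ratio implies, which is exactly the lever Larson is describing when he asks a process owner what pain they will accept before naming a spend.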

Page 1 of 2