What's the Return On Security Investments? 21 percent, actually.

For years, the return on security investment (ROSI) hasn't been calculated as much as it has been postulated. A positive ROSI was "nothing happened." That fares poorly in budget reviews. One can almost hear the CEO barking, "If nothing happened, why spend more?" The CFO? Forget it. She wants a cost-benefit analysis, which is a problem because with security, it's an apples and oranges comparison. How so? With security, costs are in dollars; benefits are not. If you calculated ROSI as a crude ratio, Cost divided by Benefit, you'd end up with a fraction like:

The benefits of investing in security have always been characterized as mushy concepts that live far from the bottom line. Successes like avoiding bad press, or not losing productivity to a virus: these are important, but they don't translate into profits. The best argument you could make is that you may have prevented an unknowable amount of losses. Think of it this way: If you had to pay $100 for the right to access your seatbelt every time you got in a car, but you never got in an accident, what's your ROSI (Return On Seatbelt Investment)?

Now, a triad of brainy fellas from Stanford, MIT's Sloan School of Management and security consultancy @Stake have assigned a valid, numerical ROSI. They formally studied projects based on when secure practices were introduced into the software engineering process. It turns out, the earlier you build in security analysis and security engineering, the higher the ROSI. It breaks out like this:

Intro Security At:    ROSI:
Design                21%
Implementation        15%
Testing               12%

@Stake Labs has also conducted research which demonstrates, at least to their satisfaction, that security can create efficiency gains greater than 3 percent when systems are configured correctly and unused processes are shut off to maximize a machine's security and performance.
It appears that we are on the cusp of a sort of golden age of research that will define ROSI in very specific quantifiable terms. Already, @Stake is working on two more ROSI scenarios: one that determines the return on investment when companies harden operating systems to fit their needs specifically, and another that will determine the value of incident readiness, like when department stores determined there was value in the expensive process of putting in sprinkler systems.

The most encouraging sign of all is that none of this research would be possible without some forward-looking CIOs who are willing to participate in the process, to open up about security because they realize there's value in it.

"It requires us to have good relationships with customers to get the detailed data we need," says Chris Wysopal, @Stake's director of research and development. "We get quantifiable results from these customers and then, the more skeptical customers will start to get it.

"But the ones we're working with now already get it. They get excited about this, because they know with these statistics, they can communicate to upper management."

It's rare in information security these days to say things are looking up, but with ROSI, they are. How about that?