Cyber Security Institute

Tuesday, April 13, 2004

The New Economics of Information Security

Even for non-victims, there’s a financial hit in implementing security measures to prevent losses. Firewalls cost money, and so do the salaries of the security professionals who manage them. Yet, relatively little attention has been paid to the economics of information security.

Generally, we hear about the exorbitant losses in the more spectacular cases, or about totals gleaned from the annual Computer Security Institute/FBI Computer Crime Survey.

In fact, even the CSI/FBI survey doesn’t do justice to the magnitude of business loss from cybercrimes (see “The Indirect Cost Of Cybercrime”).

You usually don’t see information-security managers applying capital-budgeting techniques, such as the net present value (NPV) or internal rate of return (IRR), to information-security infrastructure investments.

Since information-security managers go up against other department managers for a share of the budget, it’s to their advantage to catch up with their peers who specialize in capital budgeting.

“I go to security conferences where we sit around puzzling about what kind of metrics to use for measuring the results of security programs,” says Adam Stone, a security management analyst for the financial-services industry.

He says we can learn from the methods of financial, statistical, economics and securities professionals who deal with these kinds of uncertainties all the time to predict and measure business effectiveness in a rational way.

Those who do think in economic terms are grappling with ways to use ROI and NPV to provide economic justification for investments.

The “somewhat less than $100” that you get now is the NPV of the $100 you’ve been promised in a year.

So, rather than the traditional accounting notion of ROI, economists prefer to talk in terms of NPV or IRR, the latter being a time-adjusted notion of rate of return.
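As an added illustration (not part of the original post), here is NPV and IRR applied to a security control the way a capital-budgeting peer would do it. The outlay, running cost, annualized loss expectancy (ALE) figures and discount rate are constructed, assumed values, not numbers from the article.

```python
# Added example: capital-budgeting arithmetic for a security investment.
# All dollar figures and rates below are constructed for illustration.

def npv(rate, cash_flows):
    """Net present value of cash_flows[t] received at the end of year t.
    cash_flows[0] is the up-front outlay (normally negative)."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def simple_roi(cash_flows):
    """Traditional accounting ROI: ignores the time value of money."""
    outlay = -cash_flows[0]
    return (sum(cash_flows[1:]) - outlay) / outlay


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-9):
    """Internal rate of return: the discount rate at which NPV is zero,
    found by bisection. Requires NPV to change sign once on [lo, hi]."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on the search interval")
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:   # root lies in [lo, mid]
            hi, f_hi = mid, f_mid
        else:                  # root lies in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def control_cash_flows(capex, annual_opex, ale_before, ale_after, years):
    """Cash flows for a control: the outlay now, then each year the ALE
    reduction it buys minus what it costs to run (assumed constant)."""
    annual_benefit = (ale_before - ale_after) - annual_opex
    return [-capex] + [annual_benefit] * years


if __name__ == "__main__":
    # The post's "$100 promised in a year" at an assumed 5% discount rate.
    print(f"NPV of $100 in a year at 5%: {npv(0.05, [0, 100]):.2f}")
    # Assumed firewall refresh: $60k up front, $10k/yr to run, 4-year life,
    # ALE falls from $50k to $15k. Discount rate assumed at 8%.
    flows = control_cash_flows(60_000, 10_000, 50_000, 15_000, 4)
    print(f"cash flows: {flows}")
    print(f"simple ROI: {simple_roi(flows):.1%}")
    print(f"NPV at 8%:  {npv(0.08, flows):,.2f}")
    print(f"IRR:        {irr(flows):.1%}")
```

Note how the undiscounted ROI (66.7%) overstates the case against the time-adjusted IRR (about 24%); the NPV at the chosen hurdle rate is the figure that competes directly with other departments' proposals.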