This article looks at new ways that businesses are making the ROI case for this critical investment.
It’s a conundrum that plagues businesses large and small as they strive to wring competitive advantage from every dollar they spend: Where is the quantifiable proof that X amount of spending will prevent Y amount of losses due to security breaches?
Traditional cost-benefit analysis hasn’t been much help here because costs and benefits need to be measured in the same terms. That’s easy with some straightforward revenue-enhancing investments, but not with security.
For many companies, the benefit of their security investment often boils down to so-called “soft” returns — such as the protection of their brand image by avoiding the negative publicity associated with being hacked.
Perhaps it’s not surprising that, in the absence of hard numbers, advocates for increased security spending sometimes find themselves falling back on fear, uncertainty and doubt — or FUD — to make their case.
In the past few years a body of research has grown that supports the theory that it is possible to calculate a tangible return on security investment (ROSI). Much of this research comes from the fields of risk assessment and risk management.
It looks at such things as cost reduction related to risk mitigation and productivity gains associated with security investment.
Cost-benefit trade-offs
Researchers at the University of Idaho assessed the cost-benefit trade-offs for a network intrusion detection system (IDS) they built. Their goal was to show that it is more cost-effective to deal with attacks using intrusion detection than through other means.
Their conclusion: An IDS that cost $40,000 and was 85 percent effective resulted in a ROSI of $45,000 on a network that was expected to lose $100,000 yearly as a result of intrusions.
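The figures above are consistent with the standard ROSI arithmetic, in which the expected yearly loss (ALE) is the single-loss expectancy times the annual rate of occurrence, and the return is the loss the control prevents minus what the control costs. The following is an added worked example, not code from the Idaho study or from this article; the formula, the SLE/ARO split of the $100,000 loss, and the two alternative controls are assumptions chosen to illustrate the model. It reproduces the $45,000 result, gives the break-even effectiveness below which the IDS would lose money, and ranks several candidate controls the way a budget decision would.

```python
"""Worked ROSI model (added example; not the cited study's own calculation).

Assumed formulas:
    ALE  = SLE * ARO                       # annualised loss expectancy
    ROSI = ALE * effectiveness - cost      # net yearly benefit, in dollars
With ALE = $100,000, a $40,000 IDS that is 85 percent effective yields
100,000 * 0.85 - 40,000 = $45,000, the figure quoted in the article.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float     # dollars per year (purchase amortised plus operations)
    effectiveness: float   # fraction of expected loss the control prevents, 0..1


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Expected yearly loss: single-loss expectancy times annual rate of occurrence."""
    if sle < 0 or aro < 0:
        raise ValueError("loss and rate of occurrence must be non-negative")
    return sle * aro


def rosi_dollars(ale: float, control: Control) -> float:
    """Net yearly benefit of a control: loss avoided minus the control's cost."""
    if not 0.0 <= control.effectiveness <= 1.0:
        raise ValueError("effectiveness must be a fraction between 0 and 1")
    return ale * control.effectiveness - control.annual_cost


def rosi_ratio(ale: float, control: Control) -> float:
    """Return per dollar spent (the ratio form many ROSI papers report)."""
    if control.annual_cost <= 0:
        raise ValueError("control must have a positive cost")
    return rosi_dollars(ale, control) / control.annual_cost


def breakeven_effectiveness(ale: float, control: Control) -> float:
    """Minimum effectiveness at which the control just pays for itself (ROSI = 0)."""
    if ale <= 0:
        return float("inf")   # nothing to protect: no effectiveness justifies the spend
    return control.annual_cost / ale


def rank_controls(ale: float, controls: Iterable[Control]) -> List[Control]:
    """Candidate controls sorted best-first by dollar ROSI; negative ones lose money."""
    return sorted(controls, key=lambda c: rosi_dollars(ale, c), reverse=True)


if __name__ == "__main__":
    # Constructed inputs: the article's IDS figures plus hypothetical alternatives.
    ale = annualized_loss_expectancy(sle=25_000, aro=4)   # $100,000 expected yearly loss
    candidates = [
        Control("network IDS (article)", annual_cost=40_000, effectiveness=0.85),
        Control("cheap filtering appliance", annual_cost=10_000, effectiveness=0.30),
        Control("managed SOC service", annual_cost=90_000, effectiveness=0.95),
        Control("half-measure", annual_cost=60_000, effectiveness=0.50),
    ]
    for c in rank_controls(ale, candidates):
        print(f"{c.name:28s} ROSI ${rosi_dollars(ale, c):>10,.0f}  "
              f"ratio {rosi_ratio(ale, c):+.2f}  "
              f"break-even effectiveness {breakeven_effectiveness(ale, c):.0%}")
```

The break-even figure is the check a practitioner wants alongside the headline number: the article's IDS only has to stop 40 percent of the expected loss to pay for itself, so the 85 percent estimate has comfortable margin, whereas a control whose cost approaches the ALE needs near-perfect effectiveness before it returns anything.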
Baseline comparisons
In a third study, researchers built a network infrastructure similar to that used by companies conducting transactions over the Internet. Performance metrics were taken to establish a baseline throughput rate. Security measures were then applied in steps, and new metrics were taken and compared with the baseline metrics.
Researchers found that applying appropriate security measures can create efficiency gains — that is, increased network throughput — of more than 3 percent.
As the above examples show, calculating a tangible ROSI is math- and labor-intensive.
Research is now available to help calculate the cost of security incidents to an organization and the probability that a given incident will occur.
At the same time, the threat of cyber attacks continues to grow each day, and two overarching threats to corporate computer security have emerged: fast-spreading "blended" threats (malicious code that combines several attack techniques), and insufficient funding allocated by managers for security initiatives.
http://www.itstrategycenter.com/itworld/Res/analytics/what_price_sec/index.html