{"id":656,"date":"2005-04-24T00:00:00","date_gmt":"2005-04-24T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2005\/04\/24\/what-price-security\/"},"modified":"2021-12-30T11:37:53","modified_gmt":"2021-12-30T11:37:53","slug":"what-price-security","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2005\/04\/24\/what-price-security\/","title":{"rendered":"What Price Security?"},"content":{"rendered":"<p>All businesses take risks &#8211; especially if they can lead to rewards.  That&#8217;s partly what return on investment (ROI) is all about.  In exchange for money spent, you hope to reap something in return.  But what about investments whose returns aren&#8217;t easily measured in dollars and cents?  For example, how do you measure ROI for security?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article looks at new ways that businesses are making the ROI case for this critical investment.<\/p>\n<p>It&#8217;s a conundrum that plagues businesses large and small as they strive to wring competitive advantage from every dollar they spend: Where is the quantifiable proof that X amount of spending will prevent Y amount of losses due to security breaches?<\/p>\n<p>Traditional cost-benefit analysis hasn&#8217;t been much help here because costs and benefits need to be measured in the same terms.  
That&#8217;s easy with some straightforward revenue-enhancing investments, but not with security.<\/p>\n<p>For many companies, the benefit of their security investment often boils down to so-called &#8220;soft&#8221; returns &#8212; such as the protection of their brand image by avoiding the negative publicity associated with being hacked.<\/p>\n<p>Perhaps it&#8217;s not surprising that, in the absence of hard numbers, advocates for increased security spending sometimes find themselves falling back on fear, uncertainty and doubt &#8212; or FUD &#8212; to make their case.<\/p>\n<p>In the past few years a body of research has grown that supports the theory that it is possible to calculate a tangible return on security investment (ROSI).  Much of this research comes from the fields of risk assessment and risk management.<\/p>\n<p>It looks at such things as cost reduction related to risk mitigation and productivity gains associated with security investment.<\/p>\n<p>Cost-benefit trade-offs<\/p>\n<p>Researchers at the University of Idaho assessed the cost-benefit trade-offs for a network intrusion detection system (IDS) they built.  Their goal was to prove that it&#8217;s more cost-effective to deal with attacks using intrusion detection than through other means.<\/p>\n<p>Their conclusion: An IDS that cost $40,000 and was 85 percent effective resulted in a ROSI of $45,000 on a network that was expected to lose $100,000 yearly as a result of intrusions (that is, 85 percent of the $100,000 expected annual loss avoided, less the $40,000 cost of the system).<\/p>\n<p>Baseline comparisons<\/p>\n<p>In another study, researchers erected a network infrastructure similar to that used by companies conducting transactions over the Internet.  Performance metrics were taken to establish a baseline throughput rate.  
Security measures were then applied in steps, and new metrics were taken and compared with the baseline.<\/p>\n<p>Researchers found that applying appropriate security measures can create efficiency gains &#8212; that is, increased network throughput &#8212; of more than 3 percent.<\/p>\n<p>As the above examples show, calculating a tangible ROSI is math- and labor-intensive.<\/p>\n<p>Research is now available to help calculate the cost of security incidents to an organization and the probability that a given incident will occur.<\/p>\n<p>At the same time, the threat of cyber attacks continues to grow each day, including the emergence of two overarching threats to corporate computer security: fast-spreading &#8220;blended&#8221; malicious code, and insufficient funding allocated by managers for security initiatives.<\/p>\n<p>Source: http:\/\/www.itstrategycenter.com\/itworld\/Res\/analytics\/what_price_sec\/index.html<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-656","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/656","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=656"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/
wp-json\/wp\/v2\/posts\/656\/revisions"}],"predecessor-version":[{"id":3143,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/656\/revisions\/3143"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=656"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=656"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=656"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}