It is tough for information security (infosec) managers and chief information security officers (CISOs) to make a case for investment in information security, as it requires calculating the returns on security investment,
Risk-oriented thought process for ROSI calculation
Measuring return on security investments is difficult because it is akin to an insurance policy, which is an investment for an event that may or may not take place. In order to calculate return on security investment, an infosec manager or a CISO should know what to measure.
For instance, if your antivirus blocks 30 viruses in a day, is it good or bad? In this case, the return on security investments cannot be measured in terms of point implementation or the product, but should be calculated on the basis of the risk it is addressing. Hence, instead of comparisons of the antivirus with other similar products in the market, the emphasis should be on measuring its effectiveness in mitigating the risk. It is important to fundamentally change the thought process from being product oriented to risk oriented, while calculating return on security investments.
To derive the required return on security investments, organizations currently use concepts like Single Loss Expectancy (SLE), Annualized Loss Expectancy (ALE), and Annualized Rate of Occurrence (ARO), which help in quantifying the impact if an asset is lost or damaged, frequency of such losses, and other such issues. However, there are fundamental flaws in these methods, which analyze the expected loss based on several assumptions and hence, may not be able to give an accurate ROSI. There are some other qualitative methods, which define expected loss in values like high, medium, and low. However, these methods may not be able to give you numbers with reference to return on security investment.
Proposed assessment approaches
Risk should be the focal point while assessing return on security investments. In order to understand the risk well, you need to get in touch with the business to get an estimate of the expected loss value. You can use existing risk assessment and management methods for this. After obtaining the risk value from the business, identify the kind of controls that may be required to address the risk. Finally, add up the cost of controls to arrive at the total cost of investment for that particular risk. Thus, here you are focusing on return on risks being covered rather than return on security products. Once you know the risk value and cost of controls, it is easy to get the difference. It may or may not seem justified at times.
The Control Objectives for Information and related Technology (COBIT) framework also provides linkage between business and IT, enabling you to calculate the return on IT investment. Similarly, the framework can also be used to compute returns on security investment. You can also have a linkage between your business, IT and security goals.
Security metrics is another significant way to identify the return on security investments. The security metrics basically enable an organization to identify its efforts towards information security and measure their effectiveness. Here, you measure the performance of a security control over a long period of time, find out its drawbacks, and the losses incurred due to it. The metrics mainly track the performance of several security controls (antivirus, firewalls, IPS) against the risks they are supposed to cover. When you track this, you progress towards measuring the return on those security investments. Security Metrics are probably a post-facto justification of the return on security investments.
About the author: Chaitanya Kunthe is the head for consultancy services at Miel e-Security Private Limited. He focuses on risk management and compliance.
(As told to Dhwani Pandya)
This was first published in October 2010