If you are an information security or business continuity professional, then you’re probably aware of the most difficult part of your job: to convince your management that investment in information security/business continuity makes sense.
Traditionally, “making sense” for management means that the revenues that will result from the investment will be larger than the total cost of investment. (Of course, there are some other aspects the management will also consider – read Management’s view of information security).
So what’s the problem? The problem is, even if you can calculate the total cost, there are no revenues to be made; OK, instead of revenues you might have cost savings, but the general opinion is that these are impossible to calculate.
However, I think there is a way to estimate the financial benefits (i.e. cost savings) of information security. Let’s take a deeper look of what it really means.
Is it really impossible?
First of all, you need to estimate the potential damage an incident could cause – it is also called the Single Lost Expectancy or SLE. But to calculate SLE you need to take into account several factors:
- The scope of the potential incident – which departments, locations, business units and processes would be affected.
- The cost of purchasing of equipment, goods and materials that were damaged by the incident.
- Employees – the cost of employees resolving the incident.
- Legal and/or contractual penalties – if you didn’t comply with legislation or contractual obligations.
- Lost revenues – both from your existing clients and from potential clients.
The next step is to estimate the likelihood – normally, you would have to consider threats and vulnerabilities, as well as existing security measures. The best way is to assess how often you think such an incident would occur – e.g. once every three months, once every three years or once every 30 years.
When you multiply Single Lost Expectancy and likelihood, you get the Annualized Lost Expectancy (ALE) – you could also consider this number to be the annual cost of that risk. For instance, the annualized risk of earthquake will cost you US$ 30000 if SLE is US$ 3 million and the likelihood is once in 100 years.
After that you would need to assess the frequency of the potential incident after you implement security measures – in the earthquake example, the frequency will stay the same; however, if you implement more effective anti-virus software, the likelihood of a successful malicious code attack will decrease.
Finally, you need to estimate how much your security measures will cost – to be accurate, you will again need to take into account various factors:
- Purchase value – cost of hardware, software, implementation services etc.
- Residual value of the security measure – its value after it is no more in use.
- External costs of maintenance – servicing, repairs etc.
- Internal costs of maintenance – mainly employees.
When you have all these inputs together, you will know whether your Return on Security Investment is positive or not – the point is that the decrease in your risk needs to be bigger than the total cost of security measures. It is best if you calculate both on an annualized level – this would mean that your Annualized Lost Expectancy has to be greater than the annual cost of security measures.
“Delusion or idiocy?”
When we have published our ROSI Calculator based on the above mentioned logic, one of the leading information security experts (whom I really do respect) has commented our tool on his Twitter account as follows: “delusion or idiocy? take your pick: – just enter ‘probability of incident occurrence’:-( #ROSI #ROI”.
Why did he react this way? – Let’s be realistic, it is quite difficult to calculate all the costs related to the potential damage of an incident; however it is even more difficult to estimate precisely the likelihood of such an incident occurring. Especially if there are no statistics to support such an estimation.
But the question is – is it better to have nothing at all, or is it better to have at least some feeling about the financial consequences of the work you are doing? If you are a perfectionist, you will probably wait for another 10 or 20 years for a better methodology / statistics to evolve (by the way, the banking sector is now developing those under Basel II – Advanced Measurement Approach); or if you are a realist, you could use this logic to help you, keeping in mind that it is not perfect.
If you take the latter approach, you won’t be the only one in your company – just take a look what your marketing department is doing. They usually spend a lot of money on TV and radio commercials, but they cannot calculate exactly if that is profitable either, can they? What they sure are good at is presenting why this investment is needed, guessing along the way quite a lot of factors. Instead of making fun of them you should learn from them.
Something is better than nothing
So is it possible to calculate exactly what the Return on Security Investment will be? Unfortunately, the sceptics are right – it is impossible to calculate it precisely – mainly because it is difficult to estimate the likelihood of incident occurrence. But chances are you wouldn’t miss the probability that much – you wouldn’t assess the likelihood once in 100 years if it is more likely that an incident is going to happen every five years. That, together with taking into account all other relevant factors, will give you a much better picture of the risk your organization is exposed to.
And having that information in hand is much better than having nothing at all. More importantly, you will start speaking your management’s language (Profit & Loss language), which increases your chances of being heard.
Here you can learn how to make your investment in ISO 27001 profitable and learn whether to go with a quantitative or a qualitative approach in the risk assessment process.
To access the free Return on Security Investment (ROSI) Calculator, click here.