Organizations are starting to think of information security as a business
enabler and a differentiator from their competitors. For example, if I were
interested in online banking and one of the two banks I was considering had
suffered a security breach, which would I be more likely to choose?
In the rush to bring a product or service to market, companies often take
shortcuts in many areas, sometimes bypassing information security altogether.
Security issues are set aside, to be fixed once the project has gone live. This
happens even though it is well established that add-on security is more costly
and less effective than security implemented in parallel with product
development.
For example, research conducted by the MIT Sloan School of Management and
@stake revealed some interesting statistics: on average, organizations caught
only a quarter of their software security holes and typically had seven
significant bugs within their enterprise software. The same study found that
fixing those defects during the testing phase cost one-seventh of what it cost
after deployment, and that building security into software engineering at the
design stage would net a 21 percent ROSI (return on security investment);
waiting until the implementation stage would reduce that to 15 percent, and at
the testing stage the ROSI would fall to 12 percent. IBM reported similar
findings: an error found after product release cost four to five times as much
to fix as one uncovered during design, and in the worst cases up to 100 times
as much.
Verticals such as BPOs are today pursuing BS 7799 certification as a business
differentiator.
A Simple ROSI Model
Let us now look at a simple business model for investment in information
security. It is certainly not the only methodology, nor the best one, but it can
serve as a starting point for more in-depth analysis.
Annual loss expectancy (ALE) is the foundation of risk assessment. It is what
it sounds like: how much money you expect to lose per year due to some sort of
security incident. Note that this is different from the raw cost of an incident
(which, remember, you should always keep as a baseline). It is the raw cost
multiplied by the probability of the event occurring in the next year. (For
incidents that can recur several times a year, the same quantity is usually
written as single-loss expectancy multiplied by the annualised rate of
occurrence; the arithmetic below is unchanged.) So the ALE of a security breach
that costs Rs 1 lakh and has a 40 percent chance of happening is:
Incident cost x probability of incident = ALE
Rs 1,00,000 x 0.4 = Rs 40,000
Modified ALE (mALE) is the same equation, but with the probability adjusted
for the mitigation measures you take. Imagine the above scenario were a virus
attack. You introduce anti-virus software that cuts the probability of a
successful attack in half, to 20 percent. Or, you start an awareness program
that reduces the probability by five percent of its current value (that is,
multiplies it by 0.95). Then:
Probability x mitigation A = Modified probability
Probability x mitigation B = Modified probability
A: 0.4 x 0.5 = 0.2
B: 0.4 x 0.95 = 0.38
You must consider each of the mitigations separately. Once you've gone
through the process for several types of mitigation, you can pick which ones you
feel are most important or provide the best return. (Of course, some mitigation
measures will have overlapping effects. We're not putting that into this
math.)
At any rate, adding mitigation measures produces modified ALEs:
Incident cost x modified probability = mALE
A: Rs 1,00,000 x 0.2 = Rs 20,000
B: Rs 1,00,000 x 0.38 = Rs 38,000
So, in each case you've reduced your ALE.
ALE - mALE = Savings
A: Rs 40,000 - Rs 20,000 = Rs 20,000
B: Rs 40,000 - Rs 38,000 = Rs 2,000
This is the step at which executives will want to interact with the model,
seeing how the measures they choose affect the mALE.
Now, to get a basic return, you simply subtract the cost to implement each
mitigation measure from the savings on your mALE by implementing the mitigation.
Let's say mitigation A, anti-virus software, costs Rs 12,000. And mitigation
B, an awareness program, costs Rs 800. Then:
Savings - mitigation cost = ROSI
A: Rs 20,000 - Rs 12,000 = Rs 8,000
B: Rs 2,000 - Rs 800 = Rs 1,200
Both mitigation measures provide a positive ROSI (if the final number came out
negative, you would be spending more than you get back). Awareness actually has
the higher return per rupee: its savings are 2.5 times what you spend, whereas
in the anti-virus case they are about 1.67 times what you spend. In absolute
terms, though, anti-virus returns Rs 8,000 against Rs 1,200 for awareness, so
which measure 'wins' depends on whether the budget or the rupee return is the
constraint.
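The model above, carried through in Python for any number of mitigations, as an added example that is not code from the original article. The figures are the article's own; the rule it uses when two mitigations are deployed at once (each removes its share of the probability the other leaves behind) is an assumption this example adds, since the article deliberately leaves overlapping effects out of its math:

```python
"""The article's simple ROSI model, generalised to any number of mitigations.

Added example; this is not code from the original article. The figures are
the article's own: a Rs 1,00,000 incident with a 40 percent annual
probability, anti-virus that halves the probability for Rs 12,000 a year,
and an awareness program that trims it by five percent for Rs 800 a year.
The rule used to combine several mitigations in evaluate() is an assumption
of this example (the article leaves overlapping effects out of its math).
"""
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class Mitigation:
    name: str
    reduction: float    # fraction of the incident probability removed (0.5 halves it)
    annual_cost: float  # rupees per year


# The article's two mitigations.
ANTI_VIRUS = Mitigation("anti-virus", reduction=0.5, annual_cost=12_000)
AWARENESS = Mitigation("awareness", reduction=0.05, annual_cost=800)


def ale(incident_cost: float, probability: float) -> float:
    """Annual loss expectancy: raw incident cost x probability of it in the next year."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return incident_cost * probability


def modified_probability(probability: float, reductions) -> float:
    """Residual probability after applying each reduction in turn.

    A single reduction reproduces the article's 'probability x mitigation'.
    Several are combined multiplicatively: each mitigation is assumed to remove
    its fraction of whatever probability the others leave behind (assumption,
    see module docstring), so savings are never simply added up.
    """
    p = probability
    for r in reductions:
        if not 0.0 <= r <= 1.0:
            raise ValueError("reduction must lie in [0, 1]")
        p *= 1.0 - r
    return p


def evaluate(incident_cost: float, probability: float, mitigations) -> dict:
    """ALE, mALE, savings, ROSI and savings-to-cost ratio for the given
    mitigations deployed together (pass a one-element list for one control)."""
    base = ale(incident_cost, probability)
    residual = modified_probability(probability, [m.reduction for m in mitigations])
    m_ale = ale(incident_cost, residual)
    cost = sum(m.annual_cost for m in mitigations)
    savings = base - m_ale
    return {
        "names": [m.name for m in mitigations],
        "ALE": base,
        "mALE": m_ale,
        "savings": savings,
        "cost": cost,
        "ROSI": savings - cost,  # negative: the control costs more than it saves
        "ratio": savings / cost if cost else inf,
    }


def rank(incident_cost: float, probability: float, mitigations, key: str = "ROSI") -> list:
    """Evaluate each mitigation on its own and sort best-first by `key`:
    'ROSI' for rupees saved net of cost, 'ratio' for savings per rupee spent."""
    rows = [evaluate(incident_cost, probability, [m]) for m in mitigations]
    return sorted(rows, key=lambda row: row[key], reverse=True)


if __name__ == "__main__":
    cost, p = 100_000, 0.4
    for key in ("ROSI", "ratio"):
        print(f"Ranked by {key}:")
        for row in rank(cost, p, [ANTI_VIRUS, AWARENESS], key=key):
            print(f"  {row['names'][0]:<11} mALE Rs {row['mALE']:>9,.0f}  "
                  f"ROSI Rs {row['ROSI']:>7,.0f}  ratio {row['ratio']:.2f}")
    both = evaluate(cost, p, [ANTI_VIRUS, AWARENESS])
    naive = sum(evaluate(cost, p, [m])["ROSI"] for m in (ANTI_VIRUS, AWARENESS))
    print(f"Both together: ROSI Rs {both['ROSI']:,.0f} "
          f"(adding the two individual ROSIs would overstate it as Rs {naive:,.0f})")
```

Run stand-alone, it prints the two rankings (anti-virus first by rupees, awareness first by ratio) and a combined ROSI of Rs 8,200 for both controls together, against Rs 9,200 if the two individual ROSIs were simply added; the gap is the overlap caveat the text mentions, made visible.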
Other ROSI Models
Some security managers are grappling with ways to provide economic
justification for their information-security investments via concepts such as
RoI and net present value. One information-security manager at a major
multinational company says the company's ongoing program to measure the RoI of
its intrusion-prevention systems includes checklist items such as the cost of
remediation of network problems flagged by the system.
Furthermore, RoI doesn't take into account the time value of money. The
time value of money is one of the old chestnuts of economic theory, in part
because it is obviously valid. If someone has Rs 100 today, he can invest it and
have more than Rs 100 in a year's time. So if you give that person Rs 100 in a
year, he will be less well off than if you hand over that Rs 100 today.
Or to put it another way, if you give a person somewhat less than Rs 100
right now, he will be just as happy as he would be if you handed him the full
Rs 100 in a year. The 'somewhat less than one hundred' that you give him now
(rather than a year from now) is the present value of the Rs 100 you have
promised to pay in a year; net present value sums such discounted amounts across
all of an investment's cash flows, outlays included. Thus, rather than the
traditional accounting notion of RoI, economists prefer to talk in terms of net
present value or internal rate of return, a time-adjusted notion of rate of
return.
There's nothing hypothetical about the applicability of these metrics to
security budgeting: A growing number of managers are starting to use the
net-present-value approach as a metric to quantify the benefits of their
security expenditures. Recent research shows that about a third of CIOs surveyed
claim that concepts like net present value are becoming important factors to
information-security managers in weighing the costs and benefits of a security
investment. More important, many CFOs are starting to require such an analysis
from information-security managers as they already do from managers of other
organizational subunits.
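To make the time-value argument concrete, the following added example (not code from the original article) computes present value, net present value and internal rate of return for a security spend. The scenario is constructed: a control costing Rs 30,000 up front that returns the Rs 8,000 a year of net savings worked out for anti-virus earlier, for five years, judged at a 10 percent discount rate. The outlay, horizon and discount rate are assumptions, not figures from the article.

```python
"""Time value of money for a security investment: present value, NPV and IRR.

Added example, not code from the original article. The cash-flow scenario is
constructed for illustration: a control that needs Rs 30,000 up front and then
returns the article's Rs 8,000 a year of net savings for five years, judged
against a 10 percent discount rate. Outlay, horizon and rate are assumptions.
"""


def present_value(amount: float, rate: float, years: int) -> float:
    """Rupees today that are worth `amount` paid `years` from now at `rate` per year.
    present_value(100, 0.10, 1) is the article's 'somewhat less than Rs 100'."""
    return amount / (1.0 + rate) ** years


def npv(rate: float, cash_flows) -> float:
    """Net present value of cash_flows, where cash_flows[t] falls at the end of
    year t (t = 0 is today). Spending is negative, savings positive."""
    return sum(present_value(cf, rate, t) for t, cf in enumerate(cash_flows))


def irr(cash_flows, lo: float = -0.9, hi: float = 10.0, tol: float = 1e-10) -> float:
    """Internal rate of return: the discount rate at which NPV is zero, found by
    bisection. Requires NPV to change sign between lo and hi, which one up-front
    outlay followed by positive inflows always satisfies."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("no IRR in [lo, hi]: NPV does not change sign")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if f_mid == 0.0:
            return mid
        if (f_mid < 0) == (f_lo < 0):
            lo, f_lo = mid, f_mid  # root lies above mid
        else:
            hi = mid               # root lies below mid
    return (lo + hi) / 2.0


def appraise(upfront_cost: float, annual_saving: float, years: int, discount_rate: float) -> dict:
    """Undiscounted return (the simple ROSI view) next to NPV and IRR for a
    one-off outlay followed by level annual savings."""
    flows = [-upfront_cost] + [annual_saving] * years
    value = npv(discount_rate, flows)
    return {
        "undiscounted_return": annual_saving * years - upfront_cost,
        "npv": value,
        "irr": irr(flows),
        "accept": value > 0,  # equivalently: irr exceeds the discount rate
    }


# Constructed scenario (assumption, not figures from the article).
UPFRONT, ANNUAL_SAVING, YEARS, DISCOUNT_RATE = 30_000, 8_000, 5, 0.10

if __name__ == "__main__":
    print(f"Rs 100 a year from now is worth Rs {present_value(100, DISCOUNT_RATE, 1):.2f} today")
    r = appraise(UPFRONT, ANNUAL_SAVING, YEARS, DISCOUNT_RATE)
    print(f"Undiscounted return over {YEARS} years: Rs {r['undiscounted_return']:,.0f}")
    print(f"NPV at {DISCOUNT_RATE:.0%}: Rs {r['npv']:,.0f}   IRR: {r['irr']:.2%}   accept: {r['accept']}")
    print(f"Accept at a 12% hurdle rate: {appraise(UPFRONT, ANNUAL_SAVING, YEARS, 0.12)['accept']}")
```

Undiscounted, the spend looks comfortably positive (Rs 10,000 over five years); at 10 percent the NPV is only a few hundred rupees above zero and the IRR is about 10.4 percent, so a CFO who discounts at 12 percent would reject it. That gap between simple ROSI and the time-adjusted figures is the point the paragraph above makes.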
Akshay Lamba, Bharti Tele-Ventures
Security Tips
Tips for making a compelling business case for information security:
- Present your proposal in terms that are meaningful for your audience: business objectives, market share, reputation, customer satisfaction and privacy, competition.
- Show that you care as much about the business as you want decision makers to care about security.
- Demonstrate how your proposal mitigates information security risk for one or more high-priority computing assets (information, hardware, software, processes, key staff knowledge). Keep in mind that what may be an unacceptable security practice may still be an acceptable business risk.
- Do your homework on what the organization is currently spending on security and the cost of recent incidents. Develop both quantifiable and less tangible arguments: annualized loss expectancy, return on security investment, total cost of ownership, loss of reputation/market share, lack of service availability. Compare your organization with others in your market segment and consult other reputable sources.
- Involve key stakeholders in this process and make your business case using a structured approach.