Security managers are under increasing pressure from corporate management to justify investments in information security technologies.

The capital and operational expenses associated with security technologies are frequently subjected to the traditional financial models of cost-benefit and return on investment (ROI) analyses. Given rigorous internal requirements for ROI or cost-benefit, IT managers are finding it harder to fund new initiatives for intrusion detection, policy and security management. This is because installed security technologies take precedence over new investments.

In fact, it is easier for an enterprise to justify additional investment in firewalls and anti-virus software, because the economics of these technologies are already well understood, and many companies have an established track record with them. The difficulty lies in new investments where the results are far less tangible. Given uncertain cost models with unknown levels of benefit, everyone is at a loss when it comes to modeling new investments.

We quickly reach a chicken-and-egg problem in which new investments are subjected to a degree of scrutiny never before used in evaluating security technologies. Suddenly, projects that yield quantifiable cost reduction are easier to sell and approve, and new projects that provide additional levels of information security insurance are difficult to fund.

Established Technologies are Easier to Justify

Firewall and anti-virus technologies have been widely adopted within the industry, and these products are developing their own legacy. Initially introduced as a cost associated with connecting to the Internet and to other companies, firewalls have become a standard line item associated with any network connection, and today they are as common as Ethernet.

The ubiquity of firewall technologies has given them a life of their own. Today, it is easier to fund a project to inventory firewalls than it is to install an intrusion detection system. The same goes for anti-virus technologies, where management, monitoring and version control have recurring capital and operational expenses that today are just a "cost of doing business."

Established security technologies like firewalls face a significantly lower performance threshold than newer technologies, because firewalls are measured against the benchmark of how much they have cost in the past. Few companies - if any - evaluate their investment in firewalls according to the same rigorous financial models they will use for intrusion detection and security policy management.

Well-Understood Networking Economics

In the case of a virtual private network (VPN), IT managers are working with the well-understood economics of networking. Given years of experience with frame relay and private line technologies, enterprises understand network costs and have well-developed financial models for evaluating new services and technologies. In many cases, a VPN is sold as a cost-reduction measure that has a readily quantifiable return on investment in these models.

Additionally, VPN gateway software is commonly bundled with firewall devices. At the same time, anti-virus and content filtering features are also included with the firewall. The consolidation of multiple security functions onto a single device at small offices and branch locations provides additional cost reduction and speeds up a return on investment.

Hard-to-Measure Results

Information security is insurance, because we never know the value of it until we need it. That is, we will never know the value of a firewall or anti-virus software until we deal with the large-scale impact of a computer virus. Even then, the only figure we can put on it is lost productivity, which is itself hard to measure. For example, how costly is it for a company to lose an email system, or an Internet connection?

More to the point, how much is top management willing to spend? Clearly, they are willing to spend more when they see the effects of a Code Red or Nimda, but information security risks are abstract. Security is paramount when an attack is ongoing and the corporate email system is down, but the criticality is forgotten almost immediately after the problem has been solved.

When we get back to business as usual, everyone wants quantifiable numbers for the dollar value of risk. We have a number of accepted ways to quantify loss values and expectations of risk, but we're only guessing. In an economy based upon information, the value of a loss goes beyond capital costs and lost productivity. Many companies get their inherent leverage from IT, and losses can easily go into the millions of dollars. We don't really know how costly intrusions can be, and it will be years before we can accurately quantify these losses.

Nothing Looks Like a Math Problem

The problem is that nothing really looks like a math problem. I was recently reading a paper about the economics of investments in information security. The paper was talking about how the level of investment should be at the point where the marginal cost of security is equal to the marginal benefit, and in theory, this makes sense.

In practice, nobody gives us our cost structures in the form of a mathematical function, from which we can readily take a derivative. This is compounded by even more complex and poorly understood benefits. The reality of costs and benefits is that these functions are frequently discontinuous 'step' functions. Ever try to buy half of a software license?

The marginal cost and marginal benefit models fall apart at each point where we must actually spend money. When we 'step' from one level of investment to another, the marginal cost is infinite, and so is the benefit. In other words, the mathematics of cost-benefit analysis can always justify additional investment in information technology.
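The step-function problem described above can be worked through numerically. The following is an added illustration, not code or figures from the article: it treats each purchasable level of investment as a discrete tier (tier names, costs and expected-loss figures are all constructed), values expected loss with the common annualized loss expectancy convention (single loss expectancy times annual rate of occurrence, assumed here as one of the "accepted ways" the article alludes to), and compares the tiers by total net benefit rather than by differentiating a cost curve that does not exist. The marginal quantities it reports are finite jumps between tiers, which is all that can be observed when nothing can be bought in between.

```python
"""Discrete cost-benefit comparison of security investment tiers.

Added example (not from the original article). Real security costs arrive in
whole units: licenses, appliances, head count. So instead of equating a marginal
cost to a marginal benefit, enumerate the tiers that can actually be bought and
compare each one's total cost against the expected loss it avoids.
All figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


def annual_loss_expectancy(single_loss_expectancy: float, annual_rate: float) -> float:
    """ALE = SLE x ARO: the expected loss per year from one class of incident."""
    return single_loss_expectancy * annual_rate


@dataclass(frozen=True)
class Tier:
    name: str                    # hypothetical tier label
    annual_cost: float           # capital plus operational cost per year (constructed)
    expected_annual_loss: float  # residual ALE once this tier is in place (constructed)


# Constructed scenario for one site. Tier 0 is "do nothing"; its residual loss
# is an ALE of $250k per incident at two incidents per year.
TIERS: List[Tier] = [
    Tier("none", 0.0, annual_loss_expectancy(250_000.0, 2.0)),
    Tier("ids-basic", 60_000.0, 320_000.0),
    Tier("ids-plus-policy-mgmt", 140_000.0, 180_000.0),
    Tier("full-suite", 260_000.0, 150_000.0),
]


def net_benefit(baseline: Tier, tier: Tier) -> float:
    """Expected loss avoided relative to the baseline, minus the tier's own cost."""
    loss_avoided = baseline.expected_annual_loss - tier.expected_annual_loss
    return loss_avoided - tier.annual_cost


def best_tier(tiers: List[Tier]) -> Tier:
    """Pick the tier with the largest net benefit against the do-nothing baseline."""
    baseline = tiers[0]
    return max(tiers, key=lambda t: net_benefit(baseline, t))


def marginal_steps(tiers: List[Tier]) -> List[Tuple[str, float, float]]:
    """Marginal cost and marginal benefit of stepping up to each successive tier.

    These are discrete differences, not derivatives: between two tiers the cost
    function is flat and the next unit of spend is the whole next tier.
    Returns (tier name, extra cost, extra loss avoided) per step.
    """
    steps = []
    for prev, cur in zip(tiers, tiers[1:]):
        extra_cost = cur.annual_cost - prev.annual_cost
        extra_benefit = prev.expected_annual_loss - cur.expected_annual_loss
        steps.append((cur.name, extra_cost, extra_benefit))
    return steps


if __name__ == "__main__":
    baseline = TIERS[0]
    for t in TIERS:
        print(f"{t.name:24s} cost={t.annual_cost:>10,.0f} "
              f"residual_loss={t.expected_annual_loss:>10,.0f} "
              f"net_benefit={net_benefit(baseline, t):>10,.0f}")
    for name, dc, db in marginal_steps(TIERS):
        verdict = "worth the step" if db > dc else "not worth the step"
        print(f"step to {name:24s} marginal_cost={dc:>10,.0f} "
              f"marginal_benefit={db:>10,.0f}  {verdict}")
    print("best tier:", best_tier(TIERS).name)
```

With these constructed figures the "ids-plus-policy-mgmt" tier has the highest net benefit; the step up to "full-suite" costs more than the additional loss it avoids, so the discrete comparison stops there even though a continuous marginal model would have had nothing to say about it.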

If the mathematics doesn't work, we have to resort to empirical data that can only be collected over time. Stepping away from an analytical model, we can get a much better idea of the true costs of security, or of the lack of it. As we collect more empirical data, we will be better able to rationalize and to justify investments in IT. Until this happens, however, we will be making our decisions in the dark.

The Best Investments

For now, we know that our greatest information security risks come from internal threats, not external attacks. The people we let into our offices every day can be our greatest enemies. This is why some of the best security investments are still in the form of physical security and processes and technologies for granting and revoking access privileges.

If the best investments are in simple approaches, then how do we incorporate new technologies into the decision-making process? Security policy management promises to be a high-value activity, but security managers face a difficult time getting budget, especially when they have to divert it from more established and better understood technologies like firewalls, VPNs and anti-virus.

Dan Taylor founded Giotto Perspectives (www.giotto.nu) in 1998 to provide clear, concise research and analysis in the networking and managed IP services marketplaces.