A five step process for achieving measurable returns on security investments

What do the president of the United States and a Fortune 1000 CIO have in common? For starters, both are responsible for mitigating immense security threats, maintaining budgets and justifying expenditures to governing committees for approval. They are also accountable for the failure or success of security in their respective domains.

Both the president, when supporting a multi-billion dollar Strategic Defense Initiative and the CIO when presenting a Strategic Security Initiative, are accountable for the underlying investment strategy.

The stakes are high. There are numerous sources and statistics for you to reference when articulating the scope of security threats. For example, according to security research firm mi2g, the combined worldwide economic damage from the Bagle, Netsky and MyDoom viruses has already reached $100 billion. Trusecure/ICSA Labs placed remediation costs for Blaster at $475,000 per company, with larger companies reporting losses of up to $4,228,000. The Nachi, Fizzer, Mumu, and Bugbear attacks all took their toll, as well - in the end, Computer Economics tallied the total cost of 2003's hit parade of viruses and worms at more than $13 billion.

CFOs make decisions within the context of a financial framework. More CFOs now require CIOs to work within that framework and translate security issues into a business context. During the security investment process, CFOs must know what the business risks are, how they will be mitigated, what the required investment is, and what the expected benefit to revenue retention or growth is. In other words, what is the business justification?

An effective security investment strategy will bridge the chasm between the technical and financial disciplines and present an investment strategy based on a financial framework and supported by technical initiatives.

The five-step process for creating a security investment strategy

As a rule of thumb, you do not protect a ten dollar horse with a thousand dollar fence. Otherwise stated, security investing should be in direct proportion to the value of the assets you are protecting, the level of threat posed to them, and the amount of mitigation effort required. You want to invest in security in direct proportion to your asset exposure.

This paper presents a five-step process for creating a sound security investment strategy supported by quantified analysis, including a valuation of exposed assets, a threat inventory, the financial impact and likelihood of threats, and a threat mitigation strategy.

Step 1 - Business Asset Valuation

Your investment strategy starts with a valuation of the assets you're protecting. Begin the asset valuation by talking with your internal compliance group, business continuity group or risk management organization. They may already have an up-to-date asset valuation for you; all three groups need to know how much to invest in corporate risk mitigation based on asset valuation.

To begin, organize a table of major revenue sources. Determine the percent of each revenue stream that is managed on information technology and therefore exposed to security risks. A company that derives 70% of a revenue source directly through the use of the underlying information technology infrastructure has an exposure factor of 0.7 for that revenue source. Last, calculate the exposed annual, daily, and hourly revenue for each revenue source.

Perform the same exercise for your intellectual property assets that are managed on information technology. Include trade secrets, customer data, research etc. and put an associated valuation and exposure factor on each.

Another major area of financial exposure is shareholder value. You can determine the percent of your stock valuation that is exposed as follows. Estimate an exposure factor based on the amount of impact experienced in the past when a negative event affected your stock, or the stock of similar companies. A typical exposure range is 1%-10% of stock valuation.

The deliverable for this step is a Business Asset Valuation Report that clearly defines the value of your corporate assets and their exposure to information security risks.

Step 2 - Threat Inventory Assessment

Which risks are you protecting your enterprise from? What information security threats will you focus on to build your case for investing in enterprise security?

To answer these questions we will create a set of "Information Security Events" (ISEs), determine their qualitative impact on the business and their history of occurrence, then estimate the future likelihood of their occurrence. Do not be concerned with the quantitative, or cost, impact of these events for the moment.

When determining the likelihood of occurrence ask yourself, how frequently has this event occurred over the last two years? What is the historical number of occurrences? Are the occurrences trending downward or upward? What is the potential of this ISE happening in the next two years?

The best place to start an ISE inventory is your security incident logs or help desk reports for the last 24 months. What ISEs have occurred in your enterprise?

Once you have exhausted your historical set of security events, look to external sources such as industry trade magazines, research firms and conferences to list the top threats you are facing but may not have experienced yet.

The deliverable for this step is a Threat Inventory Assessment that clearly defines the threats to your corporate assets and the historical and potential rate of occurrence.

Step 3 - Threat Impact Analysis

Now let's take the set of Information Security Events (ISEs) developed in step two and determine the impact of each ISE on asset valuation and the cost impact on your operations. This analysis will quantify the percent and dollar value of your assets that are impacted by breaches of information security, as well as the negative impact of each ISE on operating costs.

The first area we look at is revenue impact. To what extent is revenue impacted by the unavailability of revenue-linked systems or breaches of confidential corporate data? Lost revenue in this analysis is the amount lost as a direct result of an ISE.

To calculate direct revenue loss we examine the major revenue streams identified in step one, for example online, retail, service and B2B sales.

Next we identify the underlying information systems that facilitate revenue generation. Examples include Customer Relationship Management systems, trading systems, inventory control and reservation systems, all of which directly support revenue generation. When these systems are down your company is unable to capture a significant portion, if not all, of the dependent revenue stream during that period.

Next let's create the metrics used to quantify the impact of the ISEs on dependent revenue streams. Metrics include annual, monthly and daily sales per stream. The most granular way to capture revenue is at the transaction level. Transaction metrics include the number of transactions annually, per day and per hour, average transaction revenue, percent margin per transaction and net profit per transaction. With this data in hand you can now calculate the impact of an Information Security Event on revenue transactions.

The next part of this analysis is to determine what percent of share value can be wiped out by an ISE such as the theft of proprietary information, or the resulting public relations damage from a lawsuit and litigation.

Stock valuation impact is not a science; it is an educated estimate based on assumptions. For example, if your company had a negative press release in the past due to some error on its part, what was the impact on the stock valuation? Was it a 2% loss, a 5% loss or some other amount? What is the cost of a 2% drop in your shareholder value?

The operating cost impact of an ISE includes a variety of cost metrics. This is where the rubber meets the road and where a substantial portion of your business case is made. You must execute due diligence in this phase of the process in order to create credibility and the underlying "bottom up" assumptions that are the underpinnings of your case.

What percent of the organization's business processes run on information systems? If you are a Fortune 1000 company, chances are 80-90% of your processes run on information technology. When these revenue-dependent applications are down, how does this affect employee productivity? Employees typically lose between 50 and 90 percent of their productivity when a corporate network or a major application is down. Productivity loss is a major cost impact of ISEs.

The metrics used to calculate productivity loss include Number of Employees, Average Loaded Salary, Number of Work Hours per Year, and Gross Cost of Business per Hour. Outage and frequency metrics, which can be taken from your security logs or help desk reports, include Average Event Duration and Annual Number of Events.

From this data you can calculate and quantify the negative cost impact of ISEs on corporate productivity and operating costs.

What is the cost impact to the technology department? How does an ISE affect the operations of the IT department and what is the ripple effect throughout IT? These losses are steeper than general productivity loss for two reasons: IT workers are paid more than the average employee, and the time they spend remediating the ISE extends much longer than the downtime experienced by the rest of the corporation. Downtime for IT workers can exceed 5-10 times the amount of downtime experienced by the company at large.

The metrics used to calculate IT productivity loss include Number of IT Employees involved in response and remediation of security events, Average Loaded Salary, Number of Work Hours per Year, and Gross Cost of IT per Hour.

There are more cost impacts above and beyond the ones mentioned. Each enterprise is different and the impacts by ISE can also be different so customize the impact categories accordingly.

Total your financial risk basis: the process of calculating the effects on revenue, stock valuation and operating costs is conducted for each ISE. Once you have a set of ISEs calculated, you can average them to create an average Single Loss Expectancy (SLE).

When the SLE is multiplied by an Annual Rate of Occurrence (ARO), an Annual Loss Expectancy (ALE) figure results. The ALE represents the total amount of loss that can be expected for each ISE.

To calculate the total financial exposure of all threats, add together the independent ALEs to arrive at your grand total ALE. Last, multiply your grand total ALE by the number of years in your investment amortization to arrive at the financial risk basis for the investment strategy.
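The Step 3 arithmetic, from Step 1's hourly revenue and exposure factor through SLE, ARO, ALE and the amortized risk basis, as an added worked example that is not part of the article; the enterprise figures, the two ISEs and their parameters are constructed assumptions, not data from any company:

```python
# Added illustration of the article's model; every figure below is an assumption.
from dataclasses import dataclass

@dataclass
class Enterprise:
    annual_revenue: float       # revenue stream that is managed on IT (Step 1)
    exposure_factor: float      # share of that revenue exposed to an ISE (0.7 = 70%)
    employees: int
    loaded_salary: float        # average fully loaded annual salary
    work_hours_per_year: int
    it_responders: int          # IT staff involved in response and remediation
    it_loaded_salary: float
    market_cap: float           # shareholder value exposed to an ISE

@dataclass
class ISE:
    name: str
    avg_duration_hours: float   # average event duration seen by the business
    productivity_loss: float    # fraction of productivity lost (article: 0.5-0.9)
    it_downtime_multiple: float # IT remediation time as a multiple of business downtime
    stock_impact: float         # fraction of share value wiped out (0 if none)
    aro: float                  # annual rate of occurrence

def hourly_revenue(e: Enterprise) -> float:
    return e.annual_revenue / (365 * 24)

def hourly_cost(headcount: int, salary: float, hours: int) -> float:
    return headcount * salary / hours

def single_loss_expectancy(e: Enterprise, ise: ISE) -> float:
    """SLE = lost revenue + staff productivity loss + IT remediation cost + stock loss."""
    revenue = hourly_revenue(e) * e.exposure_factor * ise.avg_duration_hours
    productivity = (hourly_cost(e.employees, e.loaded_salary, e.work_hours_per_year)
                    * ise.productivity_loss * ise.avg_duration_hours)
    it_cost = (hourly_cost(e.it_responders, e.it_loaded_salary, e.work_hours_per_year)
               * ise.avg_duration_hours * ise.it_downtime_multiple)
    stock = e.market_cap * ise.stock_impact
    return revenue + productivity + it_cost + stock

def annual_loss_expectancy(e: Enterprise, ise: ISE) -> float:
    return single_loss_expectancy(e, ise) * ise.aro        # ALE = SLE x ARO

def financial_risk_basis(e: Enterprise, ises: list, amortization_years: int) -> float:
    return sum(annual_loss_expectancy(e, i) for i in ises) * amortization_years

# Constructed sample inputs: $876M exposed revenue (exactly $100,000/hour), 2,000 staff.
ACME = Enterprise(876_000_000, 0.7, 2000, 100_000, 2000, 10, 150_000, 1_000_000_000)
WORM = ISE("worm outbreak", 4, 0.5, 5, 0.0, 2.0)     # twice a year, no stock hit
BREACH = ISE("customer data breach", 8, 0.1, 10, 0.02, 0.1)  # once per decade, 2% of share value

if __name__ == "__main__":
    for ise in (WORM, BREACH):
        print(f"{ise.name}: SLE ${single_loss_expectancy(ACME, ise):,.0f}, "
              f"ALE ${annual_loss_expectancy(ACME, ise):,.0f}")
    print(f"3-year financial risk basis: ${financial_risk_basis(ACME, [WORM, BREACH], 3):,.0f}")
```

With these inputs the worm's SLE is $495,000 and the breach's $20.7M; weighting by ARO makes the rare breach the larger annual exposure ($2.07M versus $990,000), which is the point of the ARO step.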

Vetting your analysis. Go ahead and make educated assumptions and create a draft Threat Impact Analysis model for discussion with finance. This will become the basis for calculating financial risk and exposure. By sharing and discussing your assumptions and underlying calculations with finance and other stakeholders throughout the process, you will build consensus and facilitate buy-in by sharing ownership and authorship of the results. A financial model based on assumptions can only be improved; it cannot be dismissed.

The deliverable for this step is a Threat Impact Analysis Report that quantifies the cost impact of historical and potential threats to your corporation in dollar terms.

Step 4 - Threat Mitigation Strategy

Now that we know what we are protecting and what is at risk, it's time to develop a Strategic Security Roadmap to mitigate that risk. The purpose of the Security Roadmap is to outline a strategy for mitigating the financial exposure and risk your organization is facing and reduce it to an acceptable level.

The Security Roadmap and its underlying goals and objectives may be fed from several sources, including a Vulnerability Assessment and a Policy Compliance Assessment. Based on your organization's current security posture and ability to comply with policy, you will derive the objectives for the Security Roadmap, which will contain the strategy, plans, initiatives and technology to correct these weaknesses and achieve a more secure state.

Creating a tactical set of initiatives. In support of the Security Roadmap you'll create a tactical set of security initiatives. These initiatives will be actionable and will include specifics such as the name and description of the initiative, its relationship to the security strategy and which component it supports, investment requirements, resource requirements and the initiative timeline.

From the CFO's perspective the case for technology investing becomes more compelling when tangible risk mitigation initiatives are directly associated with a strategy and the investment. It is even more compelling when accompanied by a financial analysis of the amount of exposure that will be reduced.

Step 5 - Security Performance Measurement and Reporting

You can't manage what you don't measure. One of the key tactical initiatives in support of your Strategic Security Roadmap will be to measure and report security effectiveness on an ongoing basis. This trending of security effectiveness will provide your CFO with a tracking mechanism for investment return.

The effectiveness of any monitoring and measurement effort depends on the integrity of the underlying processes and the validity of the data that is captured. A variety of automated and manual means will be required to track this information and should be factored into your Security Roadmap from the beginning.

The deliverable for this step is a Security Performance Measurement and Reporting Strategy that clearly outlines the Key Performance Indicators for security and the tracking mechanisms and reporting processes that will be utilized.


CSOs and CIOs are working more closely than ever to strategically mitigate risk and secure the enterprise. The greatest impact of information security events is on revenue, and it is imperative that CIOs develop both an investment and a mitigation strategy and present the case in a financial framework. By following a structured process like the one outlined in this paper, CIOs are able to tell a financial story and become well positioned to receive funding and ultimately execute the required security initiatives.

To recap the steps: first, define your asset valuation. Next, identify the types of threats and their qualitative impact. Then assess each threat's impact on revenue sources, shareholder valuation and operations. Prepare a Mitigation Strategy with both a strategic and a tactical component to mitigate risk and achieve a return on your security investment. Last, implement security performance measurement and reporting to track and trend the effectiveness of your security investments.

Complete this process and you will be leaps and bounds ahead of the average CIO, having built a solid security investment and mitigation strategy and bridged the technology-finance chasm.

Edward Schenk, CISSP is Information Security Practice Director at ThruPoint, Inc.
