Evaluating the return on security investment: Where’s the problem?

I’ve read so many articles that have tried to advise the industry on ways to analyze an organization’s return on security investment (ROSI).

The majority champion the difficulties associated with it and sadly conclude that in fact there is no effective way.

Many believe that demonstrating a ROSI in the enterprise is nigh impossible because there are no metrics that measure the ROSI unless a company is attacked or security is outsourced to a managed security provider. I've always been astounded by this attitude, as to me it appears that the most obvious point has been completely missed: organizations must begin with information risk assessments in order to evaluate the true effectiveness of their ROSI.

Many of us read with interest the publication of the Information Security Breaches Survey 2002 (ISBS 2002) from the U.K. Department of Trade and Industry and learnt that last year 44 percent of U.K. organizations suffered at least one severe security incident that cost on average £30,000. Although the DTI recognized that the appropriate level of information security expenditure clearly depended on an organization's business circumstances, they went on to make the broad recommendation that information security officers (ISOs) allocate between 3-5 percent (rising to 10 percent for high-risk sectors) of their IT budgets to information security. Furthermore ISOs should thoroughly evaluate the ROI of IT security expenditure, as only 30 percent of U.K. businesses were doing so, and of this only 16 percent incorporated this into their normal business processes.

Planning to find the risks

Today information risk is generally viewed in terms of threat, vulnerability and cost. If organizations are performing information risk assessments they are already aware of their risk profile; their threats, ease of exploitation, impact and exposure levels; and have assigned them values and attributed overall costs. Organizations understand that there are levels of 'acceptable' risk associated with trading and are therefore conscious of what risks their organizations are willing to bear. Strategic planning allows them to review the countermeasures and consider the costs, ideally ensuring that these fall either around or beneath the original cost of the risk itself. By monitoring the effectiveness of the solutions deployed they have ensured that the ROI in IT security expenditure at best has been met; at worse is evolving.

While few would argue against the general thrust of the DTI's figures and advice; in today's tough economic climate ISOs need more than ever to be able to justify to their financial directors that the budgets proposed are essential; that business profits will suffer in their absence. Therefore, with severe information security incidents arising daily and the added pressures of developing cost-effective countermeasures, it is rather alarming that more ISOs are not conducting information risk assessments.

Furthermore, when it is widely accepted that organizations only ever purchase information security to mitigate their risks, and with the degree of information security required differing for each organization (as naturally each will encounter different risks), one would have thought it absolutely essential to ascertain what those risks were from the beginning. For if organizations don't know the cost of the information risk itself, how do they know what to spend and if spending whether they are spending too much or too little?

What's the problem with infosec risk analysis?

So why is it taking so long for organizations to buy into the benefits of performing risk assessments in IT security when risk assessments are being executed as a matter of course in every other part of the organization's business? Surely there are more than 16 percent of U.K. organizations managing their businesses astutely, which not only regard information as being key to their business and IT as a business enabler, but also analyze their bottom lines?

Perhaps one reason could be on account of the complexity of the risk assessment itself. Even if ISO's removed the resource issues (time and or staff) surrounding an assessment, they are still faced with the multiple variants of information risk definitions and the complexity of the calculation itself. Also, as information security is being viewed in a short-term manner and treated as an overhead, not as an investment, some ISO's are not adequately versed in information security best practices and have been neither granted the training they need to get up to speed nor allowed the use of external security expertise.

Another reason could be on account of the over enthusiastic IT security vendors, be they reseller or manufacturer. We all acknowledge that the most experienced information security resellers sell on solution, choosing lengthy sales cycle and high-value profits in favor of shorter sales cycles and greater volume low-value deals. Being used to selling on benefits (as opposed to features) they have molded their solution selling techniques to correspond not only to the organization's security needs but to their business needs too. Showing and quantifying where the ROSI lies in the solutions they are presenting has become absolutely fundamental.

Unfortunately though, without the in-depth knowledge of an organization's information security structure or access to their information risk assessment, for some resellers this has been a difficult obstacle to overcome. The result has lead to the writing and subsequent publication of many articles that have perpetuated the myth of the difficulties in either calculating the ROSI or assessing the effectiveness of IT security expenditure, not as one would have hoped: a closer collaboration between the two parties to ensure that information risk assessments were adopted as the first step to mitigate information risk.

Using holistic solutions

I read recently about an IT manufacturer that had developed a security ROI selling toolkit to help internal IT and security vendors quantify their security purchases. Although the toolkit did not make specific product recommendations, it did offer a variety of components that IT buyers could use to quantify ROSI. These included: a white paper that helped teach the buying criteria of security and how security purchases could be justified; a Windows-based sales tool that helped security vendors build their business cases and included metrics for implementation, risk mitigation, ROI, TCO (total cost of ownership) and more; an e-learning course that taught vendors and IT professionals how to demonstrate the value of IT security from a financial value perspective; and an ROI calculator that laid out the economic benefits of a particular purchase. Although the tool did sound interesting it is questionable whether the value of the product and ones like it are misplaced.

Unfortunately when solutions like these are presented from this direction they are still perpetuating a totally irresponsible attitude to information security and information risk management. ISO's need to be better educated in ROSI but this will only come about when information security is tackled holistically by the IT vendor, and methodologically applied from the ground up, not from the outside-in.

So the problem in evaluating the ROI in IT security expenditure need not be difficult provided organizations perform information risk assessments from the outset. By doing this their risks have been established and they know what solutions they need to counter the effects; they have evaluated the cost of the risk so they can ascertain what to spend on IT security. Organizations need only assess whether the solutions they have purchased have achieved the objective and mitigated the risk to confirm whether the return on IT security expenditure has indeed been met.

Jane Frankland is managing director with Corsaire, a network security solutions specialist (

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.