Hewlett-Packard's Trusted Security
Laboratory in Bristol are conducting a joint industry and academic
study with financial services firm Merrill Lynch to create a mathematical
model for measuring the business value of IT security.
An initial six-month "Trust Economics" feasibility study
demonstrated that a mathematical model could be used to measure
business risk. It concluded that well-managed security could save a
business operating in-house or outsourced utility-based IT services
20% on operating costs.
David Pym, scientist at HP Research and a professor of logic and
computation at
Bristol University, said businesses could save money by running
several applications on the same server securely.
The study - conducted in conjunction with the universities of
Bath and Newcastle and
University College London - used the mathematical model to
evaluate the cost and benefit of implementing automated security
systems compared with implementing a security policy change across
a company.
Mathematical models of IT security economics have been produced
in the past, but unlike HP's Trust Economics, in which Merrill
Lynch participated, most have been hypothetical.
Robert Coles, head of information security and privacy at
Merrill Lynch, said, "We looked at a way of evaluating the
trade-offs between persuading people to undertake security controls
versus using technology to implement improved security
controls."
He said the modelling techniques developed in the study could
help Merrill Lynch improve the cost-effectiveness of security and
minimise the business impact of implementing new security
controls.
Paul Dorey, director of digital security at oil company
BP, welcomed the research. "The evergreen challenge of
information security is deciding how much to spend on protection
and where to spend it.
"An experienced security professional will always use a mix of
different security approaches to tackle a problem, because point
solutions are rarely effective. Research that better informs the
choices to make is a good thing indeed."