I've noticed an increasing level of interest by both academics and practitioners in the financial aspects of security. There are probably two sources for this phenomenon. One is the difficulty that security managers encounter when justifying the business case for their spending plans, which encourages them to look outside their organization for a better method. The other is the response by academics, who become excited when they unearth new (though rather obvious) economic characteristics of security, such as the fact that the party who creates a security risk might not be the party who suffers the damage from its impact. And findings such as this will generate further interest as they offer the potential to transform a business problem into a wider societal or public policy issue. The end result is an unprecedented wave of interest in researching and debating the "economics of security".
Now I'm sure that many interesting models, methods and policy recommendations will emerge from this newfound line of research. So I'm all for it, though I do suspect that there might be more interesting and fruitful alternative lines of security research. My main concern is that we don't reinvent the wheel, because bean-counters have for many years been devising investment appraisal models to measure the ROI on difficult and dodgy investments, and business managers have long been struggling with difficult business cases, frequently based on uncertain, unmeasurable and unknowable data. So there's really nothing new here.
I keep being told by academics that security is a particularly difficult business case because of the lack of hard supporting data and the fact that it often requires long-term investment in infrastructure with uncertain returns. I don't buy this. Many routine business investments have these characteristics. Whether it's a new product launch, a new plant, a new acquisition or an investment in CRM or business intelligence software, they all represent a leap of faith, with no guaranteed returns.
At least with security we can point to a sizable body of supporting incident data. And we can play the regulatory compliance card. So perhaps it's not that hard after all to justify security. In fact, that could explain why we've actually seen unprecedented growth in security investment over the last two decades.