Hewlett-Packard's Trusted Security Laboratory in Bristol are conducting a joint industry and academic study with financial services firm Merrill Lynch to create a mathematical model for measuring the business value of IT security.
An initial six-month "Trust Economics" feasibility study demonstrated that a mathematical model could be used to measure business risk. It concluded that well-managed security could save a business operating in-house or outsourced utility-based IT services 20% on operating costs.
David Pym, scientist at HP Research and a professor of logic and computation at Bristol University, said businesses could save money by running several applications on the same server securely.
The study - conducted in conjunction with the universities of Bath and Newcastle and University College London - used the mathematical model to evaluate the cost and benefit of implementing automated security systems compared with implementing a security policy change across a company.
Mathematical models of IT security economics have been produced in the past, but unlike HP's Trust Economics, in which Merrill Lynch participated, most have been hypothetical.
Robert Coles, head of information security and privacy at Merrill Lynch, said, "We looked at a way of evaluating the trade-offs between persuading people to undertake security controls versus using technology to implement improved security controls."
He said the modelling techniques developed in the study could help Merrill Lynch improve the cost-effectiveness of security and minimise the business impact of implementing new security controls.
Paul Dorey, director of digital security at oil company BP, welcomed the research. "The evergreen challenge of information security is deciding how much to spend on protection and where to spend it.
"An experienced security professional will always use a mix of different security approaches to tackle a problem, because point solutions are rarely effective. Research that better informs the choices to make is a good thing indeed."