Hewlett-Packard to evaluate value of IT security with mathematical model


Hewlett-Packard to evaluate value of IT security with mathematical model

Cliff Saran

Hewlett-Packard's Trusted Security Laboratory in Bristol are conducting a joint industry and academic study with financial services firm Merrill Lynch to create a mathematical model for measuring the business value of IT security.

An initial six-month "Trust Economics" feasibility study demonstrated that a mathematical model could be used to measure business risk. It concluded that well-managed security could save a business operating in-house or outsourced utility-based IT services 20% on operating costs.

David Pym, scientist at HP Research and a professor of logic and computation at Bristol University, said businesses could save money by running several applications on the same server securely.

The study - conducted in conjunction with the universities of Bath and Newcastle and University College London - used the mathematical model to evaluate the cost and benefit of implementing automated security systems compared with implementing a security policy change across a company.

Mathematical models of IT security economics have been produced in the past, but unlike HP's Trust Economics, in which Merrill Lynch participated, most have been hypothetical.

Robert Coles, head of information security and privacy at Merrill Lynch, said, "We looked at a way of evaluating the trade-offs between persuading people to undertake security controls versus using technology to implement improved security controls."

He said the modelling techniques developed in the study could help Merrill Lynch improve the cost-­effectiveness of security and minimise the business impact of implementing new security controls.

Paul Dorey, director of digital security at oil company BP, welcomed the research. "The evergreen challenge of information security is deciding how much to spend on protection and where to spend it.

"An experienced security professional will always use a mix of different security approaches to tackle a problem, because point solutions are rarely effective. Research that better informs the choices to make is a good thing indeed."

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy