The real economics of security

The Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) have just published a guide “The Financial Management of Cyber Risk: An Implementation Framework for CFOs“. It’s the latest in a series of attempts to advise enterprises on how to justify expenditure on information security.

It contains good advice, such as the need to focus more on the human factor. It also contains misguided advice, such as suggesting that a security budget can be based on annual loss expectancy. And it contains some downright bad advice, such as recommending that enterprises outsource the management of a crisis. It reads as though it’s been assembled by researchers with limited experience of managing a contemporary security function, extensively quoting from published surveys, articles and methodologies, more than insightful case studies and tips of the trade.   

The unfortunate reality is that we can’t calculate the cost of future security incidents. We can make a stab at estimating some of the cost of past events (though the information is hard to collect). But in today’s fast-changing business, technology and security environments, no organisation has the knowledge required to assess the probability or impact of a future security incident. 

We can draw on figures from industry surveys (such as the average cost of a data breach) but many factors are not scalable or applicable to other businesses. There are differences between enterprise in the impact of a breach on lost sales, the cost of remedial action and the effectiveness of crisis management. These surveys can indicate general industry trends in the cost of security incidents, but not the likely damage to a particular business. 

Investing in security to reduce future losses is primarily a leap of faith. We can provide evidence of past costs and current trends to support a business case, but we should never treat this evidence is more than an educated guess. That, however, should not be a showstopper. Many aspects of business, such as the success of a new product or an advertising campaign cannot be reliably predicted. But it doesn’t stop firms investing in them.

Most executive board members prefer to take decisions on the basis of sensible advice from an experienced expert who can be held to account, rather than a set of statistics. Estimated loss figures can be used to support business decisions, but they should not be used to determine them. A return on investment is possible with many security investments, but it cannot be reliably measured nor guaranteed. Regulatory compliance, however, is a perfectly acceptable investment appraisal criterion, and there’s enough of that around to ensure appropriate investment.