The real economics of security

The Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) have just published a guide, “The Financial Management of Cyber Risk: An Implementation Framework for CFOs”. It’s the latest in a series of attempts to advise enterprises on how to justify expenditure on information security.

It contains good advice, such as the need to focus more on the human factor. It also contains misguided advice, such as suggesting that a security budget can be based on annual loss expectancy. And it contains some downright bad advice, such as recommending that enterprises outsource the management of a crisis. It reads as though it’s been assembled by researchers with limited experience of managing a contemporary security function, drawing extensively on published surveys, articles and methodologies rather than on insightful case studies and tips of the trade.

The unfortunate reality is that we can’t calculate the cost of future security incidents. We can make a stab at estimating some of the cost of past events (though the information is hard to collect). But in today’s fast-changing business, technology and security environments, no organisation has the knowledge required to assess the probability or impact of a future security incident. 

We can draw on figures from industry surveys (such as the average cost of a data breach), but many factors are not scalable or applicable to other businesses. There are differences between enterprises in the impact of a breach on lost sales, the cost of remedial action and the effectiveness of crisis management. These surveys can indicate general industry trends in the cost of security incidents, but not the likely damage to a particular business.

Investing in security to reduce future losses is primarily a leap of faith. We can provide evidence of past costs and current trends to support a business case, but we should never treat this evidence as more than an educated guess. That, however, should not be a showstopper. Many aspects of business, such as the success of a new product or an advertising campaign, cannot be reliably predicted. But that doesn’t stop firms from investing in them.

Most executive board members prefer to take decisions on the basis of sensible advice from an experienced expert who can be held to account, rather than a set of statistics. Estimated loss figures can be used to support business decisions, but they should not be used to determine them. A return on investment is possible with many security investments, but it cannot be reliably measured nor guaranteed. Regulatory compliance, however, is a perfectly acceptable investment appraisal criterion, and there’s enough of that around to ensure appropriate investment. 

1 comment

In David Scott’s words, everyone needs to be a mini-Security Officer in the modern organization today. I think Mr. Scott is right: Most individuals and organizations enjoy Security largely as a matter of luck. Anyone else here reading I.T. WARS? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS – check out a couple links down and read the interview with the author David Scott at Boston’s Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium). For some free insight, check out his blog, “The Business-Technology Weave” – you can Google to it, or search on the site IT Knowledge Exchange which hosts it. Great stuff.