Return on Security Investment

Is it possible to demonstrate a return on investment for our security efforts? This is an aspect of security of particular interest to me, and something I weigh heavily when thinking about policy and how best to mitigate risk.

One particular challenge is balancing the need to ensure that the business meets all of its regulatory requirements and customer expectations around the protection of data against the pressure to manage costs.

There are a number of aspects to the problem. Firstly, there is a lack of “empirical probabilistic risk data” with which to assess the real probability of various attacks occurring; secondly, the ROI benefits that security vendors claim for their products are often tenuous and misleading. So, as one researcher has put it, we usually end up making defensive decisions based on “heuristics and experience”, and another has stated that the use of financial tools for calculating information security ROI is “highly suspect, often misleading and inaccurate.”

We therefore end up with no real way of measuring the profitability, or otherwise, of our security investments.

The problem comes to life in the real world. Recently I was involved in preparing a business proposal for a new project. The discussion about how best to present potential cost-saving benefits from a security perspective was stumped when it was realised that this could not reasonably be argued; however, there was no doubting that the project was a necessary one for a number of other reasons. Eventually the supporting narrative centred around “lowering the cost of compliance” as opposed to actually saving any real money.

What we really need is a business-friendly way of assessing security investments. A paper entitled “A model for evaluating IT security investments” is available and can be downloaded from the ACM Digital Library at. If you are interested in this subject then I thoroughly recommend it. One of its core principles is that investment in security increases the ability of an organisation to survive security breach incidents. What is interesting about this model is that it takes into account the “hacker’s expected payoff” using game theory, with the hacker and the organisation as the opposing players. The description states that the hacker’s payoff (from hacking) depends on the “likelihood he or she will be caught.” I would modify this to some degree, because anecdotal evidence from multiple sources is that hackers are increasingly motivated by the financial gain that can be achieved from breaching private data. The organisation’s payoff from security investment depends upon the degree of hacking it is subjected to and whether or not confidential data is breached as a result.

I’ll write more on this subject over the coming months, as well as raising the question of how much security incidents really cost.