New metric could help IT build business case for security investment

Security and data protection are consistently under-funded and under-staffed, according to studies by the Ponemon Institute.

This is because any potential investment has to be justified and pass budget approval hurdles, which typically require IT managers to show a return on investment (ROI).

But ROI is difficult to use in relation to information security because it does not address intrinsic benefits of investments that go beyond cost savings and revenue.

Instead, Ponemon suggests businesses adopt a new metric that takes into account the real benefit of technologies, controls and governance practices aimed at preventing or mitigating cyber attacks, human error and system weaknesses.

The institute has developed a formula to calculate this alternative metric to ROI, dubbed return on prevention (ROP).

"We believe our ROP model can help make it easier for IT and IT security practitioners to make the business case for acquiring enabling security technologies and related control activities," said Larry Ponemon, chairman and founder of the Ponemon Institute.

The ROP also includes the cost associated with deploying the security technology or control practice throughout the enterprise.

This means "plug-and-play" technologies and practices will achieve a higher ROP than those that require more resources to roll out.

Anti-virus and anti-malware scored the highest ROP out of 25 security technologies, according to a Ponemon poll of more than 400 IT security managers in the UK.

This was followed by endpoint security systems, web application firewalls and policy enforcement tools, according to the survey report.

Code review tools, access governance systems and log management systems scored the lowest, mainly because of their relatively high cost to acquire and roll out.

A low ROP does not mean that a technology or control practice is ineffective, but that it is expensive relative to other comparable technologies and practices, the report said.

The highest scoring control activities were training of users, training and certification of security staff, and having security policies and procedures in place.

The highest-scoring governance features were the appointment of a chief information security officer (CISO), segregation of duties for IT and security operations, and using metrics to define security objectives.