Slashdot Mirror

← Back to Stories (view on slashdot.org)

How to Measure Security ROI?

Posted by Cliff on from the difficult-metrics dept.

UM_Maverick asks: "Does anybody out there have any experience measuring Return on Investment for security-related expenditures? For example, if management says that there's $1 million left in the budget, and you can either implement a new customer tracking system that is projected to save $300k per year, or implement a new security technology or process, how do you measure the return on the security spend, and convince them that it's at least worth considering? Googling for 'Measuring Security ROI' seems to just produce a list of articles that say 'Measuring security ROI is difficult.' Does anybody have some more direct experience or information?"

2 of 64 comments (clear)

  1. Risk math by theonetruekeebler · · Score: 4, Informative
    Here's a gross oversimplification:

    The cost of a security breach is measured as the probability of an incident multiplied by the cost of the incident. Both numbers can be calculated surprisingly well, or at least made to sound plausible. Security software will reduce the probability of an incident. Calculate the difference. If it exceeds the cost implementing security, it's a good thing.

    This is a basic formula used for all types of data security, including backup and disaster planning.

    --
    This is not my sandwich.
  2. Security is a Vague Term by 99BottlesOfBeerInMyF · · Score: 3, Informative

    Spending money on "security" can mean a whole lot of different things. What type of security? What are you trying to prevent? I work at a company that produces certain security products, some of which have other applications as well. When you hand the CEO a nice graph of the DDoS attack that you got your ISP to filter for you when you subscribed to their service, show how many hours of downtime it prevented, and how much money went through the online store during that time, proving ROI is fairly easy. Other kinds of security are fuzzier. Stopping worms within your network saved IT X hours of rebuilding PCs and prevented those machines from being down this many hours times the average worker's hourly rate would have been unable to work during that time etc. and you can provide some estimates.

    Before you get to that stage, however, you need to have specific security measures in mind designed to address specific security threats to your business. Some of these measures are easy to justify (need certification to do business with government agency Foo) and some are hard (better passwords make it harder for insiders to steal our customer database and sell it to Russian hackers who then use it causing a publicity problem and resulting lost customers).