Slashdot Mirror


How to Measure Security ROI?

UM_Maverick asks: "Does anybody out there have any experience measuring Return on Investment for security-related expenditures? For example, if management says that there's $1 million left in the budget, and you can either implement a new customer tracking system that is projected to save $300k per year, or implement a new security technology or process, how do you measure the return on the security spend, and convince them that it's at least worth considering? Googling for 'Measuring Security ROI' seems to just produce a list of articles that say 'Measuring security ROI is difficult.' Does anybody have some more direct experience or information?"

7 of 64 comments

  1. Instead of a lump sum... by Creepy+Crawler · · Score: 2, Insightful

    Why not grow it within your infrastructure?

    If you buy a "$1 million" security infrastructure, you WILL miss something. Instead, build the security from the ground up, paired with each node.

    If you have to "pay for it now", you're already too late.

  2. Potential Damage by frieza79 · · Score: 3, Insightful

    I would start with figuring out what it would cost to fix broken systems, downtime, etc.

    Then you can at least put a price on not being secure, and let management make a somewhat informed decision.

  3. Proving a negative by mlts · · Score: 4, Insightful

    Measuring security ROI is proving a negative. Because stuff is not being broken into and information is not being stolen, the company is "saving" money by not losing money and gaining bad press.

    Your benchmarks are what type of security issues you do encounter and how they are handled. For example, if a security package catches would-be intruders, that can be shown as a sort of ROI (as the package prevented X dollars of loss). Another example is the cost of whole disk encryption. If a laptop that is protected by WDE gets lost, one could state that the encryption software (assuming it's properly deployed, proper password and/or security token policies set, etc.) saved the company the loss of the data on the laptop.

    Probably the best bet in proving ROI is how many, what type of, and the cost of, the breaches and incidents one had before a policy/software/infrastructure went into place versus afterwards.

  4. Re:One way of doing things by MarcoAtWork · · Score: 3, Insightful

    "possibly cost you a week suspension"
    I don't like judging people by their posts, but what you write makes me wonder if you're still in high school: in the real world something like the above could net you either a written warning or, more likely, a pink slip, if not being sued for the amount of money that was lost during your 'drill' (which, if this was a financial institution, could be quite large).

    In any case, if you worked for me and pulled a stunt like that I'd be starting to look for your replacement asap: I pay you to do your job, not to prevent other people from doing theirs.
    --
    -- the cake is a lie
  5. Re:Risk math: Not Math by jofny · · Score: 4, Insightful

    You can't measure the probability of something getting broken into. There are a million ways to calculate it and all of them come down to making up a number in your head. Realistically, "vulnerability" (i.e., probability of getting hacked) is a null value. Ignore it. Weight your data, whether it can be replaced, the cost to the business if it's compromised (unauth disclosure, corruption of the data, or denial of access). Then threat model how you could do any of those things to your most valuable data and where, your next most valuable data class, etc.... mitigate from there. Also calculate reputation value. A really outstanding good ROI for security has nothing to do with numbers: It's called "I didn't end up on CNN or Slashdot today".

  6. Think Risk Management not ROI by mophab · · Score: 2, Insightful

    You are never going to get money back from security investments; you are limiting losses.
    That puts you into Risk Management analysis, not Return on Investment.
    Think of it like going without insurance, worker injury prevention, or other loss prevention/mitigation.

  7. Shortcut - just reach behind by JimmytheGeek · · Score: 2, Insightful

    But you get smelly fingers. You can't calculate the probability of a breach because you can't enumerate the threats or the vulnerabilities. How many unpublished zero-days are there for the stuff in your environment? How many hours of unplanned outages will you have this year? Consequently you are just pulling a number out of your ass. I agree you can get some good numbers for the cost of a breach. Not the probability. So you are evaluating a cost times a guess.

    There is no security ROI. It is loss-avoidance. It is insurance.
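The two lines of argument in the thread (comment 3's "measure incidents before versus after the control went in" and comments 5 and 7's "you are evaluating a cost times a guess") can both be put into arithmetic that a practitioner can hand to management. The following is an added example written for this page, not code posted by any commenter; the incident log, the control cost and the loss figures are constructed, hypothetical numbers. Rather than defending a single guessed breach probability, it reports the break-even probability at which the control pays for itself and the net benefit across a range of guesses, so the guess is shown for what it is.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    year: int
    kind: str
    cost: float  # direct cost in dollars: cleanup, downtime, notification, replacement


# Constructed sample incident log (hypothetical figures, not from any real organisation).
# Whole-disk encryption (WDE) is assumed to have gone in at the start of 2007, after
# which a lost laptop costs only the hardware rather than a data-loss incident.
INCIDENTS = [
    Incident(2005, "laptop lost", 120_000),
    Incident(2005, "malware cleanup", 40_000),
    Incident(2006, "laptop lost", 95_000),
    Incident(2007, "laptop lost", 8_000),
    Incident(2007, "malware cleanup", 35_000),
    Incident(2008, "malware cleanup", 30_000),
]


def before_after(incidents, years, deployed_year, kind, control_cost_per_year):
    """Average annual loss of one incident kind before and after a control went in.

    `years` is the whole observation window, so years with zero incidents still count
    toward the average. Returns the per-year figures and the net benefit, i.e. the
    annual loss reduction minus what the control costs per year.
    """
    before_years = [y for y in years if y < deployed_year]
    after_years = [y for y in years if y >= deployed_year]
    if not before_years or not after_years:
        raise ValueError("need at least one observed year on each side of deployment")
    loss_before = sum(i.cost for i in incidents if i.kind == kind and i.year in before_years)
    loss_after = sum(i.cost for i in incidents if i.kind == kind and i.year in after_years)
    avg_before = loss_before / len(before_years)
    avg_after = loss_after / len(after_years)
    return {
        "avg_loss_before": avg_before,
        "avg_loss_after": avg_after,
        "annual_reduction": avg_before - avg_after,
        "net_benefit_per_year": avg_before - avg_after - control_cost_per_year,
    }


def break_even_probability(control_cost_per_year, loss_if_breached, effectiveness=1.0):
    """Annual breach probability at which the control exactly pays for itself.

    Expected loss avoided per year is p * loss * effectiveness. Setting that equal to
    the control's annual cost and solving for p gives the threshold; the question for
    management becomes "do you believe the real probability is above or below this?".
    `effectiveness` is the assumed fraction of breaches the control actually stops.
    """
    if not 0 < effectiveness <= 1:
        raise ValueError("effectiveness must be in (0, 1]")
    if loss_if_breached <= 0:
        raise ValueError("loss must be positive")
    return control_cost_per_year / (loss_if_breached * effectiveness)


def expected_net_benefit(p, control_cost_per_year, loss_if_breached, effectiveness=1.0):
    """Expected annual loss avoided minus the control's annual cost, for one guessed p."""
    return p * loss_if_breached * effectiveness - control_cost_per_year


def sensitivity(control_cost_per_year, loss_if_breached, probabilities, effectiveness=1.0):
    """Net benefit for each probability guess, so the answer is a range, not one number."""
    return {
        p: expected_net_benefit(p, control_cost_per_year, loss_if_breached, effectiveness)
        for p in probabilities
    }


if __name__ == "__main__":
    # Before/after view: WDE assumed to cost $25k/year (hypothetical).
    wde = before_after(INCIDENTS, range(2005, 2009), 2007, "laptop lost", 25_000)
    for key, value in wde.items():
        print(f"{key:>22}: ${value:,.0f}")
    # Cost-times-a-guess view: $250k loss if breached, control stops 90% of cases.
    p_be = break_even_probability(25_000, 250_000, effectiveness=0.9)
    print(f"break-even annual breach probability: {p_be:.3f}")
    for p, net in sensitivity(25_000, 250_000, [0.02, 0.05, 0.1, 0.2, 0.5], 0.9).items():
        print(f"p={p:.2f}: expected net benefit ${net:,.0f}")
```

The before/after comparison only works where there is an incident history for that class of loss; for events that have never happened, the break-even figure is the more honest thing to show, since it makes the probability guess explicit instead of hiding it inside a single ROI number.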