Slashdot Mirror


How to Measure Security ROI?

UM_Maverick asks: "Does anybody out there have any experience measuring Return on Investment for security-related expenditures? For example, if management says that there's $1 million left in the budget, and you can either implement a new customer tracking system that is projected to save $300k per year, or implement a new security technology or process, how do you measure the return on the security spend, and convince them that it's at least worth considering? Googling for 'Measuring Security ROI' seems to just produce a list of articles that say 'Measuring security ROI is difficult.' Does anybody have some more direct experience or information?"

4 of 64 comments

  1. One way of doing things by hesaigo999ca · · Score: 1, Interesting

    At night come into the office and take out the server and steal any other info ....lock it up in some office where the boss won't look. When everyone arrives for work the next day and can't work due to the fact there is a missing server, and the police are being involved talking about taking all sorts of equipment for forensics evidence, then pipe up and say that THIS WAS A DRILL...and let everyone go back on about their business. Once you are faced by the boss to explain your actions....just say that had this been the real thing....25 employees would have been without work and still gotten paid... take their salary per day * 25 * how many days you think it would have taken to get everything back rolling again with a new server and new configs, and new passwords for everyone....this will be the total you should ask towards getting a better security system in place....including cameras for the server room, a utility software (VMware???) made to replace images of machines that were stolen from backups kept elsewhere, plus a utility to update all user accounts including admins with new passwords and maybe even something to help secure the machines into place ( bolted down )

    Guaranteed this will work to get your point across, possibly cost you a week suspension...but worth it in the end to show how far you are willing to go for your security!

  2. Potential cost of breach by JoeCommodore · · Score: 2, Interesting

    I guess I would give the PHB a potential cost of what breaches could happen and an analysis of your situation and what measures need to be done to prevent it.

    i.e. If you are running a business that keeps SSNs, bank data or some other sensitive data you would factor in the cost of how many customers times how much it would cost if their personal information were compromised. If you are in design/manufacturing, you could factor in R&D/loss of contract costs if designs were taken, etc. (not to mention press coverage and effects on future customers and the stock market for public companies.)

    Also get any stories of breaches to a similar IT installation to show example that there is an issue.

    It's not really an 'investment' as much as a reduction of liability; if the potential liability is less than the cost of the security it is a hard sell. But most likely it will be a fraction of the potential liability without it, and even if you do get a breach after the security update it looks a whole lot better to clients, the public and the press if you show a track record for keeping your security up to date.

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
  3. Better search term... by RudeDude · · Score: 2, Interesting

    "Risk analysis" is a formal approach to what you are talking about.
    To a lesser extent "Decision Science" and "Influence Diagram" are also attempts at tackling this type of problem.

    Google scholar will turn up many papers in this area and I know that my school (University of Virginia in the Systems and Information Engineering department) has some active research in "Cyber Security" and related security planning.
    http://www.sys.virginia.edu/risk/

    --
    RudeDude
    Perl/Linux/PHP hacker
  4. Re:Actuarial data by Stormcrow309 · · Score: 2, Interesting

    There is a way to get a concept of the chance of a successful intrusion. There are actuaries that do create this data. Gartner may be able to provide a good benchmark, as can some industry associations. Heck, insurance companies probably are collecting good data to get a predictor.

    I paid Gartner for a research paper to justify the purchase of one SAN solution over another. The second solution went TU a year later. I have met the guys who write the reports. They are pretty smart guys.

    --

    In God we trust, all others require data.
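The quantitative approach that JoeCommodore (comment 2) and Stormcrow309 (comment 4) sketch is usually written down as annualized loss expectancy (ALE = annual rate of occurrence × single loss expectancy) and return on security investment (ROSI = (avoided loss − control cost) / control cost). The script below is an added example, not code from the thread or from any poster; it builds the single-loss figures the way the comments describe (records × cost per record for a data breach, employees × daily pay × days of downtime for a stolen server), takes the annual rate from whatever actuarial or industry data you can get, and then ranks candidate controls by ROSI. Every number in it is a constructed placeholder, and the scenario and control names are assumptions, not benchmarks.

```python
"""ALE / ROSI model for comparing security spend against its avoided loss.

Added example (not from the Slashdot thread). All figures are constructed
placeholders; replace them with your own records, rates and quotes.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Scenario:
    """A loss scenario: expected occurrences per year (ARO) and the cost of
    one occurrence (SLE). ARO is the number you get from actuarial or
    industry data; SLE is what you can defend to the business."""
    name: str
    annual_rate: float
    single_loss: float

    def ale(self) -> float:
        """Annualized loss expectancy for this scenario."""
        return self.annual_rate * self.single_loss


@dataclass(frozen=True)
class Control:
    """A candidate security measure with its yearly cost and the fraction
    by which it cuts a scenario's rate or impact (0 = no effect, 1 = removes)."""
    name: str
    annual_cost: float
    rate_reduction: dict = field(default_factory=dict)    # scenario -> fraction of ARO removed
    impact_reduction: dict = field(default_factory=dict)  # scenario -> fraction of SLE removed


def breach_sle(records: int, cost_per_record: float, fixed_cost: float = 0.0) -> float:
    """Cost of one data breach: customers x per-record cost, plus fixed
    incident costs (notification, legal, PR)."""
    return records * cost_per_record + fixed_cost


def downtime_sle(employees: int, salary_per_day: float, days: float) -> float:
    """Cost of one outage: idle staff still being paid while systems are rebuilt."""
    return employees * salary_per_day * days


def total_ale(scenarios) -> float:
    return sum(s.ale() for s in scenarios)


def apply_control(scenarios, control: Control):
    """Return the scenario list as it would look with the control in place."""
    adjusted = []
    for s in scenarios:
        r = control.rate_reduction.get(s.name, 0.0)
        i = control.impact_reduction.get(s.name, 0.0)
        adjusted.append(Scenario(s.name, s.annual_rate * (1.0 - r), s.single_loss * (1.0 - i)))
    return adjusted


def evaluate(scenarios, control: Control) -> dict:
    """Avoided loss, net annual benefit and ROSI for one control.
    A negative net benefit is the 'hard sell' case: the control costs more
    per year than the expected loss it removes."""
    before = total_ale(scenarios)
    after = total_ale(apply_control(scenarios, control))
    avoided = before - after
    net = avoided - control.annual_cost
    return {"control": control.name, "avoided_loss": avoided,
            "net_benefit": net, "rosi": net / control.annual_cost}


def rank_controls(scenarios, controls):
    """Controls sorted best-first by ROSI, so the net benefit can be compared
    directly with any non-security project's projected yearly savings."""
    return sorted((evaluate(scenarios, c) for c in controls),
                  key=lambda r: r["rosi"], reverse=True)


# Constructed sample data (placeholders, not real figures).
SCENARIOS = [
    Scenario("customer data breach", annual_rate=0.05,
             single_loss=breach_sle(records=50_000, cost_per_record=100.0, fixed_cost=250_000.0)),
    Scenario("server theft / outage", annual_rate=0.2,
             single_loss=downtime_sle(employees=25, salary_per_day=400.0, days=5)),
    Scenario("design documents stolen", annual_rate=0.02, single_loss=2_000_000.0),
]

CONTROLS = [
    Control("encryption at rest + DLP", annual_cost=120_000.0,
            rate_reduction={"design documents stolen": 0.5},
            impact_reduction={"customer data breach": 0.6}),
    Control("server-room cameras and rack locks", annual_cost=15_000.0,
            rate_reduction={"server theft / outage": 0.8}),
]

if __name__ == "__main__":
    print(f"current expected annual loss: ${total_ale(SCENARIOS):,.0f}")
    for r in rank_controls(SCENARIOS, CONTROLS):
        print(f"{r['control']:40s} avoided ${r['avoided_loss']:>10,.0f}  "
              f"net ${r['net_benefit']:>10,.0f}  ROSI {r['rosi']:+.0%}")
```

With the placeholder numbers the first control removes about $177k of expected yearly loss for $120k, while the second costs more than the $8k of loss it avoids and comes out negative. The net-benefit column is the figure to put beside the $300k-per-year customer tracking project from the original question; the weak point of the whole exercise is always the `annual_rate`, which is why the thread's advice to get actuarial or industry data matters more than the arithmetic.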