Slashdot Mirror

← Back to Stories (view on slashdot.org)

How to Measure Security ROI?

Posted by Cliff on from the difficult-metrics dept.

UM_Maverick asks: "Does anybody out there have any experience measuring Return on Investment for security-related expenditures? For example, if management says that there's $1 million left in the budget, and you can either implement a new customer tracking system that is projected to save $300k per year, or implement a new security technology or process, how do you measure the return on the security spend, and convince them that it's at least worth considering? Googling for 'Measuring Security ROI' seems to just produce a list of articles that say 'Measuring security ROI is difficult.' Does anybody have some more direct experience or information?"

3 of 64 comments (clear)

  1. Proving a negative by mlts · · Score: 4, Insightful

    Measuring security ROI is proving a negative. Because stuff is not being broken into and information is not being stolen, the company is "saving" money by not losing money and gaining bad press.

    Your benchmarks are what type of security issues you do encounter and how they are handled. For example, if a security package catches would-be intruders, that can be shown as a sort of ROI (as the package prevented X dollars of loss.) Another example is the cost of whole disk encryption. Having a laptop that is protected by WDE get lost, one could state that the encryption software (assuming its properly deployed, proper password and/or security token policies set, etc.) saved the company the loss of the data on the laptop.

    Probably the best bet in proving ROI is how many, what type of, and the cost of, the breaches and incidents one had before a policy/software/infrastructure went into place versus afterwards.

  2. Risk math by theonetruekeebler · · Score: 4, Informative
    Here's a gross oversimplification:

    The cost of a security breach is measured as the probability of an incident multiplied by the cost of the incident. Both numbers can be calculated surprisingly well, or at least made to sound plausible. Security software will reduce the probability of an incident. Calculate the difference. If it exceeds the cost implementing security, it's a good thing.

    This is a basic formula used for all types of data security, including backup and disaster planning.

    --
    This is not my sandwich.
  3. Re:Risk math: Not Math by jofny · · Score: 4, Insightful

    You can't measure the probability of something getting broken into. There are a million ways to calculate it and all of them come down to making up a number in your head. Realistically, "vulnerability" (ie, probability of getting hacked) is a null value. Ignore it. Weight your data, whether it can be replaced, the cost to the business if it's compromised (unauth disclosure, corruption of the data, or denial of access). Then threat model how you could do any of those things to your most valuable data and where, your next most valuable data class, etc....mitigate from there. Also calculate reputation value. A really outstanding good ROI for security has nothing to do with numbers: It's called "I didnt end up on CNN or Slashdot today".