Cost Avoidance versus Return on Investment, a SOX Security perspective

Security has been and will continue to be an overhead expense for all organizations, as are payroll and other administrative tasks that are required to keep an organization running. The question that seems to pop up every few months in the security industry is: what is the value of all the security work that takes place within an organization? Organizations want to see what the Return on Investment (ROI) is for the security budget that is currently used or expected to be used in the future. Establishing an ROI is a very difficult task. After all, if the security team is doing its job, the organization will likely not see a measurable impact from security problems.

Although several projects are under way to determine what the ROI on security is, none of them has effectively or simply defined what the ROI is for security. You can find more information on this subject by performing a simple Internet search on “Security ROI.” The best approach is not trying to determine the ROI for security, but rather to determine the benefit of cost avoidance provided by the security work accomplished, and what ROI that can provide.

Determining the benefit of cost avoidance is based on a simplified formula for Annual Loss Expectancy (ALE). Simply stated: how much loss can be expected from a single type of security incident each year? Once you have the ALE for a possible security incident, you can ask how much mitigating that incident saves the organization. The three factors that need to be defined to determine the ALE are the cost of the incident, the probability of occurrence, and the percentage of resultant mitigation, which can be mathematically expressed as

Incident Cost × (Probability × Mitigation) = Annual Loss Expectancy

Consider the impact of worms and viruses over the last few years. To give an overly simplified example of how calculating such an impact works, we consider a virus outbreak in an organization. We assume that for your organization a single virus infection costs one million dollars in resources to clean up and restore operations. We also assume that the organization has historical evidence showing that the probability of a virus infection is 35 percent per year. If you installed up-to-date antivirus software at an annual licensing cost of $75,000, and did so before the virus or worm outbreak in the organization, you could expect to have mitigated about 50 percent of the chance of the security incident occurring. The resultant calculation would then be as follows:

Incident Cost × (Probability × Mitigation) = Annual Loss Expectancy
$1,000,000 × (0.35 × 0.5) = $1,000,000 × 0.175 = $175,000

Based on the ALE of $175,000 for a virus outbreak within the organization, we can determine a simple ROI for the security mitigation of installation of antivirus software. With the previously defined value of $75,000 annually for the software license, we can show the organization a security ROI of $100,000 by implementing this mitigation strategy because the cost of mitigation is less than the cost of the loss. Many other factors could be defined by each organization to tailor the cost of mitigation to fit its business model; this example was simplified to get you thinking about how security ROI could be determined for management. [IT Security Interviews Exposed, Chris Butler 2007]
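The calculation above, carried through in code as an added example (not from the book or the post): it applies the ALE formula exactly as stated on this page, derives the cost-avoidance ROI and the break-even spend for a control, and generalizes to ranking several candidate controls against the same incident. The antivirus figures are the page's; the other two controls are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate mitigation: what it costs per year and what share of the incident probability it removes."""
    name: str
    annual_cost: float
    mitigation: float  # fraction in 0..1, e.g. 0.5 = "mitigates about 50 percent of the chance"


def annual_loss_expectancy(incident_cost: float, probability: float, mitigation: float) -> float:
    """ALE as this page defines it: Incident Cost x (Probability x Mitigation), rounded to cents."""
    for name, value in (("probability", probability), ("mitigation", mitigation)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be a fraction between 0 and 1, got {value}")
    if incident_cost < 0:
        raise ValueError("incident_cost cannot be negative")
    return round(incident_cost * (probability * mitigation), 2)


def cost_avoidance_roi(incident_cost: float, probability: float, control: Control) -> float:
    """Security ROI as the page computes it: avoided loss (ALE) minus what the control costs per year.
    Negative means the control costs more than the loss it is expected to avoid."""
    ale = annual_loss_expectancy(incident_cost, probability, control.mitigation)
    return round(ale - control.annual_cost, 2)


def break_even_cost(incident_cost: float, probability: float, mitigation: float) -> float:
    """Largest annual spend on a control at which it still pays for itself (ROI >= 0)."""
    return annual_loss_expectancy(incident_cost, probability, mitigation)


def rank_controls(incident_cost: float, probability: float, controls: list[Control]) -> list[tuple[str, float]]:
    """Order candidate controls by cost-avoidance ROI, best first, so management sees where the budget goes furthest."""
    scored = [(c.name, cost_avoidance_roi(incident_cost, probability, c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # Figures from the page: $1,000,000 per infection, 35 percent annual probability, antivirus at $75,000/yr.
    incident_cost, probability = 1_000_000, 0.35
    antivirus = Control("Antivirus", annual_cost=75_000, mitigation=0.5)
    print("ALE:", annual_loss_expectancy(incident_cost, probability, antivirus.mitigation))  # 175000.0
    print("ROI:", cost_avoidance_roi(incident_cost, probability, antivirus))  # 100000.0
    # Constructed alternatives (sample values, not from the page) to show the ranking step.
    candidates = [antivirus, Control("Email filtering", 30_000, 0.2), Control("Endpoint hardening", 200_000, 0.6)]
    for name, roi in rank_controls(incident_cost, probability, candidates):
        print(f"{name:20s} ROI: {roi:>12,.2f}")
```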
