• Contingency Planning: A business unit owning a critical business process must be able to reliably estimate the financial impact of downtime; that is the key element of business continuity planning managed by business process owners. A highest-criticality process requiring zero downtime will have data on the expected impact of extended downtime on customer access, production, supply chain and other key measures. Managers need to have good data on the cost of losing various processes on an hourly, daily or more extended basis. In this example, for a $1.2M expenditure, we know the positive results of our response to business interruption incidents in time to restoration of full functionality. We can flip that result and develop impact estimates of $3.6M if our business continuity measures had failed to deliver.
• Information Security: Similarly, the uptime availability of information at various levels of criticality is measured and tracked by the IT organization and often by the impacted business unit as well. Business units can estimate the impact of information compromise or loss of use, whether internal or customer-facing. An example is found in the compromise of customer lists, where the business has to provide fraud detection on each customer’s desktop at $X per month for Y years.
• Protective Operations: We can postulate the impact of penetration of a protected area containing various assets, as well as the potential legal consequences of such scenarios. For example, your legal department can obtain data to gauge the civil judgment history for negligent security or for the failure of a protection system resulting in the loss of a highly valued asset. Here, we show a negative return of $5.7M against an expenditure of $3.4M, which requires some serious assessment of staffing or technology if this is a trend that has persisted over an extended period.
• Investigations: As noted, our incident history or post-mortems record the value of our losses after investigation costs, insurance and replacement, minus the recoveries we are able to specifically assign to those incidents in a given year.
This chart can make a real impression on management’s understanding of security’s value if you develop and present it with careful thought and solid data. Incident post-mortems and a collaborative working relationship with business unit risk management will provide the support for your estimates of impact.
George Campbell is emeritus faculty of the Security Executive Council and former CSO of Fidelity Investments. His book, “Measures and Metrics in Corporate Security” may be purchased through the Security Executive Council Web site, www.securityexecutivecouncil.com/?sourceCode=std. The information in this article is copyrighted by the Security Executive Council and reprinted with permission. All rights reserved. The Security Executive Council is a member organization for senior security and risk executives from corporations and government agencies responsible for corporate and/or IT security programs. In partnership with its research arm, the Security Leadership Research Institute, the Council is dedicated to developing effective tools members can apply in their programs, program documentation and establishing security as a recognized value center.