What makes the concept of Return on Investment (ROI) attractive to many security executives and practitioners is centered on delivering proof of value for our various programs, which is heightened by the competition for limited resources to support them. Management seeks to maximize the benefit of its investments and the security literature is replete with a variety of models purporting to demonstrate an approach with demonstrated effectiveness, most in the IT security space where the benefits can be more readily machine-measured. The ROI of well-executed background investigations, and risk assessments that uncover exploitable vulnerabilities, are obvious to experienced security executives, but challenge the clarity of a revenue-enhancing business process with a ROI of 200 percent in 12 months.
I read with interest the many articles that periodically emerge on the definitive ROI model for corporate security and I found an interesting article entitled, “Return on Security Investment (ROSI) - A Practical Quantitative Model” (Journal of Research and Practice in Information Technology, Vol. 38, No. 1, February 2006, page 46). The authors lay out a simple equation for determining return on security investment (ROSI) is as follows:
Risk Exposure % Risk Mitigated - Solution Cost / Solution Cost
Their exploration of this potential model is interesting, as it tends to underscore the problem with the various models we can find in the literature. Consider their comments:
Let’s see how this equation works by looking at the ROI profile for a virus scanner. ViriCorp has gotten viruses before. It estimates that the average cost in damages and lost productivity due to a virus infection is $25,000. Currently, ViriCorp gets four of these viruses per year. ViriCorp expects to catch at least three of the four viruses per year by implementing a $25,000 virus scanner.
The virus scanner appears to be worth the investment, but only because we’re assuming that the cost of a disaster is $25,000, that the scanner will catch 75 percent of the viruses and that the cost of the scanner is truly $25,000. In reality, none of these numbers are likely to be very accurate. What if three of the four viruses cost $5,000 in damages but one costs $85,000? The average cost is still $25,000. Which one of those four viruses is going to get past the scanner? If it’s a $5,000 one, the ROSI increases to nearly 300 percent – but if it’s the expensive one, the ROSI becomes negative!
Coming up with meaningful values for the factors in the ROSI equation is no simple task. At the time of writing, there is no “standard” model for determining the financial risk associated with security incidents. Likewise, there are also no standardized methods for determining the risk mitigating effectiveness of security solutions. Even methods for figuring out the cost of solutions can vary greatly. Some only include hardware, software and service costs, while others factor in internal costs, including indirect overhead and long-term impacts on productivity.
So, here we are eight years later with a long recession hopefully in the rear view mirror. At least from what I’ve seen across the industry from these challenging times, there wasn’t a lot of building of ROI or ROSI models to determine how security costs should be approached. But there were repeated mandates from CFOs to simply achieve double-digit reduction in expenses.
It sort of makes you wonder how we approach the quest for finding value.
George Campbell is emeritus faculty of the Security Executive Council (SEC) and former CSO of Fidelity Investments. His book, Measures and Metrics in Corporate Security, may be purchased at www.SecurityExecutiveCouncil.com. The SEC draws on the knowledge of security practitioners, experts and strategic partners to help other security leaders initiate, enhance or innovate security programs and build leadership skills.