ISACA published an IS AUDITING GUIDELINE on defining and measuring ROI or ROSI (Return on Security Investment). The publication describes several usable equations and starting points for creating a measurement program. Below are my comments on the most important points and some commentary on those provided. This publication, unfortunately, is not the be-all guide, nor does it truly address the reader’s need for a plan for implementing such a valuation program. Any comments beyond the referenced sources for additional starting points would be appreciated.
Establishing Metrics is the first task:
These should be based on events that occur consistently and can be measured. The metrics can reflect the organization’s usage of technology and focus on important aspects of the infrastructure.
Capture information on the existing user experience:
Develop and distribute a survey that pointedly asks the users to grade their experience for specific measurable concerns. An example would be “How often is the mail server unavailable for more than 10 minutes? Daily, Weekly, Monthly”
These surveys provide an indicator of user perception and experience. Data pulled directly from the systems through system-to-system testing and tracking is preferred, but it is better suited to tracking going forward. Surveys allow for immediate data benchmarking and measurement.
The insurance conundrum when measuring value for security products:
Security is a risk management method for loss prevention. Like insurance for your car, it is a cost paid today for an event that may occur for the enterprise in the future. The cost of insurance fluctuates (usually up and rarely down) and roughly follows the trend in risk. If, for instance, an owner moves from a farm to the city, their insurance costs will rise, because there are more occurrences of loss. It is similar in the security world: simply because we have implemented a security solution today, an increase in incidents may still occur. The truth is that the damage would have been worse without the action, but it is still prevention, and looking back in hindsight is never as rosy as we would prefer.
Consider the ideal situation (running a bank): install a super-security application (for example, a security guard) and the logs (the security journal shows no physical bank robbers waving guns) record no incidents. Why keep paying the maintenance cost (the guard’s salary)? Did the super-security tool prevent all the losses, or has the criminal world simply moved away from holding up your bank in person to digital attacks? The answer is that you need both – remove the guard and that becomes the simpler path of attack; add more security and force a more complex attack vector.
Remember – the blackhat hackers / criminals / mob / cartels are calculating their own ROSI, and will only put forth the effort to attack along a path if there is a healthy return. Our motivations are the same, and therefore, as we know our enemy, we can put forth mechanisms of a sufficient degree to achieve a reasonable security posture that respects the value of the assets within and allows continued success as a business.
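To tie the survey metrics above to the insurance conundrum, here is an added worked example (mine, not from the ISACA guideline): it converts the mail-outage survey answers into an annual rate of occurrence, then computes ROSI for a control. It assumes the common annualized-loss form of ROSI (ALE = SLE × ARO; ROSI = (ALE before − ALE after − cost) / cost), and all survey answers, loss figures and costs are constructed.

```python
"""ROSI from survey-derived metrics (added illustration, not the ISACA guideline's text).

Assumed formulas (standard annualized-loss form, not quoted from the guideline):
    ALE  = SLE * ARO
    ROSI = (ALE_before - ALE_after - control_cost) / control_cost
All survey answers, loss figures and costs below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed mapping from the survey's frequency answers to occurrences per year.
FREQUENCY_PER_YEAR = {"Daily": 365, "Weekly": 52, "Monthly": 12, "Never": 0}


def survey_aro(answers):
    """Average the users' frequency answers into an annual rate of occurrence (ARO)."""
    rates = [FREQUENCY_PER_YEAR[a] for a in answers]
    return sum(rates) / len(rates)


@dataclass(frozen=True)
class LossScenario:
    sle: float  # single loss expectancy: cost of one incident
    aro: float  # annual rate of occurrence

    @property
    def ale(self):
        """Annualized loss expectancy."""
        return self.sle * self.aro


def rosi(before: LossScenario, after: LossScenario, control_cost: float):
    """Return on the control, as a fraction of its annual cost (negative = not worth it)."""
    return (before.ale - after.ale - control_cost) / control_cost


# Constructed data: survey on mail outages (>10 min); $1,500 of lost work per outage.
ANSWERS = ["Weekly", "Weekly", "Monthly", "Daily", "Monthly"]
BEFORE = LossScenario(sle=1_500, aro=survey_aro(ANSWERS))
# After a redundant mail setup: outages are now logged, so the *count* rises (the
# "more incidents" effect from the insurance analogy), but each one is short,
# so the per-incident loss drops sharply and the annual loss still falls.
AFTER = LossScenario(sle=150, aro=BEFORE.aro * 1.2)
CONTROL_COST = 60_000  # constructed annual cost of the control

if __name__ == "__main__":
    print(f"ARO from survey: {BEFORE.aro:.1f}/yr, ALE before: ${BEFORE.ale:,.0f}")
    print(f"ALE after: ${AFTER.ale:,.0f}, ROSI: {rosi(BEFORE, AFTER, CONTROL_COST):.0%}")
```

The point the numbers make is the one in the text: incident counts went up after the control, yet ROSI is positive because the loss per incident fell; raise the control's cost enough and the same metrics turn ROSI negative.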