Business today is more globalized, competitive and innovative than ever before. The trends in business internationally and domestically place increasing importance on tighter security. The amount of information security each company should have can be hard to measure, but what is even more difficult to measure is the success of existing security systems or protocols. With most business investments, financial analysts can calculate the projected Rate of Return or Return on Investment (ROI). This is useful for management to evaluate performance and budget for a project or product launch. For security measures, proving value or evaluating performance can be more complicated.
Security measures don’t bring financial rewards like other business ventures or investments; instead of making money, they mitigate risk, protect intellectual property, and save money in the case of a data breach. Calculating just how much money a security system has saved is hard. Therefore, the metrics used in ROI are not practical for investments related to security; it is more appropriate to use Return on Security Investment (ROSI) instead. In order to calculate ROSI, you need strong data collection and analysis tactics, as explained in the five-part series in previous posts.
ROSI can be used to:
- Justify security budgets
- Discover benefits of existing or potential security measures
- Estimate security programs’ worth or value to the company
- Estimate potential risk and exposure
The main differences between ROSI and ROI:
- ROSI takes risk exposure, risk mitigated and cost into the equation, while ROI only uses cost and profit.
- ROSI is difficult to calculate and requires a lot of data analytics for security.
- ROSI calculates loss prevention instead of profit.
- ROSI is an estimate, while ROI is a measurement.
Methods of Calculating ROSI
The figure below is an example of a decision tree where the organization is calculating the possible returns of a new product launch. The possible outcomes are a 30% chance of being good, a 40% chance of being fair and a 30% chance of being poor. Based on this model, the overall projected value of the project would be a positive $1.1 million. While this example is for a prospective product launch, the same method can be used for security investments. The different scenarios could be the chance of having a data breach or a natural disaster, and the cost would be the amount invested in the security program.
Another method of estimating ROSI is the Gordon-Loeb Model, which deals mainly with protecting information. It was created and published by two University of Maryland professors in an attempt to decide how much money should be spent on protecting information. Their model takes “the loss conditioned on a breach occurring, the probability of a threat occurring, and the vulnerability, defined in the model as the probability that a threat once realized (i.e., an attack) would be successful.”
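The model’s pieces as an added worked example in Python (not code from the original post or from Gordon and Loeb): the expected loss L = λ·t, the class-I breach-probability function S(z, v) = v/(αz+1)^β from their paper, the expected net benefit [v − S(z, v)]·L − z, a grid search for the spend that maximises it, and a check against the model’s result that the optimal spend for these function classes never exceeds vL/e. The dollar figures, probabilities and α are constructed assumptions, not values from this post.

```python
from math import e

# Gordon-Loeb inputs: lam = loss conditioned on a breach occurring, t = probability
# a threat occurs, v = vulnerability (probability a realised threat succeeds),
# z = dollars invested in security.  All numeric values used below are constructed.

def expected_loss(lam, t):
    """L = lam * t: expected loss in the period with no additional security spend."""
    return lam * t

def breach_prob_class1(z, v, alpha, beta=1.0):
    """Class-I security breach probability function of the model:
    S(z, v) = v / (alpha*z + 1)**beta, so S(0, v) = v and S falls as spend rises."""
    return v / (alpha * z + 1) ** beta

def loss_prevented(z, v, L, alpha, beta=1.0):
    """Risk mitigated by investing z, in dollars: [v - S(z, v)] * L."""
    return (v - breach_prob_class1(z, v, alpha, beta)) * L

def net_benefit(z, v, L, alpha, beta=1.0):
    """Expected net benefit of the investment: loss prevented minus its cost."""
    return loss_prevented(z, v, L, alpha, beta) - z

def rosi(z, v, L, alpha, beta=1.0):
    """ROSI = (loss prevented - cost) / cost.  Caller must pass z > 0."""
    return net_benefit(z, v, L, alpha, beta) / z

def optimal_spend(v, L, alpha, beta=1.0, step=100.0):
    """Grid search over [0, v*L] for the spend maximising net benefit.
    Spending more than v*L (the most that can be prevented) can never pay back."""
    best_z, best_nb = 0.0, 0.0
    for i in range(int(v * L / step) + 1):
        z = i * step
        nb = net_benefit(z, v, L, alpha, beta)
        if nb > best_nb:
            best_z, best_nb = z, nb
    return best_z, best_nb

def within_one_over_e_bound(z_star, v, L):
    """For the model's two published function classes the optimal spend never
    exceeds v*L/e, i.e. roughly 37% of the expected loss."""
    return z_star <= v * L / e

if __name__ == "__main__":
    LAM, T, V, ALPHA = 2_000_000.0, 0.25, 0.5, 1.6e-5  # constructed example values
    L = expected_loss(LAM, T)                           # 500,000
    z_star, nb = optimal_spend(V, L, ALPHA)             # 62,500 and 62,500
    print(f"L={L:,.0f} z*={z_star:,.0f} net benefit={nb:,.0f} "
          f"ROSI={rosi(z_star, V, L, ALPHA):.0%} z*<=vL/e: {within_one_over_e_bound(z_star, V, L)}")
```

With the constructed inputs the best spend is $62,500, well under the $91,970 (vL/e) ceiling, and it prevents $125,000 of expected loss, a ROSI of 100%; spending the full expected loss would make the investment cost more than it saves.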
The overall goal of having security measures in place is not only to decrease the number of security incidents, but also to decrease the cost of having an incident. Having a method to estimate ROSI can be very useful when trying to convince management to continue or increase security funding. While security processes do not add to revenue, they absolutely affect the bottom line.