Weighing the Cost of Security Measures Against Potential Losses

By Russell D. Vines
Posted in Security
On February 08, 2012

One major obstacle to a company’s adoption of information systems security best practices is often the apparent lack of ROI, the visible return on investment from developing secure processes or acquiring security-specific hardware and software. Unlike a tangible piece of hardware or a software upgrade, security processes are often seen by employees as interfering with their ability to get their jobs done.

But losses due to a lack of security due diligence are tangible and quantifiable, and a properly focused security investment can also yield productivity gains. Calculating the effect on your business of the loss of goodwill, lawsuits and fines, intellectual property loss, etc., is a fundamental step in determining the overall cost benefit of an enterprise-wide security plan.

In security management, this cost versus benefit analysis is a very important process. The need for, or value of, a particular security control must be weighed against its impact or resource allocation drain and its usefulness. Making the financial case to upper management for various security controls is a very important part of a security manager’s function.

Many complicated risk analysis procedures can be used to determine the cost vs. benefit of implementing a security process or control, but most of them boil down to these three steps:

  1. Determine the value of company assets that would be affected by a security loss or breach
  2. Analyze potential threats to the assets and the likelihood of those threats
  3. Estimate the potential monetary loss to the company by quantifying the loss

Several criteria come into play when determining the value of an asset. An asset can be any resource, process, product, computing infrastructure, and so forth that has value to an organization and that the organization has determined must be protected. The loss of the asset could intangibly affect confidentiality, integrity, or availability, or it could have a tangible dollar value. It could also affect the ability of an organization to continue in business. The value of an asset is composed of all of the elements that are related to that asset: its creation, development, support, replacement, public credibility, considered costs, and ownership values.

In security terms, the presence of any potential event that causes an undesirable impact on the organization is called a threat. A threat differs from a vulnerability, in that a vulnerability is defined as a weakness in a system that allows the threat to be realized. Some threat sources that may need to be considered when determining the effectiveness of a security control include:

  • Utility failure, service outage, natural disasters, or neighboring hazards
  • Unauthorized or uncontrolled system access (lack of separation of duties), misuse of technology by authorized users, tampering by disgruntled employees, or falsified data input
  • Physical destruction or vandalism, the theft of assets or information, organized insider theft
  • Hardware or equipment failure, program errors, operating system flaws, or a communications system failure
  • External threats to the computing systems, such as malicious code and key loggers

Several methods can be employed to determine the likelihood and result of these threats being realized, ranging from a simple cost/benefit matrix to engaging in a full-scale risk assessment, including trade-off analysis, risk assessment (quantitative risk analysis and qualitative risk analysis), or business impact assessment.
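The three steps listed earlier, worked as a simple cost/benefit matrix (an added example, not part of the original article). It uses the standard quantitative form, expected annual loss = asset value × fraction lost per incident × incidents per year; every asset, rate, dollar figure and control name below is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    asset: str
    threat: str
    asset_value: float      # step 1: dollar value of the affected asset
    exposure: float         # fraction of that value lost per incident (0..1)
    rate: float             # step 2: expected incidents per year, no control
    control: str
    control_cost: float     # annualized cost of the proposed control
    residual_rate: float    # expected incidents per year with the control

def annual_loss(asset_value, exposure, rate):
    """Step 3: expected yearly loss = loss per incident x incidents per year."""
    return asset_value * exposure * rate

def evaluate(s):
    before = annual_loss(s.asset_value, s.exposure, s.rate)
    after = annual_loss(s.asset_value, s.exposure, s.residual_rate)
    # A control pays for itself only if the loss it avoids exceeds its cost.
    net = (before - after) - s.control_cost
    return {"control": s.control, "loss_before": before,
            "loss_after": after, "net_benefit": net, "justified": net > 0}

def cost_benefit_matrix(scenarios):
    """Rank proposed controls by net yearly benefit, best first."""
    return sorted((evaluate(s) for s in scenarios),
                  key=lambda r: r["net_benefit"], reverse=True)

# Constructed sample data (not real figures).
SCENARIOS = [
    Scenario("Customer database", "theft of information",
             500_000, 0.40, 0.25, "storage encryption", 15_000, 0.05),
    Scenario("Order server", "hardware failure",
             80_000, 0.50, 0.50, "redundant standby server", 30_000, 0.10),
    Scenario("Workstations", "malicious code",
             120_000, 0.10, 2.0, "endpoint protection", 9_000, 0.5),
]

if __name__ == "__main__":
    for r in cost_benefit_matrix(SCENARIOS):
        verdict = "justified" if r["justified"] else "costs more than it saves"
        print(f'{r["control"]:26} before ${r["loss_before"]:>9,.0f}  '
              f'after ${r["loss_after"]:>9,.0f}  '
              f'net ${r["net_benefit"]:>10,.0f}  {verdict}')
```

The standby server row shows the case the article warns about: a control whose cost exceeds the loss it prevents is a net drain, however sound it is technically.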

Including these concepts in any discussion of secure processes will help management understand how security ROI protects investment, which is what really matters most.