This is the third article in this series on the Methodology of Calculating ROI for IT security
There are three components to the ROI calculation:
1. Identifying actual security risks and translating them into quantifiable business risks.
2. Identifying how to mitigate the security risks, and determining the associated cost.
3. Calculating the ROI as the cost of mitigation expressed as a per cent of the cost of the risk.
This segment describes the third component: how to calculate the ROI as the per cent of the cost of mitigation divided by the cost of risk.
Calculating the ROI
The totals of the cost of risk and the mitigation costs are used in the following formula:
ROI = (mitigation costs divided by the cost of potential risk) multiplied by 100
Or
ROI (%) = (mitigation costs) / (the cost of potential risk) x 100
Sample ROI business case
A company is implementing a new web-based transaction system for its clients to place orders and to enquire about their account balances. The incremental projected profit from the web site is estimated at $5,000 per day.
To minimize the complexity of the networking infrastructure required for the web site to communicate with a back-end database, the web site will be placed inside a DMZ within the corporate network. However, the database server will reside on the corporate network.
The CISO wants to understand the total business impact should a security breach of the new web site actually translate into a security event. She asks the governance committee to identify the potential costs that would arise per occurrence of such an event, relating to four (4) specific subjects:
- Lost profit.
- Inability of other servers on the corporate network to continue operations.
- Damage to corporate and brand reputation.
- Legal consequences.
The governance committee provides the following averaged costs per occurrence of a security event, assuming a two day outage, for the four subjects:
- Lost profit: $10,000
- Inability of other servers on the corporate network to continue operations: $100,000
- Damage to corporate and brand reputation: $800,000
- Legal consequences: $200,000
- Total potential costs: $1,110,000
The CISO then determines that the cost to protect against the increased scope and risk of the infrastructure, over a three-year period, is $50,000 per year.
The CISO then calculates, per occurrence:
ROI = ($50,000 / $1,110,000) x 100%
= 5%
Creating an Ongoing ROI Cost Justification Process
Fundamental to ensuring an ongoing adequate security budget is keeping the executive committee fully engaged in the security process. It is incumbent upon the CIO and CISO to educate their executive peers on the principle that security is an ongoing process, not a one-time event.
As such, as the CISO successfully implements security infrastructure, it is critical that they report on the results in terms of the initial business case used to cost-justify the process. This is accomplished by proving, with a business case, that the investment in security delivered the planned payback.
An evidentiary approach to providing factual proof to the governance committee is to accumulate statistical proof of potential breaches that were avoided. These statistics should be collected from the logs of the security technology, which identify risks that were caught, vulnerabilities that were mitigated, and potential security events that were therefore avoided.
It is recommended to communicate this material in simple graph format, showing:
- The number of incidents ranked by severity plotted against a timeline.
- The resulting potential losses associated with possible incidents, plotted against time.
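The reporting process described above, worked through as an added example that is not part of the article: it implements the article's ROI formula with the figures from the sample business case, then parses a constructed security log (in a hypothetical pipe-delimited format) to count blocked incidents by severity per month and estimate the potential losses avoided. The severity-to-cost weights are an assumption, not figures from the article.

```python
"""Ongoing ROI justification from security-control logs (added example)."""
from datetime import datetime

# Figures from the sample business case in the article
COST_PER_EVENT = 1_110_000        # total potential cost of one security event
ANNUAL_MITIGATION_COST = 50_000   # yearly cost of the protective infrastructure

# Assumption (not from the article): fraction of the full event cost that a
# blocked attempt of each severity would have caused had it succeeded.
SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.25, "medium": 0.05, "low": 0.0}

# Constructed sample log in a hypothetical "timestamp|severity|action|detail" format
SAMPLE_LOG = """\
2024-01-03T10:15:00|critical|blocked|SQL injection attempt against order form
2024-01-17T02:40:00|high|blocked|repeated failed logins from one external address
2024-02-05T14:05:00|medium|blocked|port scan against DMZ web host
2024-02-21T09:30:00|critical|blocked|connection attempt from DMZ host to database server
2024-03-11T23:55:00|low|allowed|scheduled vulnerability scan by internal team
"""

def roi_percent(mitigation_cost, potential_risk_cost):
    """ROI as defined in the article: mitigation cost as a percentage of the cost of risk."""
    return mitigation_cost / potential_risk_cost * 100

def parse_log(text):
    """Parse the constructed log format into (timestamp, severity, action) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, severity, action, _detail = line.split("|", 3)
            events.append((datetime.fromisoformat(ts), severity.lower(), action.lower()))
    return events

def monthly_summary(events):
    """Per month: blocked events counted by severity, plus the potential loss avoided."""
    summary = {}
    for ts, severity, action in events:
        if action != "blocked":
            continue  # only prevented incidents count towards avoided loss
        row = summary.setdefault(ts.strftime("%Y-%m"), {"counts": {}, "avoided_loss": 0.0})
        row["counts"][severity] = row["counts"].get(severity, 0) + 1
        row["avoided_loss"] += COST_PER_EVENT * SEVERITY_WEIGHT.get(severity, 0.0)
    return dict(sorted(summary.items()))

def total_avoided_loss(summary):
    return sum(row["avoided_loss"] for row in summary.values())

if __name__ == "__main__":
    print(f"Business-case ROI: {roi_percent(ANNUAL_MITIGATION_COST, COST_PER_EVENT):.1f}%")
    report = monthly_summary(parse_log(SAMPLE_LOG))
    print(report, f"total avoided ${total_avoided_loss(report):,.0f}")
```

The monthly `counts` map feeds the incidents-by-severity timeline and `avoided_loss` the potential-losses-over-time graph the article recommends; the allowed event in March is deliberately excluded from both.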
My final article in this series will cover outsourcing security monitoring as a cost savings option and a call to action for the entire series.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditor
Tags: IT Security, Return on Investment, ROI, Security Risks