This week’s blog is Part 3 of a five-part series.
I think that too often security people try to “fix” every security problem. That is neither realistic nor required. Often it is sufficient to identify security risks and problems to management and get them to decide how they want to deal with them.
But the operative phrase is “decide how they want to deal with them.”
Calculating the Cost of Mitigation
Security professionals are well acquainted with determining the costs of mitigation. Senior executives sometimes think they are too, based on the advertisements they have read for anti-virus and firewall products.
The danger is that it is too easy for everyone concerned to focus on technology as the primary mitigation for security and compliance risk. That mitigation must reach well beyond technology is documented in standards published by industry experts such as the NIST 800 series (3), ISACA COBIT (4), the PCI Security Standards (5), and NERC CIP-002 through CIP-009 (6).
Mitigation steps worth considering include:
1. Re-engineering processes, both technological and people processes.
2. Policy, for people and for technology.
3. Technical security.
4. Physical security.
5. People processes.
6. Training and awareness.
7. Third-party auditing to verify the effectiveness of all of the above.
From an IT Security Governance perspective the optimal cost point for mitigation is where the sum of the cost of risk and the cost of mitigation is lowest: spend less and too much exposure remains, spend more and each additional dollar buys less risk reduction than it costs. This point can be determined graphically, as in Exhibit 3 – Optimal Cost Point for Mitigation.
Exhibit 3 – Optimal Cost Point for Mitigation (3). This exhibit cannot be shown in the blog, but you can see it in a whitepaper on the ERE web site, www.ere-security.ca.
Once mitigation costs are determined, it is important to make clear to the IT Security Governance committee that mitigation only goes so far, and that some residual risk remains even after the mitigation budget is spent. Residual risk can be expressed as the cost of risk that remains after mitigation is implemented, that is, the post-mitigation chance of the event occurring multiplied by its cost. As shown in Exhibit 4 – Mitigation Cost vs. Chance of Event Occurrence, expenditure on mitigation reduces, but does not eliminate, the cost of exposure to risk.
Exhibit 4 – Mitigation Cost vs. % Chance of Event Occurrence. This exhibit cannot be shown in the blog, but you can see it in a whitepaper on the ERE web site, www.ere-security.ca.
The IT Security Governance Committee may decide to deal with residual risk by:
1. Accepting the risk.
2. Transferring the risk (for example, through insurance).
3. Further mitigation.
Calculating Return on Security Investment (ROSI) (7)
Once the total cost of security mitigation is determined, including any cost of managing residual risk (insurance premiums, for instance), it is straightforward to calculate the return on security investment, as follows:
ROSI = cost of mitigation / cost of risk
Note that, as written, this is a cost ratio: a result below 1 means the mitigation costs less than the exposure it addresses, and lower is better. The form more commonly cited in the ROSI literature expresses the same inputs as a return, ROSI = (reduction in cost of risk − cost of mitigation) / cost of mitigation, where higher is better. Whichever form the committee prefers, use it consistently.
When calculating ROSI it is important to allocate mitigation costs on a pro-rated basis across all the costs of risk to which they apply: a control such as staff training that reduces several exposures should not be charged wholly to one of them. In this way ROSI can be calculated more accurately and evaluated by each profit and loss manager and associated stakeholder.
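The three calculations above (residual risk after mitigation, the optimal cost point of Exhibit 3, and ROSI with mitigation costs pro-rated across the risks they cover) fit together in one small model. The following is an added example, not code from the post or from ERE; the risks, owners, dollar figures and the “reductions” parameter (the fraction of an event’s probability a control removes, with independent controls assumed to compound) are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, Iterable, List, Tuple

# Added example, not the author's own model. All figures below are constructed.
# Assumption: a control's "reduction" is the fraction of an event's annual
# probability it removes, and independent controls compound multiplicatively.


@dataclass
class Risk:
    name: str
    owner: str           # P&L manager who carries this exposure
    probability: float   # annual chance of the event occurring, before mitigation
    impact: float        # cost to the business if the event occurs

    def cost_of_risk(self) -> float:
        """Expected annual cost of the exposure (probability x impact)."""
        return self.probability * self.impact


@dataclass
class Mitigation:
    name: str
    cost: float
    reductions: Dict[str, float] = field(default_factory=dict)  # risk name -> fraction removed


def residual_cost(risk: Risk, mitigations: Iterable[Mitigation]) -> float:
    """Cost of risk that remains once the given controls are in place."""
    p = risk.probability
    for m in mitigations:
        p *= 1.0 - m.reductions.get(risk.name, 0.0)
    return p * risk.impact


def allocate_costs(risks: List[Risk], mitigations: Iterable[Mitigation]) -> Dict[str, float]:
    """Pro-rate each control's cost across the risks it addresses, weighted by each
    risk's pre-mitigation cost of risk, so every owner is charged only their share."""
    by_name = {r.name: r for r in risks}
    allocated = {r.name: 0.0 for r in risks}
    for m in mitigations:
        covered = [by_name[n] for n in m.reductions if n in by_name]
        exposure = sum(r.cost_of_risk() for r in covered)
        if exposure == 0:        # nothing to weight against: skip rather than divide by zero
            continue
        for r in covered:
            allocated[r.name] += m.cost * r.cost_of_risk() / exposure
    return allocated


def rosi_table(risks: List[Risk], mitigations: List[Mitigation]) -> Dict[str, dict]:
    """Per-risk figures: the post's ratio (mitigation cost / cost of risk, lower is
    better) and the conventional ROSI ((risk reduction - cost) / cost, higher is better)."""
    allocated = allocate_costs(risks, mitigations)
    table = {}
    for r in risks:
        before, after, spend = r.cost_of_risk(), residual_cost(r, mitigations), allocated[r.name]
        table[r.name] = {
            "owner": r.owner,
            "cost_of_risk": before,
            "residual_risk": after,
            "allocated_mitigation": spend,
            "cost_ratio": spend / before if before else float("inf"),
            "rosi": (before - after - spend) / spend if spend else float("inf"),
        }
    return table


def optimal_spend(risks: List[Risk], options: List[Mitigation]) -> Tuple[List[str], float]:
    """Exhibit 3 as a search: try every combination of controls and return the set
    whose total of mitigation cost plus residual cost of risk is lowest."""
    best_names, best_total = [], float("inf")
    for k in range(len(options) + 1):
        for chosen in combinations(options, k):
            total = sum(m.cost for m in chosen) + sum(residual_cost(r, chosen) for r in risks)
            if total < best_total:
                best_names, best_total = [m.name for m in chosen], total
    return best_names, best_total


# Constructed sample register: three exposures owned by two P&L managers.
RISKS = [
    Risk("Customer DB breach", "Retail", probability=0.20, impact=500_000),
    Risk("POS outage", "Retail", probability=0.50, impact=40_000),
    Risk("Payroll fraud", "Corporate", probability=0.10, impact=150_000),
]
MITIGATIONS = [
    Mitigation("DB encryption and key management", 30_000, {"Customer DB breach": 0.60}),
    Mitigation("Staff security awareness training", 8_000, {"Customer DB breach": 0.25, "Payroll fraud": 0.50}),
    Mitigation("POS redundancy", 25_000, {"POS outage": 0.80}),
]

if __name__ == "__main__":
    for name, row in rosi_table(RISKS, MITIGATIONS).items():
        print(f"{name:20s} {row['owner']:10s} risk {row['cost_of_risk']:>9,.0f} "
              f"residual {row['residual_risk']:>8,.0f} spend {row['allocated_mitigation']:>9,.0f} "
              f"ratio {row['cost_ratio']:.2f} rosi {row['rosi']:+.2f}")
    print("optimal set:", optimal_spend(RISKS, MITIGATIONS))
```

With these constructed figures the training cost is split roughly 87/13 between the breach and payroll exposures, so the Corporate manager sees a ratio well below 1 for payroll fraud, while POS redundancy shows a ratio of 1.25 (and a negative conventional ROSI) because it costs more than the exposure it removes. The exhaustive search agrees: the lowest total cost, 95,500, comes from implementing encryption and training but not POS redundancy, leaving a residual risk the committee must then accept, transfer or mitigate further.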
The next blog will deal with figuring out whether the cost of mitigation was worth it!
Have a secure week.
Regards, Ron Lepofsky, B.A.Sc. (Mech Eng), CISSP
ERE Information Security and Privacy Compliance Auditor
www.ere-security.ca
Tags: Cost of IT Security Compliance, Information Security, IT Security, Risk of IT Security Compliance
I really like it when people express their opinions and thoughts, so I like the way you are writing.
You have to express your opinion more to attract more readers, because just a video or plain text without any personal approach is not that valuable. But that is just my point of view.