Security ROI: Possible, but Not the Main Point

Many people have argued about wondered whether information security can have a computed Return on Investment (ROI). The man who co-wrote the book on ROI, Managing Cybersecurity Resources: A Cost-Benefit Analysis says yes, it's possible, but in general, "maximizing the ROI (or IRR [real economic rate of return]) is, in general, not an appropriate economic objective." What, then?

Rather than trying to derive the ROI of security investments, a much better strategy is to work on the related issues of deriving an optimal (or at least desirable) level of information security investments and the best way to allocate such investments. This strategy is the focus of the Gordon-Loeb Model (for a brief summary of the focus of this model, and a link to the actual paper, go to: (http://www.rhsmith.umd.edu/faculty/lgordon/Gordon%20Loeb%20Model%20cybersecurity.htm

— Email from Dr. Lawrence Gordon: Security ROI possible but not optimal, use other metrics, Posted by Kenneth F. Belva, bloginfosec.com, 18 July 2007

Belva reads the recommended paper and finds it to say:

The Gordon-Loeb Model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set’s vulnerability. In other words, organizations may derive a higher return on their security activities by investing in cyber/information security activities that are directed at improving the security of information sets with a medium level of vulnerability.

From which Belva concludes that "we do understand Information Security to have a return." Well, yes.

But it seems to me the main point is that trying to emulate a common CFO practice of justifying expenditures by ROI isn't appropriate for information security, which isn't about directly producing income or directly saving money. Information security is (or should be) a form of risk management.

Also, while the cited paper is no doubt correct that investing in protecting medium vulnerabilities may produce a higher rate of return in the near term, because more of those will be exploited, nonetheless it would be prudent to do something about unlikely yet high risk of loss vulnerabilities. And that something is probably not just applying traditional technical security measures, which won't stop fires, hurricanes, floods, or a net-wide zero-day exploit. The even more traditional measure of insurance would be appropriate, plus other methods of pooling risk, along with software and hardware diversity. These things also have a return on investment, but it's rather indirect, in terms such as ability to list on big stock exchanges (now, London, soon, New York), customer comfort, and greater agility and resilience of the technical workforce.

-jsq

PS: Seen on Emergent Chaos.

Comments

Hi John,

I agree with you that information security about risk management. In fact, the subtitle to my blog is "A Corporate InfoSec Risk Management Perspective."

The main issue in debate was whether or not it is even possible for information security to have an ROI. It was not, as inferred from your post, what is the best perspective to take on understanding how to make information security decisions.

There are many camps that say, "Absolutely not: information security cannot have an ROI!"

Based on Dr. Gordon's email, taking such an extreme position is not justified since an ROI may be calculated, despite known problems.

Sincerely,
Ken
http://www.bloginfosec.com

Posted by: Kenneth F. Belva | August 05, 2007 at 09:30 AM

Hi Ken,

Yes, I referred to the debate in my first sentence.

And I explicitly agreed with your inference from Dr. Gordon's mail.

However, I think it best to take every opportunity to remind people that thinking in terms of near-term dollars is missing the main point, which is that security isn't the same as production or sales or finance, and information security, especially with the Internet, does go well into risk management, which is about things that don't necessarily add up in neat columns on a spreadsheet.

An additional point I didn't mention is that appealing to authority to definitively end an argument is a risky tactic. That way lies "my authority is more legitimate than yours" or more likeable, or more connected, or whatever. Risk management needs to be about looking at the big picture and weighing near and long term possibilities and risksa and means to manage them.

Better, I think, is to use the argument to show people why they're arguing about the wrong thing, and need to look up.

This is related to another discussion ongoing in many venues: how should information security relate to the rest of the corporation? As Iang remarked recently, maybe the CSO should get an MBA:

http://riskman.typepad.com/perilocity/2007/07/security-execut.html

One thing the CSO might learn then is that shutting down a conversation often fails to convince potential political allies to support the result, even if it's the right result.

-jsq

Posted by: John S. Quarterman | August 05, 2007 at 09:55 AM

I cover this on my blog. The reason ROI/NPV is difficult in security tools is not because of the cost center / profit center distinction, but because of GIGO (garbage in, garbage out) in security.

People misunderstand the tool as being something that tells you something by and of itself. No such; what the tool is about is calculating a number that can be compared to other numbers calculated in the same way. It's a tool for calculating a standard metric that is more meaningful in comparison to the NPV calculated for other projects.

Posted by: Iang (on ROI in security...) | August 05, 2007 at 04:57 PM