
August 03, 2007


Kenneth F. Belva

Hi John,

I agree with you that information security is about risk management. In fact, the subtitle to my blog is "A Corporate InfoSec Risk Management Perspective."

The main issue in debate was whether or not it is even possible for information security to have an ROI. It was not, as inferred from your post, what is the best perspective to take on understanding how to make information security decisions.

There are many camps that say, "Absolutely not: information security cannot have an ROI!"

Based on Dr. Gordon's email, taking such an extreme position is not justified since an ROI may be calculated, despite known problems.


John S. Quarterman

Hi Ken,

Yes, I referred to the debate in my first sentence.

And I explicitly agreed with your inference from Dr. Gordon's mail.

However, I think it best to take every opportunity to remind people that thinking in terms of near-term dollars is missing the main point, which is that security isn't the same as production or sales or finance, and information security, especially with the Internet, does go well into risk management, which is about things that don't necessarily add up in neat columns on a spreadsheet.

An additional point I didn't mention is that appealing to authority to definitively end an argument is a risky tactic. That way lies "my authority is more legitimate than yours" or more likeable, or more connected, or whatever. Risk management needs to be about looking at the big picture and weighing near and long term possibilities and risks and means to manage them.

Better, I think, is to use the argument to show people why they're arguing about the wrong thing, and need to look up.

This is related to another discussion ongoing in many venues: how should information security relate to the rest of the corporation? As Iang remarked recently, maybe the CSO should get an MBA:


One thing the CSO might learn then is that shutting down a conversation often fails to convince potential political allies to support the result, even if it's the right result.


Iang (on ROI in security...)

I cover this on my blog. The reason ROI/NPV is difficult in security tools is not because of the cost center / profit center distinction, but because of GIGO (garbage in, garbage out) in security.

People misunderstand the tool as being something that tells you something by and of itself. No such; what the tool is about is calculating a number that can be compared to other numbers calculated in the same way. It's a tool for calculating a standard metric that is more meaningful in comparison to the NPV calculated for other projects.
