Saturday, December 18, 2004

Return on Information Security Investment

HOW MUCH IS ENOUGH? HOW MUCH IS TOO MUCH!

http://www.geocities.com/amz/ gives the answer

My new website will help the information security practitioner assess the costs required to implement information security in an organisation and the returns that are obtained from such an investment. The research will be used in an MBA dissertation that is currently in progress.

If you are interested in this subject area, write back to mailto:amz@yahoo.com?subject=ROISI. I have compiled an extensive compendium of links on security, return on information security investment and related topics.

To help with the research, kindly fill in the questionnaire; it will take only 2 minutes of your time. You will also receive a FREE PDF chart with an analysis of your current information security expenditure programme. You may want to review the organisational model before completing the questionnaire.

Introduction and Rationale

As more and more organisations seek electronic ways of doing business, in particular by connecting to the Internet, they are recognising the need to do so securely. According to Scalet (2002), information security is an increasingly high-profile problem, as attackers take advantage of the fact that organisations are opening parts of their systems to employees, customers and other businesses via the Internet.

More recently, Cachia & Micallef (2004), in their ongoing research, conclude that security is the attribute online shoppers perceive as most important when conducting e-commerce transactions. Surveys such as Briney (2001) and Briney & Prince (2002) make it evident that tight IT budgets allow only a minimal subset of information security products and systems to be deployed, so spending must be prioritised in accordance with business objectives.

To date, little is known about what that minimal subset should be, and information security practitioners frequently fall back on a best-practice approach (Liss 2001) to set information security budgets. Such work is more often technically oriented, with little heed paid to the economic aspects (Gordon & Loeb 2002). Although management is usually very attentive to risk management in general, it often takes information security for granted (BSI 2004) and is reluctant to invest in it (Foster & Pacl 2002), except in the exceptional case where the organisation's information system has already been compromised.

Money spent on procedures may achieve the same security level as money spent on security products, at lower cost; this can yield cost savings (Witty & Malik 2001) and other benefits, such as acting as a business enabler (Liikanen 2004), while maintaining the security level the company enjoys. Calculating the return on security investment (ROSI) need not be done in monetary terms, as in Berinato (2002); it can also be analysed with techniques such as the balanced scorecard (Hunt & Symons 2003). Depending on the results obtained, the business will then be in a position to understand whether it is under-spending or over-spending on information security.
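To make the monetary form of the ROSI calculation concrete, the following is an added worked example, not code from the original post or from the dissertation it describes. It uses the annualised-loss-expectancy (ALE) form of ROSI that the cited Berinato (2002) and Karofsky (2001) articles popularised, ROSI = (ALE × mitigation − cost) / cost, and applies the Gordon & Loeb (2002) result that optimal security spending should not exceed 1/e (roughly 37%) of the expected loss it defends against as an over-spending check. The threat figures, control names, costs and mitigation fractions are constructed for illustration and are not survey data.

```python
"""ALE / ROSI worked example (added illustration, not from the original post).

All figures below are constructed.  ROSI follows the ALE-based formula of
the Berinato (2002) / Karofsky (2001) articles cited on this page; the 1/e
ceiling is the Gordon & Loeb (2002) result that optimal investment should
not exceed about 36.8% of the expected loss being protected against.
"""
from dataclasses import dataclass
from math import e


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # single loss expectancy: cost of one incident
    aro: float  # annualised rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annualised loss expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # purchase, rollout and operation, amortised per year
    mitigation: float   # fraction of the threat's ALE the control removes (0..1)


def rosi(threat: Threat, control: Control) -> float:
    """ROSI = (ALE x mitigation - cost) / cost; > 0 means the control pays for itself."""
    if not 0.0 <= control.mitigation <= 1.0:
        raise ValueError("mitigation must be a fraction between 0 and 1")
    if control.annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    avoided_loss = threat.ale * control.mitigation
    return (avoided_loss - control.annual_cost) / control.annual_cost


def break_even_mitigation(threat: Threat, control: Control) -> float:
    """Smallest mitigation fraction at which the control stops losing money."""
    return control.annual_cost / threat.ale


def gordon_loeb_ceiling(expected_loss: float) -> float:
    """Gordon & Loeb (2002): spend no more than 1/e of the loss you defend against."""
    return expected_loss / e


def assess(threat: Threat, controls: list[Control]) -> list[tuple[str, float, str]]:
    """Rank candidate controls by ROSI and flag over-spending or negative return."""
    ceiling = gordon_loeb_ceiling(threat.ale)
    results = []
    for c in controls:
        r = rosi(threat, c)
        if c.annual_cost > ceiling:
            verdict = "over-spending (exceeds Gordon-Loeb ceiling)"
        elif r < 0:
            verdict = "negative return"
        else:
            verdict = "justified"
        results.append((c.name, r, verdict))
    return sorted(results, key=lambda t: t[1], reverse=True)


# Constructed figures for a hypothetical online shop; not real survey data.
THREAT = Threat("customer-database breach", sle=200_000.0, aro=0.25)  # ALE = 50 000
CONTROLS = [
    Control("secure coding procedures + reviews", annual_cost=5_000.0, mitigation=0.5),
    Control("web application firewall", annual_cost=12_000.0, mitigation=0.6),
    Control("24x7 outsourced SOC", annual_cost=36_000.0, mitigation=0.9),
    Control("enterprise DLP suite", annual_cost=15_000.0, mitigation=0.2),
]

if __name__ == "__main__":
    print(f"ALE for {THREAT.name}: {THREAT.ale:,.0f}")
    print(f"Gordon-Loeb ceiling: {gordon_loeb_ceiling(THREAT.ale):,.0f}")
    for name, r, verdict in assess(THREAT, CONTROLS):
        print(f"{name:40s} ROSI={r:+.2f}  {verdict}")
```

With these constructed numbers the cheap procedural control ranks first (ROSI 4.0), which is the point made above about procedures versus products, while the SOC is flagged as over-spending even though its ROSI is positive, because its cost exceeds 1/e of the loss it protects against. The break-even mitigation is the figure to ask a vendor for: a 12,000-per-year product against a 50,000 ALE must remove at least 24% of that loss before it returns anything.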

References

Bahadur, G. 2003, Developing Security Risk Metrics, Available: [http://www.foundstone.com/resources/downloads/webcast-121903/Developing_Security_Risk_Metrics.pdf] (18 April 2004).

Berinato, S. 2002, Finally, a Real Return on Security Spending, Available: [http://www.cio.com/archive/021502/security.html] (16 April 2004).

Briney, A. 2001, '2001 Industry Survey', Information Security, pp. 34-47.

Briney, A. & Prince, F. 2002, '2002 ISM Survey', Information Security, pp. 36-54.

BSI 2004, BSI - Short Information on Current Topics of IT Security, Available: [http://www.bsi.bund.de/english/fb/F30image_en.pdf] (17 April 2004).

Cachia, E. & Micallef, M. 2004, Towards Effectively Appraising Online Stores, Available: [http://www.cs.um.edu.mt/~csaw/Proceedings/00.pdf] (25 September 2004).

Foster, S. & Pacl, B. 2002, Analysis of Return on Investment for Information Security.

Gordon, L. A. & Loeb, M. P. 2002, 'The Economics of Information Security Investment', ACM Transactions on Information and System Security, vol. 5, no. 4, pp. 438-457.

Hunt, S. & Symons, C. 2003, Aligning Security with the Business: The Balanced Scorecard, Available: [http://www.csoonline.com/analyst/report816.html].

Karofsky, E. 2001, 'Return on Security Investment: Calculating the Security Investment Equation', Secure Business Quarterly, vol. 1, no. 2.

Liikanen, E. 2004, 'European Network Security', in CEBIT, 2004 edn, Hannover.

Liss, S. 2001, 'Practical Aspects of Information Security', InfoGroup NorthWest.

Scalet, S. D. 2002, Glossary, Security and Privacy Research Center, Available: [http://www.cio.com/research/security/edit/glossary.html] (18 April 2004).

Soo Hoo, K. J. 2000, 'How Much Is Enough? A Risk-Management Approach to Computer Security', Consortium for Research on Information Security and Policy (CRISP).

Witty, R. & Malik, W. 2001, 'Security TCO Model Helps with More than Cost Savings', Gartner FirstTake, no. FT-13-9070.
