Return On Security Investment (ROSI)
The Return On Security Investment
Making the case for a company to include various computer security measures can be a difficult task. There are many reasons for this; primary among them are the difficulty of gauging the financial losses caused by security breaches and the ephemeral nature of many benefits that security systems bring to a company’s computer network. IT staff who seek to have different types of security protocols put into use within a company, then, often face an uphill battle in demonstrating their necessity. In these sorts of cases, using a Return On Security Investment calculation can be the most effective way of evaluating existing security measures and the potential need for additional ones.
Put simply, a Return On Security Investment calculation is a traditional ROI (Return On Investment) equation that applies specifically to security investments. Thus, ROSI stands for Return On Security Investment. A Return On Security Investment equation can be used to quantify the feasibility — and the advisability — of instituting a particular kind of security measure.
The Return On Security Investment equation is as follows:
Return On Security Investment = ((Risk Exposure * %Risk Mitigated) - Solution Cost) / Solution Cost
The benefit (Risk Exposure * %Risk Mitigated) minus the Solution Cost is divided by the Solution Cost, giving the return as a fraction of what was spent. This equation, like many others, is deceptively simple. The reality, though, is that determining the parts that make it up can be extremely difficult at best.
For example, let’s take a look at the “Risk Exposure” portion of the Return On Security Investment equation. In basic terms, this refers to the security breaches and risks that a company’s computer system might be exposed to. It can include things such as intentional attacks by hackers and the inadvertent download of various computer viruses, adware, spyware and other common online pests. Unlike many risks considered by a traditional ROI equation, the risk exposure used in a Return On Security Investment equation is not a static entity. Rather, the risks that a company’s computer system faces can fluctuate weekly, daily — and even hourly.
At the same time, measuring the percentage of risk mitigated by a security measure is also difficult. As this article will outline, none of the components of a Return On Security Investment equation are easy to determine; even measuring the cost of a security solution can fall into many gray areas. However, when careful consideration is used, a Return On Security Investment equation is still the best way for an organization to determine their security needs and costs.
Calculating Or Measuring Exposure To Risk
The first thing to determine when working out a Return On Security Investment equation is the risk exposure of the company in question. What sorts of computer security risks is it routinely exposed to? Figuring that out — and translating it into financial terms — can be cumbersome. One way of looking at this issue is to, for example, come up with a number for the financial losses incurred by a company whenever its computer network suffers from a virus or a hacker infiltration.
Assuming that the major types of these events have been duly recorded over a decent period of time, one could attempt to figure out an average yearly cost to the company. For example, the IT professionals within the business could look through records over a period of a year. As they peruse these records, they could note the major occurrences of viruses and determine a rough estimate for how frequently they tend to occur.
With this done, it is then necessary to figure out how much money these events cost the company on average. And that is part of the problem; one of these events might have cost the business approximately $100,000; the next closest virus might have cost closer to $45,000, and so on. With these numbers, an average cost can naturally be determined, but the trouble lies in the fact that there is no real way to predict when the next attack will occur — or how much it will ultimately cost a company.
We can turn to another common equation to quantify this risk exposure element in simple terms. Figuring out the Annual Loss Exposure (ALE) of a specific security threat can be done by multiplying the Single Loss Exposure (SLE) inflicted on a business by the Annual Rate of Occurrence (ARO). Again, this equation drastically oversimplifies all of the components and factors that can come into play with the rather intangible aspects of computer security.
Calculating Or Measuring The Risk Mitigated By A Security Measure
Once a risk exposure figure has been agreed upon, we must move on to determining the percentage of that risk that is eliminated — or mitigated — by implementing a particular security measure. In other words, imagine that a particular virus costs a company approximately $20,000 each time it strikes (Single Loss Exposure); assume that it occurs about five times per year (Annual Rate of Occurrence). Its Annual Loss Exposure number would, therefore, be $100,000.
A company can then attempt to determine how many of those occurrences will be prevented or thwarted by the security measure they are interested in implementing. This can often be gauged by researching previously published results from other organizations against similar security threats. However, since the security measure might also prevent risks or attacks that previously went undetected, it can be difficult to pinpoint its precise effectiveness.
For the sake of simplicity, though, let us assume that the security measure in question is thought to prevent about 80% of all attacks — or four out of five. Therefore, if it works as it is supposed to, 80% of the $100,000 Annual Loss Exposure, or $80,000 in losses, will be prevented or mitigated. This model naturally only works if the security threat in question can be easily quantified, which is seldom the case.
In addition to the prevention of known threats, a security measure might also increase productivity — and save money — in other ways. Preexisting problems can sometimes be eliminated by the implementation of a security measure. Where possible, IT personnel should attempt to gauge this effect by surveying employees as to the speed of their computer experience before and after implementation. Folding this effect into the percentage of risk mitigated improves the accuracy of the results going forward.
Calculating Or Measuring The Cost Of A Return On Security Investment Solution
The final component of the Return On Security Investment (ROSI) equation is the cost of implementing a solution to the security threat. It can be tempting to calculate this amount by simply looking at the sticker price of the solution at the time of purchase. However, a lot more naturally goes into determining the actual cost of a solution in terms of a Return On Security Investment equation.
In some cases, implementing a security solution can actually decrease the productivity of an organization’s employees. This sometimes happens because the adherence to new security measures forces employees to jump through many more hoops than they had to in the past; in other words, increased security often translates into a loss of ease and convenience. IT personnel can attempt to gauge this effect by determining the average time that it takes for various employees to accomplish routine tasks, before the implementation. After the measure has been in place for a spell, IT personnel can recalculate the time frame for these same employees and their tasks to see whether productivity has been impacted.
On the flip side, though, a security measure might actually increase the productivity of an organization’s staff. Obviously, if repeated crashes and long downtime are dramatically reduced due to the implementation of a security measure, then most employees are likely to experience greater productivity. Whether a measure increases or decreases productivity, though, must be determined and taken into consideration along with its actual “sticker price”.
Let us assume that the cost of the security measure to be used as a solution for the risks discussed previously is determined to be $20,000. Turning to our Return On Security Investment equation, we now have all of the numbers necessary to calculate whether the security measure is a cost effective solution for our business. We take the risk exposure of $100,000 and multiply it by the percentage of risk mitigated of 80% to come to $80,000. We subtract the solution cost of $20,000 from this number to arrive at a total of $60,000. Using the equation, we divide the $60,000 by the cost of the solution.
Upon completing the Return On Security Investment equation, we can see that the solution appears to be worth the investment; the return on the investment in this case is 300% ($60,000 / $20,000 = 3.0). Obviously, this is a very simplified example, used here to demonstrate more clearly how a ROSI equation is meant to work. As discussed throughout this article, many factors come into play in determining the components used in a Return On Security Investment equation.
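To make the calculation concrete, here is an added Python example (not code from the article) that carries the article's figures through ALE = SLE * ARO and the ROSI equation. It also handles cases the text only mentions: several threats summed into one risk exposure, a measured productivity effect folded into the solution cost (an assumed convention, since the article does not prescribe one), and a measure that costs more than it saves (negative ROSI).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One quantified security threat, using the article's ALE = SLE * ARO."""
    name: str
    sle: float  # Single Loss Exposure: cost to the business of one occurrence
    aro: float  # Annual Rate of Occurrence: expected occurrences per year

    def ale(self) -> float:
        """Annual Loss Exposure for this threat."""
        return self.sle * self.aro


def risk_exposure(threats: list[Threat]) -> float:
    """Risk Exposure term: the sum of the ALE of every threat the measure addresses."""
    return sum(t.ale() for t in threats)


def solution_cost(sticker_price: float, productivity_delta: float = 0.0) -> float:
    """Solution Cost term. Assumption (not from the article): the measured yearly
    productivity effect is expressed as a money amount and added to the sticker
    price, positive when the measure slows employees down, negative when it
    reduces downtime and so saves time."""
    return sticker_price + productivity_delta


def rosi(exposure: float, pct_mitigated: float, cost: float) -> float:
    """ROSI = ((Risk Exposure * %Risk Mitigated) - Solution Cost) / Solution Cost.
    Returns a ratio (3.0 means 300%); negative means the measure costs more than it saves."""
    if not 0.0 <= pct_mitigated <= 1.0:
        raise ValueError("pct_mitigated must be a fraction between 0 and 1")
    if cost <= 0:
        raise ValueError("solution cost must be positive; a free measure has no defined ROSI")
    return (exposure * pct_mitigated - cost) / cost


if __name__ == "__main__":
    # The article's worked example: one virus at $20,000 per hit, five hits a year,
    # an 80% effective measure with a $20,000 sticker price.
    virus = Threat("virus", sle=20_000, aro=5)
    exposure = risk_exposure([virus])
    print(f"ALE  = ${exposure:,.0f}")
    print(f"ROSI = {rosi(exposure, 0.80, solution_cost(20_000)):.0%}")
    # Constructed variation: the same measure also costs $5,000 a year in lost
    # convenience (employees jumping through more hoops), which lowers the return.
    print(f"ROSI with productivity loss = {rosi(exposure, 0.80, solution_cost(20_000, 5_000)):.0%}")
```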
Understanding the fundamentals of the Return On Security Investment equation and using them to gauge whether or not a solution is worth it financially is a good way to protect the profitability of an organization. IT personnel who become comfortable with this concept and with explaining it to the management of a company can experience greater success in getting their point across. Over time, a Return On Security Investment equation can become a finely honed way of deftly assessing whether or not to implement a particular security measure.