Sunday, April 18, 2004

Calculating Security ROI Is a Waste of Time

I was pleased to read Infosec Economics by Lawrence Gordon and Robert Richardson in the 1 Apr 04 issue of Network Computing magazine. This duo says:

"ROI (or bang for the buck) can't be applied perfectly to information security because often the return on information security purchases and deployments is intangible. Sure, companies invest in some solutions that offer benefits beyond security--faster network throughput in a new router that supports VPNs, for example--and they can calculate the ROI of these indirect benefits. But security requires factoring in the expectation of loss."

I've been lucky to have never been tasked with calculating security's "return on investment," because I would have told my supervisor the answer is zero. There is no return to be made on security, because security is a loss avoidance and loss mitigation measure. Security is a way to deal with risk, which is the probability of loss. (I dealt with these definitions in Oct 04.)

"Investing" in security is not like investing in a more efficient metal-bending machine or sending an employee to a training class. Donald Trump does not receive any return on the investment he makes in bodyguards. All he does is provide a means to lessen the probability of bodily harm. He is not a more efficient businessman as a result of having bodyguards.

Obviously people value security, but it must be balanced by the threats one faces and the consequences of loss. Presidential candidates only receive Secret Service protection once they appear to be their party's nominee. Private citizens do not usually employ bodyguards. We make the decisions all the time but because digital security is an art with opaque threats, we have trouble choosing the appropriate level of security for our networks. Those who perform network security monitoring are more aware of these threats than the average CISO. NSM operators possess network awareness, thanks to the sorts of information they collect.

Economists have appreciated this fact for years. It looks like the 2004 CSI/FBI study will avoid ROI in favor of discussing net present value (NPV) and security as an externality. Stay tuned.