Sunday, July 15, 2007

Security ROI Revisited

One of you responded to my No ROI? No Problem post with this question:

Just read your ROI blog, which I found very interesting. ROI is something I've always tried to put my finger on, and you present an interesting approach. Question: Is it not possible to 'make' money with security, or does it still come down to savings? Example:

- A hospital implements a security system that allows doctors to access patient data from anywhere. Now, instead of doing 10 patients a day they can do (and charge) 13 patients a day.

I'm not trying to sharp shoot you in any way, I'm just trying to better understand the economics.


This is an excellent question. This is exactly the same concept as I stated in my August 2006 post Real Technology ROI. In this case, doctors are more productive at accessing patient data by virtue of a remote access technology. This is like installing radios for faster dispatch in taxis. In both cases security is not causing a productivity gain but security can be reasonably expected as a property of a properly designed technology. In other words, it's the remote access technology that provides a productivity gain, and doctors should expect that remote access to be "secure." In a taxi, the radio technology provides a productivity gain, and drivers should expect that system to be "secure."

I'm sure that's not enough to convince some of you out there. My point is you must identify the activity that increases productivity -- and security will not be it. Don't believe me? Imagine the remote access technology is a marvel of security. It has strong encryption, authorization, authentication, accountability, endpoint control, whatever you could possibly imagine to preserve the CIA triad. Now consider what happens if, for some reason, doctors are less productive using this system. How could that happen? The system is secure! Maybe the doctors all decide to spend tons more time looking at patient records so their "throughput" declines. Who knows -- the point is that security had nothing to do with this result; it's the business activity that increases (or in this example, decreases) that determines ROI.

What does this mean for security projects? They still don't have ROI. However, and this is a source of trouble and opportunities, security projects can be components of productivity-enhancing projects that do increase ROI. This is why the Chief Technology Officer (CTO) can actually devise ROI for his/her projects. As a security person, you would probably have more success in budget meetings if you can tie your initiatives to ROI-producing CTO projects.

Wait a minute, some of you are saying. How about this example: if a consumer can choose between two products (one that is "secure" and one that is not), won't choosing the "secure" model mean that security has an ROI, because the company selling the secure version might beat the competition? In this case, remember that the consumer is not buying security; the consumer is buying a product that performs some desired function, and security is an "enabler" (to use a popular term). If the two products are functionally equivalent and the same price, buying the "secure" version is a no-brainer because, even if the risk is exceptionally small, "protecting" against that risk is cost free. If the "secure" version is more expensive, now the consumer has to remember his/her CISSP stuff, like Annualized Rate of Occurrence (ARO) and Single Loss Expectancy (SLE), to devise an Annual Loss Expectancy (ALE), where

ARO * SLE = ALE

You then compare your ALE to the cost differential and decide if it's worth paying the extra amount for the "secure" product.

For those of you who still resist me, it's as simple as this: security is almost always concerned with stopping bad events. When you stop a bad event, you avoid a loss. Loss avoidance means savings, but no business can stay in business purely by saving money. If you don't understand that, you will never be able to understand anything else about this subject. You should also not run a business.

The reason why you should pursue projects that save money is that those projects free resources to be diverted to projects with real ROI. Those of you who have studied some economics may see I am getting close to Frédéric Bastiat's Broken Window fallacy, briefly described by Russell Roberts thus:

Bastiat used the example of a broken window. Repairing the window stimulates the glazier’s pocketbook. But unseen is the loss of whatever would have been done with the money instead of replacing the window. Perhaps the one who lost the window would have bought a pair of shoes. Or invested it in a new business. Or merely enjoyed the peace of mind that comes from having cash on hand.

Spending money on security breaches is repairing a broken window. Spending money to prevent security breaches is like hiring a guard to try to prevent a broken window. In either case, it would have been more productive to be able to invest either amount of money, and a wise investment would have had a positive ROI. This is why we do not spend time breaking and repairing windows for a living in rich economies.

However, like all my posts on this subject, I am not trying to argue against security. I am a security person, obviously. Rather, I am arguing against those who warp security to fit their own agenda or the distorted worldview of their management.

For an alternative way to talk to management about security, I recommend returning to my post Risk-Based Security is the Emperor's New Clothes where I cite Donn Parker.

7 comments:

Roland said...

Correct - VPNs aren't a security technology, they're a traffic engineering technology. They may (and generally should) have security properties such as authentication, encryption, and so forth, but there's nothing about them which merits their near-universal description as being about 'security', per se.

Johann van der Merwe said...

I fully agree with you Richard and am happy that you are addressing this issue. If I can maybe just add to your statement

“The reason why you should pursue projects that save money is that those projects free resources to be diverted to projects with real ROI.”

You make a valid distinction between the concepts of ROI and REAL ROI. One example of a security project where most vendors calculate “ROI” is with the implementation of an identity and access management (IAM) system. They argue that you make an “investment” in the IAM system and will “receive” a return if you save enough money, for example, through a reduction in staff count and/or an increase in productivity (since you can add or remove users faster from multiple systems). What you say is that the term ROI is effectively abused in this context since you will never make money with an IAM system, but maybe save money? Interesting enough is that you are saving money via IAM as a result of inefficiencies introduced by security.

Anonymous said...

Wow -- ARO, SLE, ALE...you must be a believer in the CISSP, huh?

Dr Anton Chuvakin said...

No ROI! http://chuvakin.blogspot.com/2007/07/security-roi-pile-up.html

Andreas Wiegenstein said...

Hello Richard.

Although I really like your blog and understand your chain of arguments, I am still not entirely convinced. Here is an example for security investment that (in my opinion) creates money for a company.

Assume you have three companies: A, B and C that all sell a product of similar quality over the Internet.

While companies B and C put all their money in research to enhance their product, company A is investing the money in the security of their online sales process.

Over time, company B and C get hacked several times and lose reputation. More and more of their irritated customers therefore decide to shop at company A, which has had no security incident. Company A suddenly becomes market leader because of their good security reputation.

It appears that in the long run company A's strategy has paid. The money invested in security has resulted in increased sales. They make more money now, because their security strategy has attracted new customers. The company didn't just prevent losing customers, they actually managed to create new ones.

Where is the avoided loss of money for company A?

Richard Bejtlich said...

Theoretically, that's a good idea. However, in the modern economy people either 1) don't care or don't believe anyone can do anything about security breaches; or 2) assume security is standard and don't differentiate on security. As Dan Geer says, "No airline advertises how few of their planes crash." For evidence of the former see any of the stories on TJX:

The TJX Effect:

A PARADOX

There's an interesting paradox in the TJX Effect, and it has to do with the company's financial performance. While at least a dozen customers have sued the company for not properly protecting their payment information--the cases are being consolidated into class-action suits and venues are still being chosen--many more are still shopping at its stores.

Financial analysts continue to raise their expectations for the company's stock price, as first-quarter 2008 sales were up about 6% compared with the year-earlier quarter, to $4.1 billion. Net income was down less than 2% from a year ago, to $162.1 million--not bad considering the $20 million charge TJX had to take.

In a February survey of 1,200 debit card holders by Javelin Strategy & Research, three out of four said they wouldn't continue shopping at a merchant where a data breach had occurred, says Mary Monahan, a Javelin analyst, and 84% said they would shop at merchants that said they were security leaders. But the reality seems quite different.

Andreas Wiegenstein said...

Investment in security is not about advertising that you are secure. It's about avoiding press releases stating the opposite and maintaining your good reputation.

To sum it up: an investment in security today is a must to prevent losses.

And depending on market demands, security can generate ROI tomorrow. If and how much is just difficult to predict.