I would like to note two articles on security spending. I learned of the first by listening to the audio edition of The Economist, specifically the piece Anti-terrorist spending: Feel safer now?. The article summarizes a report, Transnational Terrorism (PDF), by The Copenhagen Consensus, a think tank that analyzes government spending. The Economist says:
The authors of the study calculate that worldwide spending on homeland security has risen since 2001 by between $65 billion (if security is narrowly defined) and over $200 billion a year (if one includes the Iraq and Afghan wars). But in either case the benefits are far smaller.
Terrorism, the authors say, has a comparatively small impact on economic activity, reducing GDP in affected countries by perhaps $17 billion in 2005. So although the number of terrorist attacks has fallen, and fewer people have been injured, the imputed economic benefits are limited — just a tenth of the costs.
That does not necessarily mean the extra spending was wasted. The number of attacks might have been even higher. In 2007 Britain's prime minister, Gordon Brown, said his country had disrupted 15 al-Qaeda plots since 2001. Yet so big is counter-terrorism spending and so limited is terrorism's economic impact that, even if 30 attacks like the London bombings of July 2005 were prevented each year, the benefits would still be lower than the costs. The authors conclude that spending is high because it is an insurance policy against a truly devastating operation such as a dirty bomb...
There were fewer terrorist attacks, they say, but the balance of costs and benefits is still poor—between five and eight cents of benefit for every dollar spent. But international co-operation to disrupt terrorist finances would be cost-effective, they think, producing $5-15 of benefits for each $1.
I am not here to debate the politics of the event, and if I get any comments about that I'll just delete them. Rather, I find the effort to perform a cost-benefit analysis interesting. I strongly prefer a cost-benefit approach (such as the one recommended, though not actually achievable, in Managing Cyber-Security Resources) to so-called "return on security investment." It's fascinating to see a debate about whether spending is justified if "nothing bad happens." If nothing bad happens, was the money wasted, or was it effective?
A second study is available via SecureWorks, titled Forrester Total Economic Impact™ of SecureWorks’ SIEM Service. OK, this is a vendor pitch, but I thought the approach the Forrester researchers took to quantify the benefit of security operations could at least serve as a template for others.
In December 2007, SecureWorks commissioned Forrester Consulting to examine the total economic impact and potential return on investment (ROI) that enterprises might realize from deploying SecureWorks’ Security Information and Event Management (SIEM) Service...
Pacific Gas and Electric Company (PG&E), one of the largest natural gas and electric utilities in the United States, uses SecureWorks’ SIEM Service at the monitoring level for more than 90 systems in its network. In in-depth interviews with PG&E, Forrester found that the organization achieved comprehensive, enterprise-level security monitoring at a lower cost than the alternative of implementing and maintaining an in-house 24x7 Security Operating Center (SOC) and SIEM solution. PG&E also achieved a lower risk of loss due to security breaches, and was better able to track security performance for audits and reporting, thus building credibility for their security program within the organization and with clients. Forrester calculated that PG&E achieved a return on investment (ROI) of 193%, with a nearly immediate payback period.
Ugh, yes, I detest "ROI," but check out the whitepaper to see how they justified the security program. You can download it without giving your life details away.