Comments on TaoSecurity Blog: No ROI? No Problem
Blog author: Richard Bejtlich (comment feed last updated 2023-10-16)

Anonymous (2008-09-03 10:59 -04:00):
I suspect that the mistake that is being made here is to assume that the word "investment" in ROI has the balance sheet meaning, rather than the mathematical significance. ROI, like its better cousin NPV, is simply a model that deals with numbers for the purpose of *comparison* of projects. It is not about "making money" or the bottom line, but comparing choices in projects.

ROI / NPV quite happily deals with negative numbers like savings and expenses; it's neutral to what the balance sheet says about the resultant money flows. Another way of thinking about it is that there is no return on investment in ROI; there is simply an ability to compare projects based on the same assumptions and inputs.

Anonymous, signed Adrian (2007-07-22 16:38 -04:00):
You wrote that:

"As a result, risk assessment is largely guesswork. Guesswork means the savings can be just about anything the security manager chooses to report."

Please have a look at the Open Source project ORIMOR (http://www.somap.org/repository/). ORIMOR is the short form for "Open Risk Model Repository". We are working on ORIMOR with the intention to solve some of the problems you mention. Assets need to be inventoried and to be valued. What about helping the security officer and putting some generic value onto an asset which can then be used in an assessment? We can do the same with Threats. Why not share threat values and likelihood information amongst different organisations? This could lead to an average value which could be better than wild guesses.

Somebody said once that the numbers we currently work with are bad but that these are the only ones we have. Lame excuse. It is our goal to start to share risk-related data so that we have the chance to create better data.

Unfortunately this space is too small for such a big topic. Please drop me a note if you want to discuss further.

Adrian

Anonymous, signed Tyrel (2007-07-21 06:05 -04:00):
Right on Richard!!
I have literally the same real-world experience in regard to sitting in meetings when someone asks about ROI on a security project and the whole project or idea gets almost immediately canned because it is "not a good project because there is no ROI". I got in several debates with colleagues over this and spent a lot of time trying to convince people a particular procedure or software was good security, and I can tell you what Richard says is TRUE - 100%. It is a really frustrating thing that IT people face on a regular basis - especially in regard to security.
If only I had thought of explaining the difference between wealth preservation and gaining wealth (as Richard did in this post) I would have been successful with my Director, CFO, President, etc. Where was this blog post 4 years ago? :-) Just kidding, but seriously thanks for the great info and perspective Richard!
-Tyrel
www.SitesCollide.com

Anonymous, signed Ken (2007-07-18 09:05 -04:00):
Dr. Lawrence Gordon said the matter is more complicated and the InfoSec ROI is possible although there are problems with it.

http://www.bloginfosec.com/2007/07/18/email-from-dr-lawrence-gordon-security-roi-possible-but-not-optimal-use-other-metrics

Ken
http://www.bloginfosec.com

Richard Bejtlich (2007-07-17 17:22 -04:00):
For those who didn't read Anton's post, he discussed the issue with his wife -- who is a Ph.D. candidate in Economics at Stony Brook University -- and they decided I am right.

Richard Bejtlich (2007-07-17 17:20 -04:00):
Hi Ryan,

Again, thanks for reminding me of their work. However, I'm not confusing anything.

I recommend reading Anton's recent post (http://chuvakin.blogspot.com/2007/07/security-roi-pile-up.html).

I'll have more to say about this after I read Gordon and Loeb's book.

Ryan (2007-07-17 15:48 -04:00):
Richard,

My point is that they are economists and they explicitly *don't* agree with you. Gordon's own home page on the University of Maryland site mentions return on security investments:

"In other words, organizations may derive a *higher return* on their security activities by investing in cyber/information security activities that are directed at improving the security of information sets with a medium level of vulnerability." - (Gordon's UMD Home Page, http://www.rhsmith.umd.edu/faculty/lgordon/Gordon%20Loeb%20Model%20cybersecurity.htm, emphasis added)

Bammkkkk,

I've read nearly everything Gordon and Loeb have written on the subject (I wrote a paper related to this topic for my masters degree), including the paper you cited above. Gordon's problem with ROI isn't that security doesn't have returns, it's that ROI is a simplistic calculation that doesn't account for the time value of money (real financial professionals don't use ROI in general). Gordon recommends net present value (NPV) for weighing security investments, which does account for the time value of money, *but also involves a concept of return*.

I think Richard has an excellent point to make, but I think he has confused the concepts of *return* and *positive cash flow*.

-Ryan Heffernan

bamm (2007-07-16 18:32 -04:00):
Ryan,

Funny, the article referenced in my comment above was authored by Lawrence Gordon and Robert Richardson. In it, they state that ROI can't be applied perfectly to information security. I expect that means they are more likely to agree with Richard.

Bammkkkk

Richard Bejtlich (2007-07-16 17:36 -04:00):
Ryan,

Thanks for reminding me about their book. I have had it on my Amazon.com wish list, so I will have to buy it to see what they say. Assuming they are economists I am pretty sure they actually will agree with me, but I will read the book when I get a copy.

Ryan (2007-07-16 15:07 -04:00):
Richard,

Interesting post. I understand your point, but I'm not sure I agree. I only have a little bit of training in finance, so I certainly don't speak with authority on the subject. That said, I know of some people who do speak with authority who (by my interpretation) disagree with you. Specifically, Lawrence Gordon and Martin Loeb.

Gordon and Loeb are both professors of accounting and information assurance at the University of Maryland School of Business. They are also the authors of the most comprehensive work on information security and finance, "Managing Cybersecurity Resources" (http://www.amazon.com/Managing-Cybersecurity-Resources-Cost-Benefit-Mcgraw-Hill/dp/0071452850). Throughout this work (and many of their papers that have been published in peer-reviewed accounting journals) they extensively discuss information security as something that generates return. Given their PhDs in managerial economics, I doubt they are misusing the term.

Your point about security not putting money in a firm's pocket in most cases is well taken; however, my understanding is that you don't have to generate revenue to have return on investment. Return on investment is generated by any capital expenditure that increases the value of the firm. Return on investment is a total value/net worth concept that is distinct from cash flow. Revenue (which security doesn't produce in most cases) is a cash flow concept.

Ryan Heffernan

bamm (2007-07-16 11:06 -04:00):
The 2004 post titled "Calculating Security ROI Is a Waste of Time" references a great article, "The Economics of Information Security", but the URL is broken. So for those following this discussion, be sure to check out the article here: http://www.networkcomputing.com/showitem.jhtml?docid=1506f4

Bammkkkk

Anonymous, signed Ken (2007-07-15 12:25 -04:00):
I have replied to your post here:
http://www.bloginfosec.com/2007/07/13/bejtlich-and-business-will-it-blend/#comment-1751

Ken
http://www.bloginfosec.com