Friday, December 17, 2004

Ripping Into ROI

In April I wrote Calculating Security ROI Is a Waste of Time. The latest print issue of Information Security magazine features a story by Anne Saita that confirms my judgement:

"If you find executives resisting your security suggestions, try simply removing the term 'ROI' from the conversation.

'ROI is no longer effective terminology to use in most security justifications,' says Paul Proctor, VP of security and risk strategies for META Group. [Paul is also author of the excellent book Practical Intrusion Detection, where he correctly said 'there is no such thing as a false positive.']

Executives, he says, interpret ROI as 'quantifiable financial return following investment.' Security professionals view it more like an insurance premium. The C-suite is also wary of the numbers security ROI calculators crunch.

'Bottom line is that most executives are frustrated and no longer interested in hearing this type of justification,' Proctor says. Instead, express a technology's or program's business value, cost/benefit analysis and risk assessment."



Anonymous said...

What's led to this condition? "Bottom line is that most executives are frustrated..." - is this because it's been done wrong for so long?

I see this all the time in my current environment...every month, incredible effort is put into pulling together "metrics" of performance, but most parties involved know that these metrics don't do anything other than put pretty graphs on paper...ROI isn't being demonstrated. GIGO.

As far as "no such thing as a false positive"...that's very interesting. Admittedly, until the past couple of months, I haven't been "in the weeds" in the IDS field, but after having encountered only a few issues, it's clear to me that that's the case.

H. Carvey
"Windows Forensics and Incident Recovery"

Richard Bejtlich said...

Harlan, thanks for your comment. We discussed "security ROI" quite a bit at CanSecWest '04 and I've chatted via email with Thomas Ptacek about this. In my view, 90% or more of security should be treated like insurance. You buy insurance as a risk transference method when faced with the prospect of loss. Very rarely does security ever provide a "return on investment." The 10% of cases I could imagine would involve increasing the trust of a customer and thereby encouraging new business. A second scenario would be implementing security to meet requirements to do business. Notice that these two cases, especially the latter (in the form of regulatory requirements), are driving security programs in many companies.

Business people see an investment as the application of resources to a project. A positive return on investment occurs when the financial gain from that application of resources exceeds that of the resources applied, adjusting for the time value of money. A good return on investment occurs when the financial gain exceeds that of other projects with similar risks.

About Paul Proctor's comments: I recommend reading pages 108-111 of his book "Practical Intrusion Detection." He lists "myth #2" as "the false positive myth." He writes "There is no such thing as a false positive in an operational environment because, unless caused by a poorly written signature, every alarm has value. It's just that every alarm does not require your full attention. Poorly written signatures are not false positives; they are system failures and should be treated as such."

I totally agree with this perspective. If someone writes a signature to generate an alert every time an IDS sees "cmd.exe", it is not the fault of the IDS when it reports what it sees. The fault lies with the signature writer. I agree that IDS vendors who write poor signatures are partly to blame, especially if users cannot tune these signatures. (That's why I like Snort and Sourcefire so much -- I can make the detection engine act as I see fit.) Layer 7 firewalls (aka "intrusion prevention systems") are forced to operate with much smaller numbers of rules because their blocking decisions have much higher consequences compared to passive IDSs.

Anonymous said...

Hi - I think you can get ROI from security if you are not completely efficient or completely effective in your operations (which nobody is that I am aware of). More at

In addition, it seems to be a common refrain these days to suggest that security is about insurance. I think this is incorrect. Security is about reducing risk to a level that you can accept. Insurance is what you do as a hedge against that residual risk. Your health and your car are two good comparison models in this respect.

Security and insurance are complementary - that is why an environment with (qualitatively) less security pays more in insurance, and vice versa.