Security Is Still Loss Avoidance
One of you (who wishes to remain anonymous) sent me a link to the story Value Made Visible in response to my Real Technology ROI post. Here is the core argument from the CSO magazine article.
[The] Value Protection [Metric] is [Bruce] Larson's attempt to overcome security's classic problem of seeming like nothing but a drain on the business...
The basic Value Protection metric is a ratio that looks like this: Value Protection = (Normal Operations Cost ($) – Event Impact ($)) / Normal Operations Cost ($)...
Larson's metric just subtracts the cost of security events from the normal cost of doing business, then divides by that same operations cost to get a ratio.
I'm sure that's been published somewhere before, or at least something very similar. I'm too lazy to check those CISSP books I never open.
Here are some examples from the same article:
Whether it's based on actual events or potential futures, the Value Protection ratio gives security officers a real metric to present and it gives executives a simple, clean picture of security investments' relative value. Here are three examples of how it could be used by an organization with a normal operations cost (N) of $1 million:
Example 1. A medium-level virus outbreak costs $70,000 across all operations.
VP = (1,000,000 – 70,000) / 1,000,000 = 0.93
Larson calls a 0.9 ratio "exceptional." A Value Protection ratio of 0.93 probably doesn't require more investment or lowering of event impact, especially if trying to increase the ratio would take away from investment in other areas where Value Protection isn't as strong.
Example 2. An insider fraud attack causes $500,000 in response and recovery costs, lawyers' fees, insurance costs and unrecouped stolen goods.
VP = (1,000,000 – 500,000) / 1,000,000 = 0.5
In rare instances where high risk is tolerable, such as a high-level R&D project, protecting half the value of an investment might be acceptable. But in most cases, value protection of 0.5 is "usually pretty bad," Larson says. And that makes sense: It means your security is a 50/50 proposition.
Example 3. A network vulnerability leads to customers' personal data being stolen, resulting in $1.2 million in damages from response and recovery, lawyers' fees, government fines and other ancillary costs, as well as a significant drop in stock value after negative publicity.
VP = (1,000,000 – 1,200,000) / 1,000,000 = -0.2
Negative ratios are a clear sign that an organization doesn't have the proper information security defenses in place, as it means that security events have or potentially will cost more than operations is spending to stop them. Immediate steps should be taken to fortify the information security controls.
Ok, this is all very interesting. However, it doesn't change the fact that security is still loss avoidance. Mr. Larson is not calculating any return on security investment. His American Water company is not any more productive, in the absence of threats, when he spends money on security.
When threats are present, security helps American Water keep serving its customers. It does not let American Water serve any more customers than it otherwise could.
One last excerpt. This "VP" (the vice president, not the Value Protection metric) is either being nice or doesn't understand business very well:
"It adds value; we're very supportive of it," says Steve Schmitt, American Water's vice president of operations, of Larson's Value Protection metric.
Sorry Mr. Schmitt, but your American Water operations create value. Security spending helps avoid loss of that value.
This is not to say that I oppose security spending. How could I -- I am a security professional! However, I also recognize that security is like insurance. You cannot buy insurance and, as a result, make your business more productive or profitable.
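To make the metric concrete, here is a small worked example in Python. It is added illustration for this post, not code from the CSO article, from Larson, or from American Water. The three events are constructed to mirror the article's own numbers against a normal operations cost of $1 million, the qualitative labels are taken from Larson's remarks quoted above (0.9 "exceptional", 0.5 "usually pretty bad", negative means fortify now), and the `portfolio_vp`, `vp_ceiling` and `spend_inflation` helpers are my own additions: the first sums impacts over a period instead of scoring each event against the same N, the second shows that the ratio can never exceed 1.0 no matter how much is spent on controls (the loss-avoidance point of this post), and the third shows what happens when security spend is folded into the operations cost, which is the objection one of the commenters below raises.

```python
"""Worked example of the Value Protection (VP) ratio quoted from CSO above.
Added illustration only; the event list below is constructed, not real
American Water data."""

from dataclasses import dataclass

# Qualitative thresholds as Larson describes them in the article.
EXCEPTIONAL = 0.9
POOR = 0.5


@dataclass(frozen=True)
class SecurityEvent:
    name: str
    impact: float  # total cost of the event, in dollars


def value_protection(normal_ops_cost: float, event_impact: float) -> float:
    """VP = (N - E) / N, with the parentheses the article's examples imply."""
    if normal_ops_cost <= 0:
        raise ValueError("normal operations cost must be positive")
    return (normal_ops_cost - event_impact) / normal_ops_cost


def classify(vp: float) -> str:
    """Map a VP ratio onto the article's qualitative labels."""
    if vp < 0:
        return "negative: events cost more than operations, fortify controls now"
    if vp >= EXCEPTIONAL:
        return "exceptional"
    if vp <= POOR:
        return "usually pretty bad"
    return "middling"


def portfolio_vp(normal_ops_cost: float, events: list[SecurityEvent]) -> float:
    """VP for a whole period. The article scores each event against the same N;
    summing impacts is the practitioner's view, since losses accumulate."""
    return value_protection(normal_ops_cost, sum(e.impact for e in events))


def vp_ceiling() -> float:
    """With no events at all VP = N / N = 1.0. No security spend can push the
    ratio above this, which is why VP measures avoided loss, not return."""
    return value_protection(1_000_000, 0.0)


def spend_inflation(normal_ops_cost: float, event_impact: float,
                    extra_security_spend: float) -> tuple[float, float]:
    """If security spend is counted inside N, the ratio rises even though the
    event impact is unchanged: (VP before, VP after) for the same loss."""
    before = value_protection(normal_ops_cost, event_impact)
    after = value_protection(normal_ops_cost + extra_security_spend, event_impact)
    return before, after


# Constructed events mirroring the article's three examples, N = $1M.
N = 1_000_000
ARTICLE_EVENTS = [
    SecurityEvent("medium virus outbreak", 70_000),
    SecurityEvent("insider fraud", 500_000),
    SecurityEvent("customer data breach", 1_200_000),
]

if __name__ == "__main__":
    for e in ARTICLE_EVENTS:
        vp = value_protection(N, e.impact)
        print(f"{e.name:24s} VP = {vp:6.2f}  ({classify(vp)})")
    print(f"{'all three in one period':24s} VP = {portfolio_vp(N, ARTICLE_EVENTS):6.2f}")
    print(f"{'no events (ceiling)':24s} VP = {vp_ceiling():6.2f}")
    before, after = spend_inflation(N, 500_000, 500_000)
    print(f"same $500k fraud, $500k more spend folded into N: {before:.2f} -> {after:.2f}")
```

Running it reproduces the article's 0.93, 0.5 and -0.2, then shows the two things the post and the comments argue about: the ceiling is exactly 1.0, so the best possible outcome is "lost nothing", and the same $500,000 fraud scores 0.67 instead of 0.50 once an extra $500,000 of spending is absorbed into the denominator, without a dollar of loss avoided.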
Comments
I agree that security does not increase the effectiveness of the business process which generates income, but through availability and trust it does increase a customer base, which in turn generates more revenue.
If I started an online payment system that didn't use encryption I really doubt anyone would use it. If I implemented SSL it wouldn't make my system any more efficient, but I'd bet I could make a good case for ROI on the cost of my certificate. =)
I'm concerned that this doesn't accurately show how each particular countermeasure (or group thereof) compares to what it is protecting. If they take the sum of all security incidents that result in loss, should that plug into this equation and yield .8 or greater? It seems like he is taking the same net operating costs and using that same value to compare against each individual loss value. I'm not sure I buy that...
If I spend XXX amount of money to protect my laptops with encryption, how does that affect my ability to catch an attacker popping my site with an XSS exploit? In this formula, it does affect it... it increases the ratio because my net operating costs increased. By this token, I could spend oodles of money on one particular vulnerability or vector, and ignore the rest... and still look good on paper.
Like much work with statistics and C-level talk of this nature, so much of it is just feel-good complexity with a lot of fluff and a lot less real value. :)
I really appreciate how you challenge semantics and thinking, Richard. I think it's awesome. And you're mostly right, security spending is risk loss. There are rare moments where you can turn a security operation into a profit-adding endeavor (consulting, selling a script someone built to accomplish tasks), or you can use that security enhancement as a competitive advantage and as a selling point. Perhaps that will gain a client or two that was asking for that level of security. (I think this latter part happens way more often than it should, which is why security is behind.) Then again, much like statistics, you could argue that you're still avoiding loss, i.e. the loss of the unrealized revenues from that client that didn't join us due to our lack of security. In case I want to get more dizzy, I could just throw in random terms like sunk costs and opportunity costs and I'd sound fluffy now too. ;)
From a business standpoint, I agree security spending should be treated like insurance spending, as risk mitigation.
Hiring pen/extrusion testers is a bit like contracting a building inspector to certify the physical condition of your warehouse; this certification can be used as a business metric in terms of insurance rates or to demonstrate legal compliance with building codes.
The problem our industry still faces is that without "good" security metrics, it's hard to rate security spending in the same way as insurance, which is a very well defined business tool and model.