"Most ROI models that come from security vendors are nonsense," writes Bruce Schneier at Computerworld. "ROI as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, we hope, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in the investment context."

However, Schneier continues, preventing loss means increased revenues. The bottom line is "a company should implement only security countermeasures that affect its bottom line positively. It shouldn't spend more on a security problem than the problem is worth. Conversely, it shouldn't ignore problems that are costing it money when there are cheaper mitigation alternatives. A smart company needs to approach security as it would any other business decision: costs versus benefits."

Schneier describes a methodology called annualized loss expectancy (ALE) as a trustworthy and useful way to select the security measures that deliver the most value for money. "Calculate the cost of a security incident in both tangibles like time and money, and intangibles like reputation and competitive advantage. Multiply that by the chance the incident will occur in a year. That tells you how much you should spend to mitigate the risk. So, for example, if your store has a 10% chance of getting robbed and the cost of being robbed is $10,000, then you should spend $1,000 a year on security. Spend more than that, and you're wasting money. Spend less than that, and you're also wasting money."

"Of course, that $1,000 has to reduce the chance of being robbed to zero in order to be cost-effective. If a security measure cuts the chance of robbery by 40% -- to 6% a year -- then you should spend no more than $400 on it. If another security measure reduces it by 80%, that's worth $800. And if two security measures each reduce the chance of being robbed by 50% and one costs $300 and the other $700, the first one is worth it and the second isn't."
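The arithmetic in the two quoted paragraphs, worked through as an added example (this is not Schneier's code or anything from the Computerworld piece): ALE is the yearly incident probability times the cost of one incident, the value of a countermeasure is the share of that ALE it averts, and a countermeasure is worth buying only if its yearly cost does not exceed that averted loss. The function and field names, and the four candidate measures with their costs, are constructed here to reproduce the store-robbery figures in the text; only the $10,000 loss, the 10% probability and the 40%/80%/50% reductions come from the page.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Countermeasure:
    """A candidate control: its yearly cost and the fraction of incident probability it removes."""
    name: str
    annual_cost: float
    risk_reduction: float  # 0.0 = does nothing, 1.0 = eliminates the risk entirely


def annualized_loss_expectancy(annual_probability: float, single_loss: float) -> float:
    """ALE = chance the incident occurs in a year x cost of one occurrence."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual_probability must be between 0 and 1")
    if single_loss < 0:
        raise ValueError("single_loss cannot be negative")
    return annual_probability * single_loss


def residual_probability(annual_probability: float, risk_reduction: float) -> float:
    """Incident probability left after a control removes the given fraction of it (10% cut by 40% -> 6%)."""
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")
    return annual_probability * (1.0 - risk_reduction)


def countermeasure_value(ale: float, risk_reduction: float) -> float:
    """Yearly loss the control averts, which is also the most it is worth spending on it per year."""
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")
    return ale * risk_reduction


def evaluate(annual_probability: float, single_loss: float,
             measures: List[Countermeasure]) -> Tuple[float, List[dict]]:
    """Score each measure on its own against the ALE; returns (ale, one report row per measure)."""
    ale = annualized_loss_expectancy(annual_probability, single_loss)
    report = []
    for m in measures:
        averted = countermeasure_value(ale, m.risk_reduction)
        report.append({
            "name": m.name,
            "averted_loss": averted,
            "net_benefit": averted - m.annual_cost,
            "worth_it": m.annual_cost <= averted,   # spending exactly the averted loss is the break-even point
        })
    return ale, report


# Constructed sample input: Schneier's store with a 10% yearly chance of a $10,000 robbery.
STORE_ROBBERY_PROBABILITY = 0.10
STORE_ROBBERY_LOSS = 10_000.0
# Constructed candidate measures; the reductions match the text, the names and prices are made up.
CANDIDATE_MEASURES = [
    Countermeasure("measure cutting risk 40%", annual_cost=400.0, risk_reduction=0.40),
    Countermeasure("measure cutting risk 80%", annual_cost=800.0, risk_reduction=0.80),
    Countermeasure("50% measure costing $300", annual_cost=300.0, risk_reduction=0.50),
    Countermeasure("50% measure costing $700", annual_cost=700.0, risk_reduction=0.50),
]

if __name__ == "__main__":
    ale, rows = evaluate(STORE_ROBBERY_PROBABILITY, STORE_ROBBERY_LOSS, CANDIDATE_MEASURES)
    print(f"ALE: ${ale:,.0f} per year")
    for row in rows:
        verdict = "worth it" if row["worth_it"] else "not worth it"
        print(f"{row['name']:<28} averts ${row['averted_loss']:,.0f}  "
              f"net ${row['net_benefit']:,.0f}  -> {verdict}")
```

Each measure is judged on its own, exactly as the quoted passage does; the block does not model two controls applied together (two independent 50% reductions leave 25% of the risk, not 0%), so a real budgeting exercise would evaluate the combined residual probability rather than summing the individual averted losses.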
