If project sponsors buy into this concept at face value and start talking about security ROI, they risk a damaging disconnect with financial executives in their organization. For these financial executives, ROI means specific and quantified cost savings or revenues gained. In contrast, the "ROI" referenced by many security vendors is based on immature data and un-quantifiable benefits. The expected returns are often calculated based upon the prevention of some hypothetical future events that will have some hypothetical financial implication. The benefits are too hypothetical and contingent for the business to take seriously as an investment justification. For most information security projects, it is just about impossible to predictively quantify a financial ROI. Therefore, IT organizations should react with skepticism to ROI calculators or models from information security vendors that are not substantiated by rigorous primary research.
In many instances, 'What is the return on investment?' is simply the wrong question to ask. Organizations should not consider every expense to be an investment. Many security expenditures are completely valid and necessary and even legally required expenses, but they are not always investments that will produce a quantifiable return. META Group advises security vendors and end-user organizations alike to employ the balanced cost/benefit analysis approach, rather than sensationalizing security risks or overstating the extent to which these projects can be justified based on expected financial returns. This cost/benefit analysis is based on three classes of expected benefits:
1. Instances where financial ROI can indeed be quantified in terms of cost savings. Examples include automated user administration or self-help password reset tools, which provide clear productivity benefits substantiated by sufficient data.
2. Quantifiable risk reduction assessed via a formal risk assessment methodology (i.e., reduction in aggregate loss exposure). Examples of risk reduction include a decreased likelihood of specific types of security breaches.
3. Benefits that are currently un-quantifiable in financial terms but can be clearly defined in qualitative terms. Examples include improved integrity of information transported or stored across the network, or improved capabilities to respond quickly to security incidents. All such benefits have financial consequences, but it is difficult to quantify these consequences in advance.
Once these three types of benefits are understood, they should be analyzed in terms of three levels of expected value: ongoing (helps maintain the current state of secure operations), added (enhances current operations), and new (provides new information security capabilities). The expected benefits should also be characterized in terms of their relevance at the corporate level (e.g., improved integrity of information) and individual level (e.g., productivity benefits from single sign-on). It is also essential to perform a risk assessment of the security project itself to identify the potential issues that could put the project at risk and how to mitigate those risks. Although this is "common sense" that should be part of all project plans, ironically many security managers omit this step as they focus on the organization-wide risks that the project is intended to mitigate.
The final component of a balanced cost/benefit approach is, once the project is completed, to measure to what extent the expected benefits were achieved, as well as any unexpected consequences. The results should then be communicated frankly and honestly to the business. The truth is that most security expenditures, like insurance policy premiums, are necessary evils. Rather than generating quantifiable financial dividends, they reduce the risk exposure of the organization to damaging events. For several reasons, however, security vendors and service providers are not able to talk about risk avoidance effectively in their marketing.
Insurance companies are well recognized for delivering specific values on probabilities that they understand well. Software companies are known for extracting every pound they can from pushing their software at customers. They do not have anywhere near the level of credibility that an insurance company has, so they can't use that approach. With insurance, there is an implicit acceptance of the downside within the customer base. The customer understands the need to insure against the possibility of death, car accidents, burglaries, and so on. But with information security, there isn't the same implicit acceptance of the downside, and explicitly focusing on the negative is counterproductive. In addition, there is a history of scaremongering that security people have used in the past to scare up investment, and this has created a backlash at the executive level.
As change rates decline, standards are established, and more actuarial data is gathered, META Group expects additional aspects of information security to become quantifiable in terms of ROI. For example, some U.K. banks are now engaged in a long-term project to gather data about the financial impact of security breaches in their industry. And just last year META Group research helped the industry become capable of calculating an ROI for identity infrastructure. In addition, as information security data being developed by insurance firms improves and the cost of IT insurance policies declines, security managers can meaningfully compare the alternative costs of buying insurance and taking security countermeasures to protect against specific threats.
And finally, security managers should make sure that they provide feedback to the business about the results that are achieved by security projects. This final step is important to establish credibility at the business level for future security project proposals.
Tom Scholtz, vice president at META Group, an acknowledged authority on information security management.