Vol. 10 No. 5
May 2007

Determining and Verifying
Security Return on Investment



Critical Questions

  • How is Security Return on Investment determined?
  • How is Security Return on Investment verified?
  • What are the behaviors of the Security Return on Investment calculation?
  • What enterprise actions are indicated by various calculated values?

Global Software Competitiveness Studies
Sponsored by the
Center for National Software
Studies (CNSS)
http://www.CNsoftware.org

Conducted by Don O’Neill
ONeillDon@aol.com
(301) 990-0377

© Don O’Neill, 2007, used by the NSC with permission



Determining and Verifying Security Return on Investment

Business case models provide a basis for rational action to assist understanding, constructing, implementing, verifying, and overseeing the enterprise assurance of software trustworthiness and security [BSI 07-1]. With the dramatic increase in cyberspace incidents and industry and government resistance to funding investment in the high cost of security readiness and survivability, there is a need for a method to reason about and compute security return on investment (ROI).

The availability of a common industry security ROI methodology would deliver numerous benefits. The contributors to security readiness, the costs to achieve security readiness, and the costs to recover from cyberspace incidents would be better understood. The enterprise could reason about its security investment decision with increased precision. The public-private collaboration discussion on who is responsible for paying for security would be better informed. The relationship between levels of security readiness and recovery costs would contribute to the actuarial basis for underwriting cyberspace insurance. The state of security readiness for the nation's critical infrastructure dependent on software could be better assessed.

Security business case claims are arguments for rational action based on business case models. A set of security business claims comprises the enterprise security business proposition. The degree to which a business proposition is met is the degree to which each security business claim is satisfied. Determining and verifying the value of security business case claims is based on the following principles:
1. Business case models are a means to reason about and determine the value of security business case claims.
2. Calculating security return on investment is a method to exercise and verify the value and validity of the stated security business claims.
3. Enterprise management makes an explicit commitment to a security business proposition based on verified and validated security business case claims.
4. The enterprise takes the steps necessary to improve its capability maturity for assuring resiliency under stress.

The business case model for determining and verifying security return on investment uses the calculations found on the Build Security In web site in “Calculating Security Return on Investment” [BSI 07-2]. Security return on investment is savings divided by cost. Reasoning about return on investment is then assisted by evaluating the expression [ROI := Savings/Cost]. Security incidents are made known as they are successfully resisted, as intrusions are recognized, and as impacted capabilities are reconstituted. Savings represent cost avoidance resulting from resistance, recognition, and reconstitution efforts. Cost includes preparation and incident cost. Incident cost is cleanup, lost opportunity, and critical infrastructure impact. CIOs and CSOs are invited to explore their security return on investment by visiting the assessment tool at http://members.aol.com/ONeillDon2/sec-roi_frames.html [SecROI Tool 06].

1. Determining the intended security return on investment involves populating the factors in the ROI#1 expression for calculating the intended security return on investment based on the expected number and distribution of incidents and expected factor values.

ROI#1 := Savings / Cost, where:
Savings := (Resistance Savings + Recognition Savings + Reconstitution Savings)
Cost := (Preparation + Cleanup + Lost Opportunity + Critical Infrastructure)

2. Verifying security return on investment involves populating the factors in the ROI#2 expression for calculating both the actual security return on investment and the intended return on investment based on the respective number and distribution of incidents and factor values.

ROI#2 := Savings / Cost, where:
Savings := (Full Cost Incurred - Cost with Avoidance)
Cost := (Preparation + Cost with Avoidance)

A factor used in determining security return on investment is a security business case claim. The set of claims comprises the enterprise business security case proposition. The outcome of the business case proposition is demonstrated by the behavior of the ROI#2 calculation.

The full set of outcome states includes:
1. If ROI#2 = 0, then the security business case proposition is met exactly. This occurs when the weighted distribution of actual security incidents equals that of the expected security incidents. This enterprise needs to maintain its level of software security assurance maturity in resisting, recognizing, and reconstituting.
2. If ROI#2 > 0, then the security business case proposition is not met. This occurs when the weighted distribution of actual security incidents exceeds that of the expected security incidents. The enterprise expectation and security readiness are not synchronized with actual events. This enterprise needs to improve its level of software security assurance maturity in resisting, recognizing, and reconstituting.
3. If ROI#2 < 0, then the security business case proposition is exceeded. This occurs when the weighted distribution of actual security incidents is less than that of the expected security incidents. This enterprise needs to sustain its level of software security assurance maturity in resisting, recognizing, and reconstituting.
4. If ROI#2 = -ROI#1, then the security business case proposition is exceeded to the maximum. This occurs when the weighted distribution of actual security incidents is zero. This enterprise needs to retain its high level of software security assurance maturity in resisting, recognizing, and reconstituting.
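The two expressions and the four outcome states, as an added Python calculator that is not part of the original article or of the BSI assessment tool; the factor names mirror the expressions above, the equality tolerance is an assumption, and the sample values in the comments are constructed.

```python
from dataclasses import dataclass


@dataclass
class IntendedFactors:
    """Factors of the ROI#1 expression (the intended, planning view)."""
    resistance_savings: float
    recognition_savings: float
    reconstitution_savings: float
    preparation: float
    cleanup: float
    lost_opportunity: float
    critical_infrastructure: float


@dataclass
class VerificationFactors:
    """Factors of the ROI#2 expression (the verification view)."""
    full_cost_incurred: float
    cost_with_avoidance: float
    preparation: float


def roi1(f: IntendedFactors) -> float:
    """ROI#1 := Savings / Cost with the savings and cost terms of the article."""
    savings = f.resistance_savings + f.recognition_savings + f.reconstitution_savings
    cost = f.preparation + f.cleanup + f.lost_opportunity + f.critical_infrastructure
    if cost <= 0:
        raise ValueError("ROI#1 cost must be positive; a zero cost makes ROI undefined")
    return savings / cost


def roi2(f: VerificationFactors) -> float:
    """ROI#2 := (Full Cost Incurred - Cost with Avoidance) / (Preparation + Cost with Avoidance)."""
    savings = f.full_cost_incurred - f.cost_with_avoidance
    cost = f.preparation + f.cost_with_avoidance
    if cost <= 0:
        raise ValueError("ROI#2 cost must be positive; a zero cost makes ROI undefined")
    return savings / cost


# Enterprise action the article attaches to each outcome state.
ACTION = {1: "maintain", 2: "improve", 3: "sustain", 4: "retain"}


def outcome_state(r1: float, r2: float, tol: float = 1e-9) -> int:
    """Map ROI#1 and ROI#2 to outcome states 1-4 (tolerance is an assumption)."""
    # State 4 (ROI#2 = -ROI#1) lies on the negative side of state 3, so test it first.
    if abs(r2 + r1) <= tol:
        return 4
    if abs(r2) <= tol:
        return 1
    return 2 if r2 > 0 else 3
```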

The enterprise can view success in two ways. One level of success occurs when the expected security incidents equal or exceed the actual [outcome states 1 and 3]. Here enterprise readiness level planning matches or exceeds reality. A second level of success occurs when the actual number and weighted distribution of security incidents and impacts approaches zero [outcome state 4]. The enterprise is not succeeding in its software security assurance initiative when the actual number and weighted distribution of security incidents exceeds the expected security incidents [outcome state 2].

Computing security ROI helps answer questions important to the security investment decision. If the expected number of incidents is low, will the security readiness investment be recouped? For an increasing number of cyber attack incidents, what are the minimum factors needed to fully recoup the security investment? Is there an equitable scheme for sharing security readiness costs among the project, the enterprise, and the government? What should be the guidelines for public-private collaboration and cost sharing?