I saw a note on the Patch Management mailing list referring to a blog by Steve Riley asking about Return on Security Investment (ROSI).
A calculation known as “Return on Security Investment” (ROSI) has been popularized over the past few years as a way to justify the costs of security functions. The ROSI is basically a “savings” in Value-at-Risk (VaR); it comes from reducing the risk associated with losing some dollar value. If the risk of losing $1,000,000 is 10%, then the VaR is $100,000. If that risk can be reduced to 5%, the VaR is $50,000 and the ROSI is $50,000 (typically less the cost of the control investment). None of this will show up on an income statement, though it is possible that an entity could reduce its risk reserves and gain a slight increase in profitability.
The challenge with ROSI is that you need to do two things that are very difficult to do: 1) quantify the value of what may be lost (i.e., mostly calculating your information asset value, but also factoring in costs that arise only when a loss occurs); and 2) quantify the likelihood of that loss. Of course, since ROSI is a comparison measure, you have to do both twice: with and without an identified change.
It is extremely rare to find anyone willing to stick their neck out on these two things. Luckily, I am foolish enough to have done both: check out my past blog post Calculating Information Asset Value for some guidance on number 1. Note, however, that there is typically another step required to figure out how much could be lost (asset value and potential loss are actually different quantities, at least from my perspective).
With regard to quantifying risk (number 2), see Three techniques for measuring information systems risk on searchsecurity.com. This should be a decent starting point.
Note that ROSI was primarily popularized due to the notion that you can't get ROI from security. I believe you can under the following circumstances:
- You agree that you can get a "return" by reducing costs as well as in the generally expected case of increasing revenue. (It is reasonable to disagree here, but the same position must then hold for all cost centers in the enterprise: HR, Legal, Admin, Finance (usually), etc.)
- You are currently spending money on security. This really has to be true these days - in the most extreme case, the spending may come in the form of incident response and recovery.
- You are not completely efficient. The biggest opportunity for ROI via cost savings is in automating manual processes and "uber-automating" already automated processes. Password resets and patch management are two good examples where automation can bring huge gains.
By the way, if you don't want to call it ROI, that is fine: you can perform the same calculations to get to cost/benefit comparisons and TCO differences.
See also: Security: Measuring Up on searchsecurity.com and Still more on ROI in Security.
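To make the two calculations above concrete, here is an added example (not from the original post) that works the post's VaR/ROSI figures and the "ROI via cost savings" case for automating password resets. The control cost, reset volume and per-reset cost are constructed assumptions, not figures from the post.

```python
from dataclasses import dataclass


def value_at_risk(loss_value: float, probability: float) -> float:
    """VaR = potential loss x likelihood of that loss (the post's $1M at 10% -> $100k)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return loss_value * probability


@dataclass
class Control:
    name: str
    cost: float                # annual cost of the control (constructed value)
    probability_after: float   # residual likelihood once the control is in place


def rosi(loss_value: float, probability_before: float, control: Control) -> dict:
    """ROSI = reduction in VaR, reported both gross and net of the control's cost."""
    before = value_at_risk(loss_value, probability_before)
    after = value_at_risk(loss_value, control.probability_after)
    gross = before - after
    return {"var_before": before, "var_after": after,
            "rosi_gross": gross, "rosi_net": gross - control.cost}


def roi_from_cost_savings(manual_cost_per_event: float, events_per_year: int,
                          automation_cost_per_year: float) -> dict:
    """ROI via cost savings (the post's password-reset case): compare the cost of
    the manual process with the cost of the automated one over a year."""
    manual_total = manual_cost_per_event * events_per_year
    savings = manual_total - automation_cost_per_year
    ratio = savings / automation_cost_per_year if automation_cost_per_year else float("inf")
    return {"manual_cost": manual_total, "savings": savings, "roi": ratio}


if __name__ == "__main__":
    # Figures from the post: $1,000,000 exposure, 10% likelihood, reduced to 5%;
    # the $20k control cost is a constructed assumption.
    ctl = Control("hypothetical control", cost=20_000, probability_after=0.05)
    print(rosi(1_000_000, 0.10, ctl))
    # Constructed password-reset figures: 4,000 manual resets/yr at $25 each
    # versus a $40k/yr self-service reset tool.
    print(roi_from_cost_savings(25.0, 4_000, 40_000))
```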