Return on Security Investment (and a little ROI)

I saw a note on the Patch Management mailing list referring to a blog by Steve Riley asking about Return on Security Investment (ROSI).

A calculation known as “Return on Security Investment” (ROSI) has been popularized over the past few years to describe a way to justify the costs of security functions. The ROSI is basically a “savings” in Value-at-Risk; it comes by reducing the risk associated with losing some dollar value. If the risk of losing $1,000,000 is 10%, then the VaR is $100,000. If that risk can be reduced to 5%, the VaR is $50,000 and the ROSI is $50,000 (typically less the cost of the control investment). None of this will show up on an income statement, though it is possible that an entity could reduce its risk reserves and gain a slight increase in profitability.

The challenge with ROSI is that you need to do two things that are very difficult to do: 1) Quantify the value of what may be lost (i.e., mostly calculate your information asset value, but also factor in the costs that are incurred only when a loss occurs); and 2) Quantify the likelihood of that loss. Of course, since ROSI is a comparison measure, you have to do both twice – with and without an identified change.
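The arithmetic above is simple, but the "do it twice" step is where spreadsheets tend to go wrong. The following is an added example (not code from the original post) that carries the post's $1,000,000 / 10% / 5% figures through VaR and ROSI, subtracts the control cost, and ranks several candidate controls against the same baseline. Everything beyond the post's own three numbers (the $20,000 control, the "halve loss amount" and "gold plating" candidates) is a constructed, hypothetical input.

```python
"""Worked ROSI calculation: Value-at-Risk before and after a control.

Added example, not from the original post. Apart from the $1,000,000 / 10% / 5%
case quoted in the post, every dollar figure and control name is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class RiskScenario:
    """One loss event: how much could be lost and how likely that is (per year)."""
    loss_if_realized: float  # asset value plus costs incurred only when the loss happens
    probability: float       # annualized likelihood of the loss, 0.0 .. 1.0

    def __post_init__(self) -> None:
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability must be in [0, 1], got {self.probability}")
        if self.loss_if_realized < 0:
            raise ValueError("loss_if_realized cannot be negative")

    def value_at_risk(self) -> float:
        """VaR in the post's sense: the dollar loss weighted by its likelihood."""
        return self.loss_if_realized * self.probability


def rosi(before: RiskScenario, after: RiskScenario, control_cost: float = 0.0) -> float:
    """Return on Security Investment: VaR saved by the control, less what the control costs.

    The 'after' scenario may change the likelihood, the loss amount, or both, which is
    why it is modelled as a whole scenario rather than as a new probability alone.
    """
    return before.value_at_risk() - after.value_at_risk() - control_cost


def max_justifiable_spend(before: RiskScenario, after: RiskScenario) -> float:
    """Largest control cost at which ROSI is still non-negative (the VaR reduction itself)."""
    return before.value_at_risk() - after.value_at_risk()


@dataclass(frozen=True)
class Control:
    """A candidate control: the scenario it leaves you in and its annual cost (hypothetical)."""
    name: str
    after: RiskScenario
    annual_cost: float


def rank_controls(before: RiskScenario, controls: Iterable[Control]) -> List[Tuple[str, float]]:
    """Rank candidate controls by ROSI, highest first.

    A negative ROSI means the control costs more per year than the VaR it removes.
    """
    scored = [(c.name, rosi(before, c.after, c.annual_cost)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # The post's own figures: $1,000,000 exposed at 10% likelihood, reduced to 5%.
    baseline = RiskScenario(loss_if_realized=1_000_000, probability=0.10)
    improved = RiskScenario(loss_if_realized=1_000_000, probability=0.05)
    print(f"VaR before: ${baseline.value_at_risk():,.0f}")                  # $100,000
    print(f"VaR after:  ${improved.value_at_risk():,.0f}")                  # $50,000
    print(f"ROSI before control cost: ${rosi(baseline, improved):,.0f}")     # $50,000
    print(f"ROSI with a $20,000 control: ${rosi(baseline, improved, 20_000):,.0f}")
    print(f"Most you could justify spending: ${max_justifiable_spend(baseline, improved):,.0f}")

    # Constructed candidates, to show the comparison done once per option.
    candidates = [
        Control("halve likelihood", improved, annual_cost=20_000),
        Control("halve loss amount", RiskScenario(500_000, 0.10), annual_cost=35_000),
        Control("gold plating", RiskScenario(1_000_000, 0.01), annual_cost=120_000),
    ]
    for name, value in rank_controls(baseline, candidates):
        print(f"{name:20s} ROSI ${value:>10,.0f}")
```

The third candidate is there on purpose: it cuts the likelihood the most, yet its ROSI is negative because the annual cost exceeds the VaR it removes, which is exactly the case the "less the cost of the control investment" caveat in the post is meant to catch.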

It is extremely rare to find anyone willing to stick their necks out on these two things. Luckily, I am foolish enough to have done both: Check out my past blog post Calculating Information Asset Value for some guidance on number 1. Note, however, that there is typically another step required to figure out how much could be lost (they are actually different, at least from my perspective).

WRT quantifying risk, see Three techniques for measuring information systems risk on searchsecurity.com. This should be a decent starting point.

Note that ROSI was primarily popularized due to the notion that you can’t get ROI from security. I believe you can under the following circumstances:

  1. You agree that you can get a "return" by reducing costs as well as in the generally expected case of increasing revenue. (It is reasonable to disagree here, but it must then also hold true for all cost centers in the enterprise – HR, Legal, Admin, Finance (usually), etc.)
  2. You are currently spending money on security. This really has to be true these days – in the most extreme case, the spending may come in the form of incident response and recovery.
  3. You are not completely efficient. The biggest opportunity for ROI via cost savings is in automating manual processes and "uber" – automating automated processes. Password resets and patch management are two good examples where automation can bring huge gains.

Btw, if you don’t want to call it ROI, that is fine – you can perform the same calculations to get to cost/benefit comparisons and TCO differences.

See also: Security: Measuring Up on searchsecurity.com and Still more on ROI in Security.

3 comments for “Return on Security Investment (and a little ROI)”

  1. January 9, 2006 at 9:35 am

    Comments on Pete Lindstrom’s ROSI post

    I’m short on time, but I did want to do a quick post about Pete Lindstrom’s post on ROSI. He makes a good point about efficiencies. But there are three ways a company creates value: Reduce costs faster than reducing revenue Increase revenues Reduce we…

  2. January 10, 2006 at 12:39 am

    ROSI – Colored Glasses

    Stephen Moore made a comment in Steve Riley’s blog about my ROSI posting: I think your premise that We know when a compromise occurs because it is self-defining is flawed. Let’s say a user’s password is compromised. Certainly we can audit successful and…

  3. Anonymous
    April 2, 2009 at 9:30 am

    Placing a trade in the FOREX (foreign exchange) market is really simple. The mechanics of a trade are very similar to those found in other markets (like the stock market), so if you have any experience in trading, you should be able to pick it up pretty quickly.

Comments are closed.