

How Cybercriminals Attack the Internet of Things

The proliferation of Internet of Things (IoT) devices is transforming entire industries and leaving all of us dependent on the products those industries bring to market. According to a Gartner analysis, an estimated 20.4 billion IoT devices will be connected by the year 2020. That staggering number makes it easier than ever for cybercriminals to execute an attack.
Cybercrime as a Business
Today, cybercrime is a business, and a ruthlessly dangerous one, attacking a wide spectrum of devices: medical equipment, household thermostats, smart appliances, and every other type of device imaginable that is connected to the Internet. The illicit business operates around the clock but typically strikes during hours when victims are least likely to notice. Attackers weigh cost against benefit, mainly to generate revenue, and selectively attack targets during off-hours. Their tools of choice are custom built and unleashed against a specific class of IoT devices. Malware is commonly acquired online and then modified to exploit its victims.

There are many examples such as…

Things to Consider When Calculating the Return on Security Investment

In a world where security breaches make headlines on a daily basis, security has become an urgent priority in every aspect of life, especially business. As a result, calculating the return on investment (ROI) of security solutions is a major challenge for enterprises around the world, across all industries.

Communicating Security’s Impact on the Bottom Line

Some of the most important questions chief information security officers (CISOs) must answer regarding the return on security investment (ROSI) include:

  • How does a business become secure?
  • How much security does the business need?
  • How can business leaders determine whether the investments are reasonable?
  • What is the appropriate amount of financing and time to invest in security?
Executive decision-makers are often indifferent as to whether firewalls or door barricades protect the organization’s servers and data. They just want to know how security impacts the business’ bottom line. The CISO must understand this mindset and communicate the importance of security in business terms. Common questions executives may ask include:

  • How much could a lack of security potentially cost the business?
  • What effect does security have on current organizational productivity?
  • What is the potential impact of a catastrophic security breach?
  • How would the recommended solutions impact productivity?
  • Are these recommendations the most cost-effective solutions?
The key is to calculate the ROSI not by comparing results from several solutions, but by considering the investment on a risk basis.

Breaking Down the Return on Security Investment Formula

Measuring the probability of a data breach and the associated security risk is a daunting task, and the risk of miscalculation is considerable. This computation is only as good as the analytical efforts that go into the ROSI formula, which must include the cost of the security solution as well as the annual loss derived from risks:

ROSI (%) = ((ALE – mALE) – Cost of Solution) ÷ Cost of Solution

The components of the ROSI formula quantify the investment’s impact to the bottom line. This metric is critical to gain executive buy-in when presenting the return on investment.
The best way to understand the ROSI formula is to break down its components. Let’s start with the annual loss expectancy (ALE), which is the total financial loss expected from security incidents. This is the control number that demonstrates how much money could be lost without the security investment.

The ALE is calculated by multiplying the annual rate of occurrence (ARO) by the single loss expectancy (SLE). ARO is the probability of a security incident occurring within a year. This is a judgment call by the CISO based on historical incidents. SLE is the total financial loss from a single security incident. This component is based solely on data assets that have value within the organization. It also represents the direct costs of financial loss and the indirect costs associated with data breach fallout.

Finally, modified annual loss expectancy (mALE) is the ALE plus the savings the security solution delivers. This represents the percentage of threats halted by the security solution.
For example, let’s say a security solution requires an annual investment of $75,000 to remediate 20 security incidents per year, each resulting in $10,000 in data loss. According to the vendor, the solution will block 95 percent of those incidents. This scenario is computed as follows:

ROSI = ((20 x 10,000) x .95 – $75,000) ÷ $75,000
ROSI = 153.3 percent

The formula suggests that the security investment will generate a return of 153.3 percent or about $115,000 annually.
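The calculation above, written out as a small ROSI calculator (an added example, not part of the original article). It uses the article’s own scenario (20 incidents a year at $10,000 each, a $75,000 solution that blocks 95 percent of them) and goes one step further than the text: it also computes the break-even mitigation ratio and a sensitivity sweep, since the vendor’s effectiveness claim is usually the least certain input.

```python
"""ROSI calculator following the article's formula (added example).

ALE  = ARO x SLE                       (annual loss expectancy)
ROSI = (ALE x mitigation - cost) / cost  where ALE x mitigation == ALE - mALE
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    aro: float               # annual rate of occurrence (incidents per year)
    sle: float               # single loss expectancy (dollars per incident)
    mitigation_ratio: float  # fraction of incidents the solution stops (0..1)
    cost: float              # annual cost of the solution (dollars)

    @property
    def ale(self) -> float:
        return self.aro * self.sle

    @property
    def savings(self) -> float:
        # Loss avoided by the control: ALE - mALE in the article's notation
        return self.ale * self.mitigation_ratio

    @property
    def rosi(self) -> float:
        # Returned as a fraction: 1.533 means 153.3 percent
        return (self.savings - self.cost) / self.cost

    def breakeven_mitigation(self) -> float:
        """Smallest mitigation ratio at which the solution pays for itself."""
        if self.ale == 0:
            raise ValueError("no expected loss, so nothing to mitigate")
        return self.cost / self.ale


def sensitivity(base: Scenario, ratios) -> dict:
    """ROSI for each candidate mitigation ratio, holding ARO, SLE and cost fixed."""
    return {r: Scenario(base.aro, base.sle, r, base.cost).rosi for r in ratios}


# The article's worked scenario (values taken from the text above)
ARTICLE = Scenario(aro=20, sle=10_000, mitigation_ratio=0.95, cost=75_000)

if __name__ == "__main__":
    print(f"ALE ${ARTICLE.ale:,.0f}, loss avoided ${ARTICLE.savings:,.0f}, "
          f"net ${ARTICLE.savings - ARTICLE.cost:,.0f}, ROSI {ARTICLE.rosi:.1%}")
    print(f"break-even mitigation ratio: {ARTICLE.breakeven_mitigation():.1%}")
    for r, v in sensitivity(ARTICLE, (0.3, 0.5, 0.75, 0.95)).items():
        print(f"  blocks {r:.0%}: ROSI {v:+.1%}")
```

Running it reproduces the article’s 153.3 percent and shows the solution only breaks even once it stops at least 37.5 percent of incidents.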

The Role of Security Metrics

Another common method used to determine the effectiveness of security investments is security metrics. These metrics track controls within the security infrastructure, such as antivirus, intrusion prevention systems (IPS), firewalls, identity and access management (IAM), data loss prevention (DLP), security information and event management (SIEM), and more. The drawback is that security metrics are based on data collected over a long period of time. Therefore, the return on those security investments is influenced by past events and does not reflect advancements made to keep pace with emerging threats.

However, security metrics are crucial when it comes to calculating the ARO in the ROSI formula described above. When considering upgrading or implementing new solutions, these metrics allow security leaders to justify security investments in terms that executives can understand.