Things to Consider When Calculating the Return on Security Investment


In a world where breaches make headlines on a daily basis, security has become an urgent priority in every aspect of life, especially business. As a result, calculating the return on investment (ROI) of security solutions is a major challenge for enterprises around the world, across all industries.

Communicating Security’s Impact on the Bottom Line

Some of the most important questions chief information security officers (CISOs) must answer regarding the return on security investment (ROSI) include:

  • How does a business become secure?
  • How much security does the business need?
  • How can business leaders determine whether the investments are reasonable?
  • What is the appropriate amount of financing and time to invest in security?

Executive decision-makers are often indifferent as to whether firewalls or door barricades protect the organization's servers and data. They just want to know how security affects the business's bottom line. The CISO must understand this mindset and communicate the importance of security in business terms. Common questions executives may ask include:

  • How much could a lack of security potentially cost the business?
  • What effect does security have on current organizational productivity?
  • What is the potential impact of a catastrophic security breach?
  • How would the recommended solutions impact productivity?
  • Are these recommendations the most cost-effective solutions?

The key is to calculate the ROSI not by comparing results from several solutions, but by considering the investment on a risk basis.

Breaking Down the Return on Security Investment Formula

Measuring the probability of a data breach and the associated security risk is a daunting task, and the risk of miscalculation is considerable. This computation is only as good as the analytical efforts that go into the ROSI formula, which must include the cost of the security solution as well as the annual loss derived from risks:

ROSI (%) = ((ALE − mALE) − Cost of Solution) ÷ Cost of Solution

The components of the ROSI formula quantify the investment's impact on the bottom line. This metric is critical to gain executive buy-in when presenting the return on investment.
The best way to understand the ROSI formula is to break down its components. Let’s start with the annual loss expectancy (ALE), which is the total financial loss expected from security incidents. This is the control number that demonstrates how much money could be lost without the security investment.

The ALE is calculated by multiplying the annual rate of occurrence (ARO) by the single loss expectancy (SLE). ARO is the probability of a security incident occurring within a year. This is a judgment call by the CISO based on historical incidents. SLE is the total financial loss from a single security incident. This component is based solely on data assets that have value within the organization. It also represents the direct costs of financial loss and the indirect costs associated with data breach fallout.

Finally, modified annual loss expectancy (mALE) is the ALE adjusted for the savings the security solution delivers; the difference between ALE and mALE reflects the percentage of threats halted by the security solution.

For example, let's say a security solution has an annual investment of $75,000 to remediate 20 security incidents a year, each resulting in $10,000 in data loss. According to the vendor, the solution will block 95 percent of those incidents. This scenario is computed as follows:

ROSI = ((20 × $10,000) × 0.95 − $75,000) ÷ $75,000
ROSI = ($190,000 − $75,000) ÷ $75,000
ROSI = 153.3 percent

The formula suggests that the security investment will generate a return of 153.3 percent or about $115,000 annually.
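The formula above, carried through in code as an added example (not part of the original article): it reproduces the $75,000 scenario and also answers two questions a CISO is likely to be asked, namely the break-even mitigation rate below which the solution loses money, and how sensitive the result is to the ARO, which the article notes is a judgment call. The `RosiInputs` type and function names are my own.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RosiInputs:
    aro: float         # annual rate of occurrence (incidents per year)
    sle: float         # single loss expectancy (dollars per incident)
    mitigation: float  # fraction of incidents the solution blocks (0..1)
    cost: float        # annual cost of the solution (dollars)


def ale(inputs: RosiInputs) -> float:
    """Annual loss expectancy: ARO x SLE, the loss expected with no investment."""
    return inputs.aro * inputs.sle


def male(inputs: RosiInputs) -> float:
    """Modified ALE: the loss that remains after the solution blocks its share."""
    return ale(inputs) * (1.0 - inputs.mitigation)


def rosi(inputs: RosiInputs) -> float:
    """ROSI as a fraction: ((ALE - mALE) - cost) / cost. 1.533 means 153.3 percent."""
    if inputs.cost <= 0:
        raise ValueError("cost of solution must be positive")
    if not 0.0 <= inputs.mitigation <= 1.0:
        raise ValueError("mitigation must be a fraction between 0 and 1")
    savings = ale(inputs) - male(inputs)
    return (savings - inputs.cost) / inputs.cost


def breakeven_mitigation(inputs: RosiInputs) -> float:
    """Mitigation fraction at which ROSI is zero: avoided loss equals the cost."""
    return inputs.cost / ale(inputs)


def rosi_by_aro(inputs: RosiInputs, aro_values) -> dict:
    """ROSI recomputed for alternative ARO estimates, all other inputs unchanged."""
    return {aro: rosi(replace(inputs, aro=aro)) for aro in aro_values}


# Constructed from the article's worked scenario: 20 incidents/year, $10,000 each,
# 95 percent blocked, $75,000 annual cost.
EXAMPLE = RosiInputs(aro=20, sle=10_000, mitigation=0.95, cost=75_000)

if __name__ == "__main__":
    print(f"ALE ${ale(EXAMPLE):,.0f}, mALE ${male(EXAMPLE):,.0f}")
    print(f"ROSI {rosi(EXAMPLE) * 100:.1f}%")                   # 153.3%
    print(f"break-even mitigation {breakeven_mitigation(EXAMPLE):.1%}")
    for aro, r in rosi_by_aro(EXAMPLE, [5, 10, 20]).items():
        print(f"ARO {aro:>2}: ROSI {r * 100:.1f}%")
```

If the CISO's ARO estimate were 5 rather than 20, the same solution would show a negative return, which is why the article stresses the cost of miscalculation.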

The Role of Security Metrics

Another common method used to determine the effectiveness of security investments is security metrics. These metrics track controls within the security infrastructure, such as antivirus, intrusion prevention systems (IPS), firewalls, identity and access management (IAM), data loss prevention (DLP), security information and event management (SIEM), and more. The drawback is that security metrics are based on data collected over a long period of time. Therefore, the return on those security investments is influenced by past events and does not reflect advancements made to keep pace with emerging threats.

However, security metrics are crucial when it comes to calculating the ARO in the ROSI formula described above. When considering upgrading or implementing new solutions, these metrics allow security leaders to justify security investments in terms that executives can understand.
