2016
An Evaluation of
Investment Models
within Information
Security
A LITERATURE REVIEW
TODD E. NELSON
Page 1 of 10
Abstract
This research conducts a systematic review of the literature to address the pressing need of Information Security managers to build a persuasive business case when evaluating investments in Information Security. To date there is no consensus, in academia or among practitioners, on a "best practice" model or standard.
As a result, business managers rely on traditional financial models that translate poorly to Information Security, in part because of the function of security and the difficulty of assessing the probabilities of expected loss.
Consequently, when considering an investment in Information Security, managers may over- or under-invest, wasting corporate resources and potentially depressing the share price. To address this, we reviewed the literature and present four models that may serve the needs of the investing executive within the firm.
Introduction
Research on Information Security is abundant when it comes to technology (e.g. encryption, access controls). The same cannot be said about the financial or economic value of Information Security investments in organizations. Although the literature is growing, the traditional financial models that business managers use to make investment decisions, such as Net Present Value (NPV) or Internal Rate of Return (IRR), break down or do not translate easily when applied to Information Security (Schatz & Bashroush, 2016).
In general, managers look at the present value of future cash flows to decide whether an investment brings value to the organization and its shareholders. Investments in Information Security, however, rarely if ever produce positive cash flows; the result is a negative NPV and an IRR that is undefined or meaningless as a hurdle rate.
Indeed, the lack of a tangible return on investment follows from the function of Information Security: investments in security aim to reduce or mitigate the risk of an expected loss (cost) to valuable information within an organization. Security is at its best when nothing happens. Therefore, the more successful an Information Security strategy is, the more difficult it is to measure its tangible benefits (Schatz & Bashroush, 2016).
Moreover, most currently available models for investment decisions rely heavily on qualitative data or expert opinion, expressed on an ordinal scale, to subjectively estimate the expected loss from an attack and the probability of one occurring. Such methods open the door to cognitive bias and inevitably distort the findings.
The result is a lack of understanding among decision-makers of what adequate Information Security requires, leading to over- or under-investment within the organization, needlessly wasting scarce resources and potentially reducing the share price.
To address this issue, a survey of the available literature was conducted with the intent of providing guidance to business managers and Information Security practitioners alike by offering an overview of the latest research. While certainly not exhaustive, the following financial models attempt to provide a framework with which business managers can augment qualitative data with quantitative data and improve the decision-making process.
Research Method
While pursuing the objectives of this study, a systematic review of the literature was initiated through Google Scholar, EBSCO Host, ProQuest, Elsevier, ScienceDirect, Springer and IEEE Xplore. The chosen keywords were as follows:
Keywords: Information Security, Investment, Framework, Cybersecurity, Return on Security Investment, Return on Attack, Economics, InfoSec, Budget Constraints, Constrained Optimization, Investment Models, Return on Investment, Net Present Value, IRR
Filtering of the results was then applied. I restricted the results to work published between 2000 and 2016. The following evaluation criteria were then considered.
Benefits:
- Financial
- Non-Financial
Costs:
- Recurring
- Non-Recurring
- Variable
- Fixed
- Opportunity
- Sunk
Input:
- Qualitative
- Quantitative
Output:
- Qualitative
- Quantitative
Budget Type:
- Constrained
- Unconstrained
Investment Approach:
- One-Time Investment
- Split Investment
Research Findings
While the topic of investment strategies within Information Security has gained increasing attention in the last several years, there is as yet no agreed consensus on which method is best. Therefore, based on the literature, we look at several quantitative models currently available: the Gordon-Loeb model, the Sonnenreich model, the Cremonini-Martini model and the Bojanc, Jerman-Blažič and Tekavčič model.
Gordon-Loeb Model
In their seminal work, Gordon and Loeb, arguably the most recognized scholars in information security investment analysis, or more accurately information security economics, derive the optimal amount to invest in protecting a given information set against a vulnerability.
Their research shows that "for a given potential expected loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with mid-range vulnerabilities." (Gordon & Loeb, 2002)
The model is predicated on the following assumptions, where $z$ is the monetary investment in security, $v$ the information set's vulnerability (the probability of a breach given a threat when nothing is invested), $t$ the probability of a threat occurring, and $S(z, v)$ the security breach probability function after investing $z$:
"A1. $S(z, 0) = 0$ for all $z$. That is, if the information set is completely invulnerable then it will remain perfectly protected for any amount of information security investment, including a zero investment.
A2. For all $v$, $S(0, v) = v$. That is, if there is no investment in information security, the probability of a security breach, conditioned on the realization of a threat, is the information set's inherent vulnerability.
A3. For all $v \in (0, 1)$ and all $z$, $S_z(z, v) < 0$ and $S_{zz}(z, v) > 0$, where $S_z$ denotes the partial derivative with respect to $z$ and $S_{zz}$ denotes the partial derivative of $S_z$ with respect to $z$. That is, as the investment in security increases, the information is made more secure, but at a decreasing rate.
A4. For all $v \in (0, 1)$, $\lim_{z \to \infty} S(z, v) = 0$, so by investing sufficiently in security, the probability of a security breach, $t \cdot S(z, v)$, can be made arbitrarily close to zero." (Gordon & Loeb, 2002)
Therefore, to the extent that the above assumptions hold, the literature shows that the expected net benefit from an investment in information security (ENBIS) equals the reduction in expected loss attributable to the investment minus the cost of that investment (Gordon & Loeb, 2002). With $\lambda$ denoting the loss suffered if a breach occurs,
$$ENBIS(z) = [v - S(z, v)] \cdot t \cdot \lambda - z$$
That is to say, a rational firm should invest only up to the point where the marginal benefit equals the marginal cost, i.e. where $-S_z(z, v) \cdot t \cdot \lambda = 1$.
It further shows that, for "two broad classes of information security breach probability functions", the optimal investment never exceeds $1/e \approx 36.8\%$ (roughly 37%) of the expected loss that would be borne if nothing were invested in the particular security measure, i.e. $z^* \le (1/e) \cdot v \cdot t \cdot \lambda$ (Gordon & Loeb, 2002). This is an upper bound, not a prescribed spend: under the second class of functions, the optimal investment for a highly vulnerable information set can be zero, which is the origin of the "mid-range vulnerabilities" advice quoted above.
Finally, while the optimal level shown in the research does not exceed 37 percent, it needs to be noted that Gordon and Loeb derive this bound only for those two classes of breach probability functions. Whether the breach functions met in the "wild" fall into either class is an open question, and for other functions that satisfy A1 to A4 the optimal share of expected loss can be higher, so the bound should not be applied as a universal rule.
Furthermore, in order to draw their conclusions, Gordon and Loeb assume that fixed costs within Information Security equal zero. That assumption invites criticism, considering that fixed costs are defined as "expenses that remain (must be paid) unchanged as the volume of activity (productivity) changes" (Lanen, 2011).
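A numerical walk-through of the model summarised above, added here as an example and not taken from Gordon and Loeb's paper. It implements the two families of breach probability functions the paper analyses, $S(z,v) = v/(\alpha z + 1)^{\beta}$ and $S(z,v) = v^{\alpha z + 1}$, maximises $ENBIS(z)$ numerically for a constructed threat probability $t = 1$ and loss $\lambda = 1{,}000{,}000$ (written `L` in the code), and checks the two results discussed in the text: $z^*$ stays below $1/e$ of the expected loss $v t \lambda$, and under the second family a highly vulnerable information set ($v = 0.9$) receives no investment at all while mid-range ones do. The coefficient $\alpha = 10^{-5}$ per dollar and the vulnerability levels swept are assumptions.

```python
"""Gordon-Loeb optimal security investment, worked numerically.

Added example (not from the paper). Symbols follow the text: z investment,
v vulnerability, t threat probability, L loss if a breach occurs (lambda in
the paper), S(z, v) breach probability after investing z.
"""
import math

ONE_OVER_E = 1 / math.e  # the ~36.8% bound on z* / (v * t * L)


def s_class1(z, v, alpha=1e-5, beta=1.0):
    """Class I breach function: S(z, v) = v / (alpha*z + 1)**beta."""
    return v / (alpha * z + 1) ** beta


def s_class2(z, v, alpha=1e-5):
    """Class II breach function: S(z, v) = v**(alpha*z + 1)."""
    return v ** (alpha * z + 1)


def enbis(z, v, t, L, S):
    """Expected net benefit from investing z: reduction in expected loss,
    (v - S(z, v)) * t * L, minus the cost of the investment itself."""
    return (v - S(z, v)) * t * L - z


def optimal_investment(v, t, L, S, tol=0.5):
    """Maximise ENBIS over 0 <= z <= v*t*L by golden-section search.
    Under A3 S is convex in z, so ENBIS is concave and unimodal; nobody
    rationally spends more than the expected loss v*t*L, hence the bracket."""
    phi = (math.sqrt(5) - 1) / 2
    lo, hi = 0.0, v * t * L
    a, b = hi - phi * (hi - lo), lo + phi * (hi - lo)
    fa, fb = enbis(a, v, t, L, S), enbis(b, v, t, L, S)
    while hi - lo > tol:
        if fa > fb:                       # maximum lies in [lo, b]
            hi, b, fb = b, a, fa
            a = hi - phi * (hi - lo)
            fa = enbis(a, v, t, L, S)
        else:                             # maximum lies in [a, hi]
            lo, a, fa = a, b, fb
            b = lo + phi * (hi - lo)
            fb = enbis(b, v, t, L, S)
    z = (lo + hi) / 2
    # Corner solution: if the best z does not beat doing nothing, z* = 0.
    return z if enbis(z, v, t, L, S) > 0 else 0.0


def optimal_investment_class2(v, t, L, alpha=1e-5):
    """Closed form for class II from the first-order condition
    -S_z(z, v) * t * L = 1, i.e. v**(alpha*z + 1) = 1 / (alpha*t*L*ln(1/v))."""
    k = 1 / (alpha * t * L * math.log(1 / v))
    if k >= v:  # marginal benefit at z = 0 is already below marginal cost
        return 0.0
    return (math.log(k) / math.log(v) - 1) / alpha


def investment_share(v, t, L, S):
    """z* as a fraction of the expected loss with no investment, v*t*L."""
    return optimal_investment(v, t, L, S) / (v * t * L)


def sweep(t, L, S, vs):
    """Optimal z* for each vulnerability level in vs (the mid-range effect)."""
    return {v: optimal_investment(v, t, L, S) for v in vs}


if __name__ == "__main__":
    t, L = 1.0, 1_000_000  # constructed: threat certain, 1M loss on breach
    for v, z in sweep(t, L, s_class2, [0.3, 0.5, 0.7, 0.8, 0.9]).items():
        print(f"v={v:.1f}  z*={z:>10,.0f}  z*/(vtL)={z / (v * t * L):.3f}")
```

Running the sweep shows the optimal spend rising from $v = 0.3$ to about $v = 0.75$ and then collapsing to zero by $v = 0.9$: the expected loss keeps growing with $v$, but under the class II function the marginal dollar buys too little risk reduction on a nearly-certain breach to be worth spending. The closed form is included so the search can be checked against an exact answer for one of the two classes.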
Sonnenreich Model
In 2006, writing in the Journal of Research and Practice in Information Technology, Sonnenreich, Albanese and Stout presented the SecureMark system, better known as Return on Security Investment (ROSI). In their research the authors describe the model mathematically as follows (Sonnenreich, 2006):
$$ROSI = \frac{(\text{Risk Exposure} \times \%\,\text{Risk Mitigated}) - \text{Solution Cost}}{\text{Solution Cost}}$$
As stated earlier, measuring expected return within Information Security is difficult at best and glorified guesswork at worst. ROSI addresses this by replacing the Expected Return of a classic Return on Investment (ROI) calculation with (Risk Exposure × Risk Mitigated). To quantify risk exposure, the model uses "Annual Loss Exposure (ALE) which multiplies the projected cost of a security incident (Single Loss Exposure – SLE) with its estimated annual rate of occurrence (ARO)." (Sonnenreich, 2006)
$$\text{Risk Exposure} = ALE = SLE \times ARO$$
Measuring risk exposure, while simple in mathematical terms, becomes extremely difficult in practice, for many reasons: differing accounting methods, varying measurements of data loss across industries, and miscalculation of items such as downtime and opportunity cost are a few examples. Ideally, actuarial data would be used to measure risk exposure. Unfortunately, with respect to Information Security, such data is in its early stages and does not yet have much veracity behind it.
Quantifying risk mitigated is no less precarious than measuring risk exposure. As stated earlier, Information Security is at its best when nothing occurs, so how does one measure a loss that was prevented? For example, "a company's intrusion detection system might show that there were 10 successful break-ins last year, but only five this year. Was it due to the new security device the company bought, or was it because five less hackers attacked the network?" (Sonnenreich, 2006)
As we have seen, while the model attempts to quantify the return on an Information Security investment, differing corporate structures make it hard to standardize, or reach consensus on, the model's inputs and outcomes. Moreover, should an organization spread its security investment over a period of time, the ROSI model ignores the time value of money, and it also disregards opportunity cost and real options. All three can affect the bottom line.
Cremonini and Martini Model
As a derivative of Return on Investment (ROI), the Cremonini and Martini model argues that while ROI lets a manager assess whether a particular investment yields a positive return, ROI as a criterion alone does not allow one to compare two mutually exclusive projects that both yield a positive ROI. In part this is because ROI fails to measure the "disadvantages that differing security measures provide to the attackers"; that is, ROI alone cannot capture the relative efficacy of the two security measures being compared (Cremonini & Martini, 2005).
To address this, and to capture a security measure's efficacy, Cremonini and Martini introduced Return on Attack (ROA). ROA is an "index which reflects the average and supposed impact of a security solution on an attacker's behavior." Its goal is to improve upon the commonly used ROI measure by identifying, through ROA, the security measure that most discourages the attacker from initiating an attack (Cremonini & Martini, 2005).
Return on Attack is stated mathematically as follows, where $S$ is the security measure under evaluation (Cremonini & Martini, 2005):
$$ROA = \frac{\text{gain from successful attack}}{\text{cost before } S + \text{loss caused by } S}$$
The denominator is the attacker's side of the ledger: the effort the attack already costs, plus the extra cost the measure imposes. The measure with the lowest ROA is the one that most discourages the attacker.
An additional benefit of ROA, as noted in the literature, is its ability to quantify "modifications in the environment": how the ROI of a given security solution calculated at time $T$ changes as the environment changes at a later time $T_1$. The ROI of a given investment changes with the passage of time and with environmental alterations, but ROI as a metric cannot capture these changes and assumes a constant relationship (Cremonini & Martini, 2005).
Therefore, an investment's value to the organization can change over time, to the point that it is no longer an attractive proposition. Traditional financial models fail to recognise these shifts, leading to miscalculations when deciding on a project investment. Despite the value it adds, however, ROA as a metric does have drawbacks.
These include a lack of consideration for investments made over time. That is, while ROA may capture depreciation in the efficacy of a security measure over time, no consideration is given to an investment approach that is spread over time such that the time value of money is recognised. Additionally, as with the other models, no mention is made of budget constraints, so the model can be taken to assume an unconstrained budget, at best an impractical assumption for a typical organization.
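The ROSI and ROA calculations from the two preceding sections, worked on one constructed scenario; this is an added example, not code from Sonnenreich et al. or Cremonini and Martini. The single loss exposure, rate of occurrence, control costs, mitigation percentages and the attacker-side figures (gain, cost before the measure, cost each measure adds) are all invented for illustration. Two controls are given identical ROSI on purpose, so that the page's point shows: ROSI cannot rank them, ROA can. The `break_even_aro` and `rosi_sensitivity` helpers are added to make the "glorified guesswork" caveat concrete, by showing how far ROSI moves when the estimated ARO moves.

```python
"""ROSI (Sonnenreich et al.) and ROA (Cremonini and Martini) side by side.

Added example; every figure below is constructed for illustration.
"""


def annual_loss_expectancy(sle, aro):
    """Risk exposure: ALE = SLE * ARO."""
    return sle * aro


def rosi(risk_exposure, risk_mitigated, solution_cost):
    """ROSI = ((risk exposure * fraction of risk mitigated) - cost) / cost."""
    return (risk_exposure * risk_mitigated - solution_cost) / solution_cost


def break_even_aro(sle, risk_mitigated, solution_cost):
    """Annual rate of occurrence at which ROSI is exactly zero.
    Below this rate the control costs more than the loss it prevents."""
    return solution_cost / (sle * risk_mitigated)


def rosi_sensitivity(sle, risk_mitigated, solution_cost, aro_estimates):
    """ROSI for each candidate ARO estimate: how far the answer moves when
    the (usually guessed) rate of occurrence moves."""
    return {aro: rosi(annual_loss_expectancy(sle, aro), risk_mitigated, solution_cost)
            for aro in aro_estimates}


def roa(attack_gain, attack_cost_before, loss_caused_by_measure):
    """ROA = gain from a successful attack / (attacker's cost before the
    measure S + the extra cost, i.e. loss, that S imposes on the attacker)."""
    return attack_gain / (attack_cost_before + loss_caused_by_measure)


def rank_by_roa(measures, attack_gain, attack_cost_before):
    """Measures ordered from most to least discouraging for the attacker,
    i.e. by ascending ROA. `measures` maps a name to the loss it imposes."""
    return sorted(measures, key=lambda m: roa(attack_gain, attack_cost_before, measures[m]))


# Constructed scenario: one credential-phishing incident costs 250k (SLE);
# the analyst's point estimate is 0.4 incidents per year (ARO).
SLE, ARO = 250_000, 0.4
# Two candidate controls, each costing 30k and each credited with
# mitigating 60% of the exposure, so ROSI cannot tell them apart.
CONTROLS = {"A (awareness training)": 30_000, "B (phishing-resistant MFA)": 30_000}
MITIGATED = 0.6
# Attacker's side (constructed): 80k gain on success, 8k cost today,
# and the extra effort each control forces on the attacker.
ATTACK_GAIN, ATTACK_COST_BEFORE = 80_000, 8_000
LOSS_CAUSED = {"A (awareness training)": 2_000, "B (phishing-resistant MFA)": 32_000}


def compare():
    """All figures a manager would put on one slide for this scenario."""
    ale = annual_loss_expectancy(SLE, ARO)
    return {
        "ALE": ale,
        "ROSI": {name: rosi(ale, MITIGATED, cost) for name, cost in CONTROLS.items()},
        "break_even_ARO": break_even_aro(SLE, MITIGATED, 30_000),
        "ROSI_by_ARO": rosi_sensitivity(SLE, MITIGATED, 30_000, [0.1, 0.4, 1.0]),
        "ROA": {name: roa(ATTACK_GAIN, ATTACK_COST_BEFORE, l) for name, l in LOSS_CAUSED.items()},
        "most_discouraging": rank_by_roa(LOSS_CAUSED, ATTACK_GAIN, ATTACK_COST_BEFORE)[0],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the point estimate, both controls show ROSI = 1.0, yet the same control shows ROSI = −0.5 if the true ARO is 0.1 and ROSI = 4.0 if it is 1.0; the break-even ARO of 0.2 is the number worth defending in front of the board, since everything else in the calculation hangs on it. ROA, by contrast, separates the two controls (8.0 against 2.0) because it asks what each one costs the attacker rather than what it saves the defender.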
Bojanc, Jerman-Blažič and Tekavčič Model
The Bojanc, Jerman-Blažič and Tekavčič model appears in two journal articles, both published in November 2012. Its outputs are expressed as Return on Investment (ROI), Net Present Value (NPV) and Internal Rate of Return (IRR), all of which should be readily understood by a business manager, shortening the time taken to reach an investment decision. While focusing on the quantification of security risks, the model also seeks "to find an optimal level and selection of the security technology investment." (Bojanc & Jerman-Blažič, 2012)
With considerably more inputs, the model is intended to serve as a procedure, a "guideline", leading the organization from initial inputs to a final recommendation. It begins by quantifying the risk assessment, where the goal is to "determine and evaluate every vulnerability as based on business processes, supported by information assets." (Bojanc & Jerman-Blažič, 2012)
The risk assessment is defined as follows, where the model attempts to quantify the relationships between risk, vulnerabilities, threats and security measures for every information asset that is part of the business process defined above (Bojanc, Jerman-Blažič & Tekavčič, 2012, pp. 1031-1052):
$$R = T \cdot v^{\alpha_p C_p + 1} \cdot \left[ L_1 \, t_{r0} \, e^{-\alpha_c C_c} + L_2 \, t_{d0} \, e^{-\alpha_d C_d} + L_3 - I \right]$$
Here $T$, $v$ and $L$ keep the meaning of threat, vulnerability and loss used for the earlier models; $C_p$, $C_c$ and $C_d$ are the amounts invested in the three classes of security measure the model distinguishes (as the subscripts suggest, preventive, corrective and detective), with $\alpha_p$, $\alpha_c$ and $\alpha_d$ the effectiveness of each. The bracketed term is the loss per incident: $t_{r0}$ and $t_{d0}$ are the recovery and detection times with no such spend, reduced exponentially by corrective and detective investment and valued at $L_1$ and $L_2$ per unit of time, $L_3$ collects the remaining loss components and $I$ offsets any insurance payout. Note that $v^{\alpha_p C_p + 1} = v \cdot v^{\alpha_p C_p}$: preventive spend scales the inherent vulnerability down, mirroring the breach probability function of Gordon and Loeb.
Next, the model seeks to determine the optimal amount an organization should invest to secure its information assets. In doing so it combines the uncertainty surrounding the organization's threats and vulnerabilities, the consequences of an attack and the efficiency of the measures currently in place. The objective is to invest in information security up to the point where the marginal benefit equals the marginal cost, that is, where the benefit of an additional unit of security equals the cost of that additional unit (Bojanc, Jerman-Blažič & Tekavčič, 2012).
The model then conducts a cost/benefit analysis. As with the previous models, the costs are fairly straightforward to calculate, whereas the organizational benefits can prove rather difficult. The benefit gained from the investment is nonetheless quantified as follows (Bojanc, Jerman-Blažič & Tekavčič, 2012):
$$B = R_0 - R(C) - \delta + \mu$$
where $R_0$ is the security risk prior to the security measure, $R(C)$ the risk after the measure is implemented, $\delta$ the negative consequences brought about by the measure, for example a loss of some user functionality, downtime or a loss of productivity in general, and $\mu$ the indirect positive effects of the measure (Bojanc, Jerman-Blažič & Tekavčič, 2012).
To close, the model addresses the economic value produced by the investment in the particular security measure. As mentioned earlier in this section, the Bojanc, Jerman-Blažič and Tekavčič model allows comparison across the three traditional business metrics used when assessing the worth of an investment: Net Present Value (NPV), Return on Investment (ROI) and Internal Rate of Return (IRR).
When evaluating mutually exclusive projects, the literature advises basing the determination on the organizational scenario while evaluating all three metrics, in part because the different metrics can point to different optimal solutions. For example, if a manager is attempting to determine the value of an investment over time, NPV is the recommended criterion because it accounts for the time value of money (Bojanc, Jerman-Blažič & Tekavčič, 2012).
The preferred choice is the investment that produces the highest NPV, ROI and IRR. Frequently, however, the three metrics disagree: in a given analysis ROI may point to one investment while NPV and IRR point to others. In these cases the literature directs the reader to conduct a comparative analysis. The formula for a comparative analysis on ROI, for the case of a purely preventive investment $C_p$, is as follows; the formulas for NPV and IRR are similar (Bojanc & Jerman-Blažič, 2012):
$$ROI = \frac{T \cdot v \, (1 - v^{\alpha_p C_p}) \cdot L - \delta + \mu - C_p}{C_p}$$
The numerator is the benefit $B$ of the previous formula less the spend: $T \cdot v \cdot L$ is the risk with no investment and $T \cdot v \cdot v^{\alpha_p C_p} \cdot L$ the residual risk once $C_p$ has been spent, so their difference is $R_0 - R(C)$, adjusted for the side effects $\delta$ and $\mu$.
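A worked computation of the model as summarised above, added here as an example and not taken from the papers. The risk function is implemented as written on the page; the reading of its symbols (threat frequency per year, vulnerability, spend on preventive, corrective and detective measures, baseline recovery and detection times, loss per unit time, other loss, insurance) is an assumption, and every parameter value, the two candidate investments with their $\delta$ and $\mu$, the five-year horizon and the 10% discount rate are constructed. It shows the disagreement the text describes: ROI and IRR favour the smaller investment, NPV the larger one, and a single-year ROI would reject both.

```python
"""Bojanc, Jerman-Blazic and Tekavcic model, worked through for two
candidate investments. Added example; all parameter values are constructed."""
import math

# Constructed asset parameters. Symbol reading is an assumption (see text):
# T threats/year, v vulnerability, alpha_* effectiveness of preventive (p),
# corrective (c) and detective (d) spend, t_r0/t_d0 baseline recovery and
# detection times in hours, L1/L2 loss per hour of each, L3 other loss per
# incident, I insurance payout per incident.
ASSET = dict(T=10, v=0.5, alpha_p=2e-6, alpha_c=2e-6, alpha_d=2e-6,
             L1=2_000, t_r0=48, L2=1_000, t_d0=24, L3=30_000, I=0)


def risk(p, C_p=0.0, C_c=0.0, C_d=0.0):
    """Annual risk R = T * v**(alpha_p*C_p + 1)
         * [L1*t_r0*exp(-alpha_c*C_c) + L2*t_d0*exp(-alpha_d*C_d) + L3 - I]."""
    breach = p["v"] ** (p["alpha_p"] * C_p + 1)
    loss = (p["L1"] * p["t_r0"] * math.exp(-p["alpha_c"] * C_c)
            + p["L2"] * p["t_d0"] * math.exp(-p["alpha_d"] * C_d)
            + p["L3"] - p["I"])
    return p["T"] * breach * loss


def benefit(p, C_p, C_c, C_d, delta, mu):
    """Annual benefit B = R0 - R(C) - delta + mu."""
    return risk(p) - risk(p, C_p, C_c, C_d) - delta + mu


def roi(cost, annual_benefit, years):
    """Undiscounted ROI over the horizon; years=1 is the page's ROI formula."""
    return (years * annual_benefit - cost) / cost


def npv(cost, annual_benefit, years, rate):
    """One-time cost now, a level annual benefit at the end of each year."""
    return -cost + sum(annual_benefit / (1 + rate) ** k for k in range(1, years + 1))


def irr(cost, annual_benefit, years, lo=0.0, hi=10.0):
    """Rate at which NPV is zero, by bisection (NPV falls as the rate rises)."""
    for _ in range(200):
        mid = (lo + hi) / 2
        if npv(cost, annual_benefit, years, mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def build_options(p):
    """Two mutually exclusive preventive investments (constructed):
    A: 500k spend with light user friction; B: 1M spend, heavier friction."""
    return {
        "A": (500_000, benefit(p, 500_000, 0, 0, delta=20_000, mu=5_000)),
        "B": (1_000_000, benefit(p, 1_000_000, 0, 0, delta=45_000, mu=5_000)),
    }


def rank(options, years, rate):
    """Name of the option each metric prefers."""
    metrics = {
        "ROI": lambda c, b: roi(c, b, years),
        "NPV": lambda c, b: npv(c, b, years, rate),
        "IRR": lambda c, b: irr(c, b, years),
    }
    return {m: max(options, key=lambda n: f(*options[n])) for m, f in metrics.items()}


if __name__ == "__main__":
    opts = build_options(ASSET)
    for name, (c, b) in opts.items():
        print(f"{name}: cost={c:,.0f} benefit/yr={b:,.0f} ROI(1y)={roi(c, b, 1):.2f} "
              f"ROI(5y)={roi(c, b, 5):.2f} NPV(5y,10%)={npv(c, b, 5, 0.10):,.0f} "
              f"IRR={irr(c, b, 5):.1%}")
    print(rank(opts, years=5, rate=0.10))
```

With these inputs the asset carries 750k of annual risk untreated; option A cuts it to 375k and option B to 187.5k. Over five years ROI (2.6 against 1.6) and IRR (about 66% against 44%) both favour A, while NPV at 10% favours B (about 981k against 865k) because B's larger absolute reduction outweighs its lower return per dollar. A one-year ROI is negative for both, which is the case the text warns about: judged on a single period, neither investment would be made.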
Summary of Findings
Evaluation Criteria        Gordon-Loeb   Sonnenreich   Cremonini   Bojanc
Costs:
  - Fixed                       x             ✔            ✔          ✔
  - Variable                    ✔             ✔            ✔          ✔
  - Opportunity                 x             x            x          x
  - Sunk                        x             ✔            x          x
  - Recurring                   x             x            x          x
  - Non-Recurring               ✔             ✔            ✔          ✔
Benefits:
  - Financial                   ✔             ✔            ✔          ✔
  - Non-Financial               x             x            x          ✔
Inputs:
  - Quantitative                ✔             ✔            ✔          ✔
  - Qualitative                 x             x            x          ✔
Outputs:
  - Quantitative                ✔             ✔            ✔          ✔
  - Qualitative                 x             x            x          x
Budget Type:
  - Constrained                 x             x            x          x
  - Unconstrained               ✔             ✔            ✔          ✔
Investment Approach:
  - One-Time Investment         ✔             ✔            ✔          ✔
  - Split Investment            x             x            x          ✔
Conclusions
In conclusion, my research conducted a systematic review of the literature to address the question of which financial analysis business managers should use when considering an investment in Information Security. While not exhaustive, it shows that there is as yet no consensus in academia on a standardized methodology for making investment decisions with respect to Information Security.
The function of security, which is to mitigate loss exposure, together with the difficulty of accurately assessing the probabilities of loss, leads to the breakdown of the traditional financial formulas used in business investment decision-making. My research shows four models that can begin to address the needs of the business manager.
While the research was not exhaustive, limited in part by search constraints and scope, the evaluation criteria were chosen to give a broad sense of the models currently proposed in the available literature. Each model certainly has its own weaknesses: for example, only one takes the attacker's point of view into consideration, and most consider only a static, one-time investment.
However, I was unable to find anything that precludes a decision-maker from extracting parts of one model to include in another. That is to say, if a business manager needs to invest over time, NPV may be an appropriate measure, but they may also wish to add ROA to it to further refine the decision.
Future research into the topic should expand this initial body of evidence while seeking to understand the contribution of other domains, such as Game Theory, to how Return on Attack (ROA) may help future InfoSec managers with investment analysis.
References
Bojanc, R., & Jerman-Blažič, B. (2012). Quantitative Model for Economic Analyses of Information Security Investment in an Enterprise Information System. Organizacija, 45(6).
Bojanc, R., Jerman-Blažič, B., & Tekavčič, M. (2012). Managing the Investment in Information Security Technology by Use of a Quantitative Modeling. Information Processing & Management, 48(6), 1031-1052.
Cremonini, M., & Martini, P. (2005). Evaluating Information Security Investments from Attackers' Perspective: The Return-On-Attack (ROA). Proceedings of the Fourth Workshop on the Economics of Information Security (WEIS 2005).
Gordon, L. A., & Loeb, M. P. (2002). The Economics of Information Security Investment. ACM Transactions on Information and System Security, 5(4), 438-457.
Lanen, W. N., Anderson, S. W., & Maher, M. W. (2011). Fundamentals of Cost Accounting. McGraw-Hill.
Pandey (2015). "Context, Content, Process" Approach to Align Information Security Investments with Overall Organizational Strategy. International Journal of Security, Privacy and Trust Management, 25-38.
Schatz, D., & Bashroush, R. (2016). Economic Valuation for Information Security Investment: A Systematic Literature Review. Information Systems Frontiers, 1-24.
Sonnenreich, W., Albanese, J., & Stout, B. (2006). Return on Security Investment (ROSI): A Practical Quantitative Model. Journal of Research and Practice in Information Technology, 38(1), 45-56.
 

Recently uploaded (20)

History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Blooming Together_ Growing a Community Garden Worksheet.docx
Blooming Together_ Growing a Community Garden Worksheet.docxBlooming Together_ Growing a Community Garden Worksheet.docx
Blooming Together_ Growing a Community Garden Worksheet.docx
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdf
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developer
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application )
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdf
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 

An Evaluation of Investment Models within Information Security

2016

A LITERATURE REVIEW

TODD E. NELSON

Abstract

This research conducts a systematic review of the literature to address the pressing need of Information Security Managers to create a persuasive business case when evaluating investments within Information Security. To date, there is yet to be a consensus within academia, and among practitioners, on a "best practice" model or standard.

As such, business managers find themselves relying upon traditional financial models that fail to translate to Information Security due, in part, to the function of security and the difficulty in assessing the probabilities of expected loss.

Given this, when considering investing within Information Security, managers may over- or under-invest, leading to wastefulness of corporate resources and potentially a drop in share price. To address this, we reviewed the literature to show four models that may help to serve the needs of the investing executive within the firm.

Introduction

Research is abundant, with respect to Information Security, when it comes to technology (i.e., encryption, access controls, etc.). However, the same cannot be said about the financial or economic value of investments within Information Security in organizations. Although the literature is increasing, traditional financial models utilized by business managers to make investment decisions, such as Net Present Value or IRR, break down or do not easily translate when applied to Information Security. (Bashroush, 2016)

In a general sense, managers look at the present value of future cash flows to determine if an investment brings value to the organization and shareholders. However, investment decisions within Information Security rarely, if ever, provide positive cash flows, resulting in a negative NPV or a grotesque hurdle rate (IRR).

Indeed, the lack of a tangible return on investment is due to the function of Information Security. That is, investments in security aim to reduce or mitigate the risk of an expected loss (costs) to valuable information within an organization. Security is at its best when nothing happens. Therefore, the more successful an Information Security strategy is, the more difficult it is to measure the tangible benefits. (Bashroush, 2016)

Moreover, most currently available models addressing investment decisions rely heavily on qualitative data, or expert opinion, within an ordinal scale to subjectively discern the expected loss of an attack and the uncertainty or probability of one occurring. Such methods open the door to cognitive bias and therefore inevitably distort the intended findings.
The result is a lack of understanding by most decision-makers when it comes to adequate Information Security, leading to over- or under-investment within the organization, needlessly wasting constrained, scarce resources, which could result in a reduced share price.

To address this issue, a survey of the available literature was conducted with the intent to provide guidance to both business managers and Information Security practitioners alike, by offering an overview of the latest research. While certainly not exhaustive, the following financial models attempt to provide a framework with which business managers can augment qualitative data with quantitative data to improve upon the decision-making process.

Research Method

While pursuing the objectives of this study, a systematic review of the given literature was initiated through Google Scholar, EBSCO Host, ProQuest, Elsevier, Science Direct, Springer and IEEE Xplore. The chosen keywords were as follows:

Keywords: Information Security, Investment, Framework, Cybersecurity, Return on Security Investment, Return on Attack, Economics, InfoSec, Budget Constraints, Constrained Optimization, Investment Models, Return on Investment, Net Present Value, IRR

Filtering of the results was then applied. I restricted the results of the research from 2000 to 2016. The following evaluation criteria were then considered:

Benefits:
- Financial
- Non-Financial

Costs:
- Recurring
- Non-Recurring
- Variable
- Fixed
- Opportunity
- Sunk

Input:
- Qualitative
- Quantitative

Output:
- Qualitative
- Quantitative

Budget Type:
- Constrained
- Unconstrained

Investment Approach:
- One Time Investment
- Split Investment

Research Findings

While the topic of investment strategies within Information Security has gained increasing attention within the last several years, there is yet to be an agreed-upon consensus concerning which method is best. Therefore, based on the literature, we look at several different quantitative models currently available. Those models include: the Gordon-Loeb Model, the Sonnenreich Model, the Cremonini Model and the Bojanc, Blazic and Tekavcic Model.
Gordon-Loeb Model

In their seminal work, Gordon and Loeb, arguably the most recognized scholars with respect to information security investment analysis, or more accurately, information security economics, determine the optimal amount to invest in a security measure to mitigate a vulnerability. Their research shows that "for a given potential expected loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with mid-range vulnerabilities." (Loeb, 2002)

The model is predicated on the following assumptions, where z is the investment in information security, v is the inherent vulnerability of the information set and S(z, v) is the probability of a breach once a threat is realized:

"A1. $S(z, 0) = 0$ for all z. That is, if the information set is completely invulnerable then it will remain perfectly protected for any amount of information security investment, including a zero investment.

A2. For all v, $S(0, v) = v$. That is, if there is no investment in information security, the probability of a security breach, conditioned on the realization of a threat, is the information set's inherent vulnerability.

A3. For all $v \in (0, 1)$ and all z, $S_z(z, v) < 0$ and $S_{zz}(z, v) > 0$, where $S_z$ denotes the partial derivative with respect to z and $S_{zz}$ denotes the partial derivative of $S_z$ with respect to z. That is, as the investment in security increases, the information is made more secure, but at a decreasing rate.

A4. For all $v \in (0, 1)$, $\lim_{z \to \infty} S(z, v) = 0$, so by investing sufficiently in security, the probability of a security breach, t times S(z, v), can be made arbitrarily close to zero." (Loeb, 2002)

Therefore, to the extent that the above assumptions are accurate, the literature shows that the "expected net benefit is equal to the expected benefit minus the cost of investment reduction in expected loss due to security." (Loeb, 2002) That is to say, a rational investor should only invest up to the point where the marginal benefit equals the marginal cost.

It further goes on to show that when vulnerabilities are factored in, the maximum or optimal amount that should be spent equals 37% of the expected loss that would be present should one not invest in the particular security measure, given "two broad classes of information security breach probability functions." (Loeb, 2002)

Finally, while the optimum level shown in the research should not exceed 37 percent, it needs to be noted that the Gordon-Loeb model predicates its findings upon the assumption that only two probability distributions exist. Given this, the model begs the question of whether or not more than two probability distributions exist in nature and, therefore, whether it efficiently models the level of security needed in the "wild."
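To make the 37% figure concrete, here is an added worked example; it is not part of the review and not code from Gordon and Loeb. It takes the two breach-probability function classes defined in Gordon and Loeb (2002), $S_I(z, v) = v/(\alpha z + 1)^\beta$ and $S_{II}(z, v) = v^{\alpha z + 1}$ (reproduced here from that paper, not from the review), maximises the expected net benefit $(v - S(z, v)) \cdot L - z$ numerically and checks that the optimal spend never exceeds $1/e \approx 36.8\%$ of the uninvested expected loss $v \cdot L$. It goes a step beyond the text by also tabulating the optimum across vulnerability levels, which is where the "mid-range vulnerabilities" finding shows up. The loss figure L, the parameters $\alpha$ and $\beta$, and the golden-section search are assumptions of this example.

```python
import math

# Gordon and Loeb (2002) bound: optimal spending never exceeds 1/e (~36.8%, the
# "37%" quoted above) of the expected loss v*L carried by an uninvested
# information set.
E_INV = 1 / math.e


def breach_class_i(z, v, alpha=1.0, beta=1.0):
    """Class I breach-probability function: S(z, v) = v / (alpha*z + 1)**beta.
    Satisfies A1-A4: S(z,0)=0, S(0,v)=v, decreasing and convex in z, -> 0 as z -> inf."""
    return v / (alpha * z + 1) ** beta


def breach_class_ii(z, v, alpha=1.0):
    """Class II breach-probability function: S(z, v) = v**(alpha*z + 1)."""
    return v ** (alpha * z + 1)


def enbis(z, v, L, S):
    """Expected net benefit of an investment z: the reduction in expected loss,
    (v - S(z, v)) * L, minus the money spent. L is the expected loss if a breach
    occurs, so v * L is the expected loss with no investment at all."""
    return (v - S(z, v)) * L - z


def optimal_investment(v, L, S, tol=1e-9):
    """Maximise enbis over z >= 0 with a golden-section search.

    Under A3 enbis is concave in z, so it has one maximum, and spending more than
    the whole expected loss v*L can never pay off, so [0, v*L] brackets it."""
    lo, hi = 0.0, v * L
    phi = (math.sqrt(5) - 1) / 2
    while hi - lo > tol:
        c = hi - phi * (hi - lo)
        d = lo + phi * (hi - lo)
        if enbis(c, v, L, S) > enbis(d, v, L, S):
            hi = d
        else:
            lo = c
    z = (lo + hi) / 2
    # If not investing at all is at least as good, the optimum is the corner z = 0.
    return z if enbis(z, v, L, S) > enbis(0.0, v, L, S) else 0.0


def closed_form_class_i(v, L, alpha=1.0, beta=1.0):
    """Analytic optimum for class I (first-order condition -S_z * L = 1), used as
    a cross-check on the numeric search."""
    z = ((v * alpha * beta * L) ** (1 / (beta + 1)) - 1) / alpha
    return max(z, 0.0)


def ratio_to_expected_loss(v, L, S):
    """Optimal investment as a fraction of the uninvested expected loss v*L."""
    return optimal_investment(v, L, S) / (v * L)


def max_ratio_over_v(L, S, steps=99):
    """Sweep vulnerability v across (0, 1) and return the largest fraction of the
    expected loss it is ever optimal to spend; compare with E_INV."""
    return max(ratio_to_expected_loss(k / (steps + 1), L, S) for k in range(1, steps + 1))


def investment_profile(L, S, vs=(0.1, 0.3, 0.5, 0.7, 0.9)):
    """Optimal investment at several vulnerability levels. For class II this shows
    the mid-range result: spending rises with v, then drops back to zero because
    a nearly-certain breach is too expensive to buy down."""
    return {v: optimal_investment(v, L, S) for v in vs}


if __name__ == "__main__":
    # Constructed input: expected loss given breach L = 10 (any currency unit).
    for name, S in (("class I", breach_class_i), ("class II", breach_class_ii)):
        print(name, "max z*/(vL) over v:", round(max_ratio_over_v(10, S), 4),
              "| bound 1/e =", round(E_INV, 4))
        print(name, "z* by vulnerability:",
              {v: round(z, 3) for v, z in investment_profile(10, S).items()})
```

The ratio reaches exactly $1/e$ for the class II function only when $-v \alpha L \ln v = e$; for every other input it stays below, which is the bound the review quotes as 37%.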
Furthermore, in order to draw their conclusions, Gordon and Loeb assumed that fixed cost within Information Security equals zero. An assumption that invites criticism, considering that fixed costs can be defined as "expenses that remain (must be paid) unchanged as the volume of activity (productivity) changes." (Lanen, 2011)

Sonnenreich Model

In 2005, writing in the Journal of Research and Practice in Information Technology, Sonnenreich, Albanese and Stout produced a model called the SecureMark system, better known as the Return on Security Investment (ROSI). In their research, the authors describe the model mathematically as follows: (Sonnenreich, 2006)

$$ROSI = \frac{(Risk\ Exposure \times Risk\ Mitigated) - Solution\ Cost}{Solution\ Cost}$$

As stated earlier, measuring expected return within Information Security is difficult at best or glorified guesswork at worst. The ROSI model seeks to address this by replacing Expected Returns, within a classic Return on Investment (ROI) calculation, with (Risk Exposure × Risk Mitigated) within ROSI. To quantify risk exposure, the model looks at "Annual Loss Exposure (ALE) which multiplies the projected cost of a security incident (Single Loss Exposure – SLE) with its estimated annual rate of occurrence (ARO)." (Sonnenreich, 2006)

$$Risk\ Exposure = ALE = SLE \times ARO$$

Measuring risk exposure, while relatively simple in mathematical terms, becomes extremely difficult in practice. The reasons for this are many; differing accounting methods, varying measurements of data loss within different industries and miscalculations of data such as downtime and opportunity costs are a few examples. Ideally, actuarial data should be used to measure risk exposure. Unfortunately, with respect to Information Security, this data is in its early stages and does not have a lot of veracity behind it.

Quantifying risk mitigated is no less precarious than measuring risk exposure above. As stated earlier, Information Security is at its best when nothing occurs. As such, how do you measure a loss that is prevented? For example, "a company's intrusion detection system might show that there were 10 successful break-ins last year, but only five this year. Was it due to the new security device the company bought, or was it because five less hackers attacked the network?" (Sonnenreich, 2006)

As we have seen, while the model attempts to quantify the return on an investment in Information Security, differing organizational corporate structures pose problems in standardizing, or arriving at a consensus on, the model's outcomes. Moreover, should an organization make investments in security over a given time frame, the ROSI model ignores the time value of money, while also disregarding opportunity cost and real options, all three of which can impact a bottom line.

Cremonini and Martini Model

As a derivative of Return on Investment (ROI), the Cremonini Model argues that while ROI allows a prospective manager to assess whether or not a particular investment will yield a positive return, return on investment as a criterion alone does not allow one to accurately compare two mutually exclusive projects both yielding a positive ROI. In part, this is because ROI fails to measure the "disadvantages that differing security measures provide to the attackers." That is, ROI alone cannot capture the efficacy of the two security measures being compared. (Martini, 2005)

To address this, and attempt to capture a security measure's efficacy, Cremonini and Martini introduced Return on Attack (ROA). The ROA is an "index which reflects the average and supposed impact of a security solution on an attacker's behavior." The goal is to improve upon the commonly used ROI measure by identifying (through ROA) the security measure that most discourages the attacker from initiating an attack. (Martini, 2005) Return on Attack is then mathematically stated as follows, where S is the security measure: (Martini, 2005)

$$ROA = \frac{gain\ from\ successful\ attack}{cost\ before\ S + loss\ caused\ by\ S}$$

An additional benefit of ROA, as noted in the literature, is its ability to quantify "modifications in the environment". That is to say, how the initial ROI calculation, given a particular security solution, at time T, changes with respect to modifications in the environment at time T1. It can be shown that the ROI of a given investment changes with the passage of time and environmental alterations. However, ROI as a metric alone cannot capture these changes and assumes a constant relationship. (Martini, 2005)
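The following added example (not from the review, nor from Sonnenreich et al. or Cremonini and Martini) puts the two formulas above side by side. It scores two candidate security measures for the same asset with ROSI, computed from ALE = SLE × ARO, and with ROA. The measures are constructed so that both mitigate the same share of the risk at the same cost: ROSI cannot separate them, which is exactly the limitation of ROI-style indices that Cremonini and Martini raise, while ROA does, by preferring the measure that leaves the attacker the lowest return. Every monetary figure, the mitigation fractions and the attacker-side inputs are assumptions of this example.

```python
# Constructed inputs for two candidate security measures protecting the same
# information asset. All monetary figures are illustrative, not from the review.
SLE = 50_000          # Single Loss Exposure: projected cost of one incident
ARO = 0.4             # Annual Rate of Occurrence: expected incidents per year

MEASURES = {
    # name: solution cost, fraction of risk mitigated, and the extra loss the
    # measure imposes on an attacker who tries anyway (same currency unit)
    "A": {"cost": 8_000, "mitigated": 0.6, "loss_caused_by_s": 1_000},
    "B": {"cost": 8_000, "mitigated": 0.6, "loss_caused_by_s": 10_000},
}

# Attacker-side figures assumed for the ROA calculation (constructed).
ATTACK_GAIN = 30_000          # gain from a successful attack
ATTACK_COST_BEFORE_S = 5_000  # attacker's cost before any measure is deployed


def ale(sle, aro):
    """Annual Loss Exposure = SLE * ARO, the risk exposure term of ROSI."""
    return sle * aro


def rosi(risk_exposure, risk_mitigated, solution_cost):
    """Return on Security Investment:
    ((Risk Exposure * Risk Mitigated) - Solution Cost) / Solution Cost."""
    return (risk_exposure * risk_mitigated - solution_cost) / solution_cost


def roa(gain, cost_before_s, loss_caused_by_s):
    """Return on Attack = gain from successful attack / (cost before S + loss caused by S).
    Lower is better for the defender: the measure that drives ROA down most is
    the one that most discourages the attack."""
    return gain / (cost_before_s + loss_caused_by_s)


def evaluate(measures=MEASURES, sle=SLE, aro=ARO,
             gain=ATTACK_GAIN, cost_before_s=ATTACK_COST_BEFORE_S):
    """Score every measure on both indices."""
    exposure = ale(sle, aro)
    return {
        name: {
            "rosi": rosi(exposure, m["mitigated"], m["cost"]),
            "roa": roa(gain, cost_before_s, m["loss_caused_by_s"]),
        }
        for name, m in measures.items()
    }


def best_by_rosi(scores):
    """Highest ROSI wins; returns every name tied at the top, the case an
    ROI-style index cannot resolve."""
    top = max(s["rosi"] for s in scores.values())
    return sorted(n for n, s in scores.items() if s["rosi"] == top)


def best_by_roa(scores):
    """Lowest ROA wins: the measure leaving the attacker the smallest return."""
    return min(scores, key=lambda n: scores[n]["roa"])


if __name__ == "__main__":
    scores = evaluate()
    for name, s in scores.items():
        print(f"measure {name}: ROSI = {s['rosi']:.2f}, ROA = {s['roa']:.2f}")
    print("ROSI ties:", best_by_rosi(scores), "| ROA prefers:", best_by_roa(scores))
```

With ALE of 20,000 and 60% mitigation at a cost of 8,000, both measures score a ROSI of 0.5; ROA drops from 5.0 under measure A to 2.0 under measure B, so B is the one the attacker-perspective index recommends.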
Therefore, an investment's value to the organization can change over time, to the point that it is no longer an attractive proposition. Moreover, traditional financial models fail to capture these iterations, leading to miscalculations when deciding on a project's investment.

Despite the above referenced value-added gains, ROA as a metric does have drawbacks. Those include a lack of consideration for investments over time with respect to the output of Return on Investment. That is, where ROA may capture depreciation in the efficacy of a security measure over time, there is no consideration given to an investment approach that occurs over time, such that the time value of money is recognized. Additionally, as with other models, no mention of budget constraints is given. It is therefore reasoned that the model assumes an unconstrained budget, at best an impractical assumption given a typical organization.

Bojanc-Blazic and Tekavcic Model

The Bojanc-Blazic and Tekavcic Model was found in two differing journals, both of which were published in November of 2012. The outputs are measured in Return on Investment (ROI), Net Present Value (NPV) and Internal Rate of Return (IRR), all of which should be easily understood by the business manager, accelerating the project investment decision time. While focusing on the quantification of security risks, the model also seeks "to find an optimal level and selection of the security technology investment." (Bojanc J.-B., 2012)

With considerably more inputs, the model is intended to serve as a procedure, a "guideline" leading the organization from initial input to the final recommendation. It begins by attempting to quantify the risk assessment, where the goal is to "determine and evaluate every vulnerability as based on business processes, supported by information assets." (Bojanc J.-B., 2012)

The risk assessment is defined as follows, where the model attempts to quantify the complex relationships between risk, vulnerabilities, threats and security measures for every information asset that is a part of the defined business process listed above. (Bojanc J.-B. T., 2012, pp. 1031-1052)

$$R = T \cdot v^{\alpha_p C_p + 1} \left[ L_1 \cdot t_{r0} \cdot e^{-\alpha_c C_c} + L_2 \cdot t_{d0} \cdot e^{-\alpha_d C_d} + L_3 - I \right]$$

Next, the Bojanc, Blazic and Tekavcic Model seeks to determine the optimal amount that should be invested by an organization to secure the organization's information assets. In doing so, it attempts to combine the uncertainty surrounding the organization's threats, vulnerabilities, the consequences of an attack and the efficiency of the measures currently in place. The objective is to invest in information security up to the point where the marginal benefit equals the marginal cost. That is to say, where the benefit of an additional unit of security equals the cost of an additional unit of security. (Bojanc J.-B. T., 2012)

The model attempts to conduct a cost/benefit analysis. However, as mentioned in the previous models, while the costs can be fairly straightforward to calculate, the organizational benefits, on the other hand, can prove to be rather difficult. The benefits gained due to the investment are nonetheless quantified as follows: (Bojanc J.-B. T., 2012)

$$B = R_0 - R(C) - \delta + \mu$$

where $R_0$ is the security risk prior to a security measure, $R(C)$ is the risk valued after the security measure is implemented, and $\delta$ measures the negative consequences that are brought about by conducting the security measure, for example a loss of some user functionality, downtime or loss of productivity in general. Finally, $\mu$ measures the indirect positive effect of a security measure. (Bojanc J.-B. T., 2012)

To close, the model addresses the economic value produced by the investment in the particular security measure. As mentioned prior in this section, the Bojanc, Blazic and Tekavcic model allows for comparison between three traditional business metrics utilized when assessing the veracity of an investment. Those are Net Present Value (NPV), Return on Investment (ROI) and Internal Rate of Return (IRR). When evaluating mutually exclusive projects, it is advised in the literature to base your determination on the organizational scenario while evaluating all three. This is due in part to the fact that the different metrics can point to different optimal solutions. For example, if a manager was attempting to determine the value of an investment over time, then NPV would be the recommended criterion, as it factors in the time value of money. (Bojanc J.-B. T., 2012)

The choice should be the investment that produces the highest NPV, ROI and IRR. However, frequently the three economic metrics will produce three different criteria. That is to say, in any particular analysis, ROI may point to one investment, while NPV and IRR point to others. In these cases, the literature directs the reader to conduct a comparative analysis. The analytical formula for conducting a comparative analysis within ROI is as follows (the formulas for NPV and IRR are similar): (Bojanc J.-B., 2012)

$$ROI = \frac{T \cdot v \left( 1 - v^{\alpha_p C_p} \right) \cdot L - \delta + \mu - C_p}{C_p}$$
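The claim that ROI, NPV and IRR can each point to a different investment is easy to see on numbers. Below is an added example (not from the review or from Bojanc et al.) comparing two constructed, mutually exclusive security investments on all three metrics: one whose avoided-loss benefit arrives mostly in the last year, and one whose benefit arrives early but is smaller in total. ROI ignores timing and picks the first; NPV and IRR, which discount cash flows as the text notes, pick the second. The cash-flow profiles and the 10% discount rate are assumptions of this example; the IRR is found by bisection, which is one valid method and not the one the cited papers use.

```python
# Two constructed, mutually exclusive security investments, each a cash-flow
# profile over years 0..4: the outlay now (negative) followed by the yearly
# benefit attributed to the control (avoided loss, in any currency unit).
PROJECTS = {
    "A": [-100.0, 10.0, 10.0, 10.0, 200.0],   # benefit arrives late, larger in total
    "B": [-100.0, 80.0, 60.0, 40.0, 20.0],    # benefit arrives early, smaller in total
}
DISCOUNT_RATE = 0.10   # assumed cost of capital used for the NPV


def npv(rate, cashflows):
    """Net Present Value; cashflows[t] occurs at the end of year t (t = 0 is now)."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cashflows))


def irr(cashflows, lo=-0.99, hi=10.0, tol=1e-10):
    """Internal Rate of Return: the rate at which NPV is zero, found by bisection.
    Valid for a conventional profile (one outlay, then inflows), where NPV is
    strictly decreasing in the rate and crosses zero exactly once."""
    if npv(lo, cashflows) * npv(hi, cashflows) > 0:
        raise ValueError("IRR is not bracketed by the search interval")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if npv(mid, cashflows) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def roi(cashflows):
    """Undiscounted Return on Investment: (total benefit - cost) / cost."""
    cost = -cashflows[0]
    return (sum(cashflows[1:]) - cost) / cost


def compare(projects=PROJECTS, rate=DISCOUNT_RATE):
    """Score each project on all three metrics and name the winner under each."""
    table = {
        name: {"roi": roi(cf), "npv": npv(rate, cf), "irr": irr(cf)}
        for name, cf in projects.items()
    }
    winners = {m: max(table, key=lambda n: table[n][m]) for m in ("roi", "npv", "irr")}
    return table, winners


if __name__ == "__main__":
    table, winners = compare()
    for name, s in table.items():
        print(f"{name}: ROI={s['roi']:.2f}  NPV@{DISCOUNT_RATE:.0%}={s['npv']:.2f}  IRR={s['irr']:.1%}")
    print("best by metric:", winners)
```

On these inputs project A has the higher ROI (1.30 against 1.00) while project B has the higher NPV (about 66.0 against 61.5 at 10%) and the higher IRR (about 46% against 25%), which is the disagreement the text says calls for a comparative analysis rather than a single metric.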
Summary of Findings

Evaluation Criteria      Gordon-Loeb   Sonnenreich   Cremonini   Bojanc
Costs:
- Fixed                  x             ✔             ✔           ✔
- Variable               ✔             ✔             ✔           ✔
- Opportunity            x             x             x           x
- Sunk                   x             ✔             x           x
- Recurring              x             x             x           x
- Non-Recurring          ✔             ✔             ✔           ✔
Benefits:
- Financial              ✔             ✔             ✔           ✔
- Non-Financial          x             x             x           ✔
Inputs:
- Quantitative           ✔             ✔             ✔           ✔
- Qualitative            x             x             x           ✔
Outputs:
- Quantitative           ✔             ✔             ✔           ✔
- Qualitative            x             x             x           x
Budget Type:
- Constrained            x             x             x           x
- Unconstrained          ✔             ✔             ✔           ✔
Investment Approach:
- One time Invest.       ✔             ✔             ✔           ✔
- Split Invest.          x             x             x           ✔

Conclusions

In conclusion, my research conducted a systematic review of the literature to address the question of appropriate financial analysis utilized by business managers when considering investing in Information Security. While not exhaustive, it shows that there is yet to be a consensus in academia upon a standardized methodology to make investment-related decisions with respect to Information Security.

The function of security to mitigate loss exposure, as well as the difficulty in accurately assessing the probabilities of loss, leads to the break-down of traditional financial formulas utilized in business investment decision-making. My research shows four models that can begin to address the needs of the business manager. While the research was not exhaustive, limited in part by search constraints and scope, the evaluation criteria were decided upon to give a broad sense of current models proposed in the available literature.

Additionally, each model certainly contains its own weaknesses. For example, some models take into consideration an attacker's point of view, while others look only at a static or one-time investment. However, I was unable to find any information that precludes a decision-maker from extracting parts of one model to include in others. That is to say, if a business manager needs to invest over time, NPV may be an appropriate measure; however, he may also wish to add ROA to that to better refine his decision-making.

Future research into the topic is to include an expansion of this beginning body of evidence, while seeking to understand the impact of other domains, such as Game Theory, to better understand how Return on Attack (ROA) may help future InfoSec managers' investment analysis.
References

Bashroush, S. a. (2016). Economic Evaluation for Information Security Investment: A systematic literature review. Information Systems Frontiers, 1-24.

Bojanc, J.-B. (2012). Quantitative Model for Economic Analyses of Information Security Investment in an Enterprise Information System. Organizacija - Volume 45, 12.

Bojanc, J.-B. T. (2012). Managing the Investment in Information Security Technology by use of a Quantitative Modeling. Information Processing and Management, 21.

Lanen, A. M. (2011). Fundamentals of Cost Accounting. McGraw Hill.

Loeb, G. a. (2002). The Economics of Information Security Investment. ACM Transactions on Information System Security, 438-457.

Martini, C. a. (2005). Evaluating information security investments from attackers' perspective: The Return on Attack (ROA). Proceedings of the fourth workshop on the economics of security.

Pandey. (2015). "Context, Content, Process" Approach to Align Information Security Investments With Overall Organizational Strategy. International Journal of Security, Privacy and Trust Management, 25-38.

Sonnenreich, A. S. (2006). Return on Security Investment - A Practical Quantitative Model. Journal of Research and Practice in Information Technology, 45-56.