Information Security Research Paper: Traditional financial models commonly used in business today, such as Net Present Value (NPV), Internal Rate of Return (IRR) and Return on Investment (ROI), tend to break down and become less effective when it comes to Information Security.
This is due, in part, to the function of security, as well as the difficulty of quantifying expected loss (cost) and the lack of positive cash flows. To address this, I reviewed the current literature and present several models to help further the Information Security Manager. (Part of Ongoing Research)
Abstract
This research conducts a systematic review of the literature to address the pressing need of Information Security Managers to create a persuasive business case when evaluating investments within Information Security. To date, there is yet to be a consensus within academia and among practitioners on a “best practice” model or standard.
As such, business managers find themselves relying upon traditional financial models that fail to
translate to Information Security due, in part, to the function of security and the difficulty in
assessing the probabilities of expected loss.
Given this, when considering investing within Information Security, managers may over- or under-invest, leading to wastefulness of corporate resources and potentially a drop in share price. To address this, we reviewed the literature to show four models that may help to serve the needs of the investing executive within the firm.
Introduction
Research is abundant, with respect to Information Security, when it comes to technology (i.e., encryption, access controls, etc.). However, the same cannot be said about the financial or economic value of investments within Information Security in organizations. Although the literature is increasing, traditional financial models utilized by business managers to make investment decisions, such as Net Present Value or IRR, break down or do not easily translate when applied to Information Security. (Bashroush, 2016)
In a general sense, managers look at the present value of future cash flows to determine if an
investment brings value to the organization and shareholders. However, investment decisions
within Information Security rarely, if ever, provide positive cash flows, resulting in a negative
NPV or a grotesque hurdle rate (IRR).
Indeed, the lack of a tangible return on investment is due to the function of Information Security. That is, investments in security aim to reduce or mitigate the risk of an expected loss (cost) to valuable information within an organization. Security is at its best when nothing happens. Therefore, the more successful an Information Security strategy is, the more difficult it is to measure the tangible benefits. (Bashroush, 2016)
Moreover, most currently available models addressing investment decisions rely heavily on qualitative data, or expert opinion, within an ordinal scale to subjectively discern the expected loss of an attack and the uncertainty or probability of one occurring. Such methods open the door to cognitive bias and therefore inevitably distort the intended findings.
The result is a lack of understanding by most decision-makers when it comes to adequate Information Security, leading to over- or under-investment within the organization and needlessly wasting constrained, scarce resources, which could result in a reduced share price.
To address this issue, a survey of the available literature was conducted with the intent to
provide guidance to both business managers and Information Security practitioners alike, by
offering an overview of the latest research. While certainly not exhaustive, the following
financial models attempt to provide a framework with which business managers can augment
qualitative data with quantitative data to improve upon the decision-making process.
Research Method
While pursuing the objectives of this study, a systematic review of the given literature was
initiated through Google Scholar, EBSCO Host, Proquest, Elsevier, Science Direct, Springer and
IEEE Xplore. The chosen keywords were as follows:
Filtering of the results was then applied. I restricted the results of the research from 2000 to 2016. The following evaluation criteria were then considered.
Benefits:
- Financial
- Non-Financial
Costs:
- Recurring
- Non-Recurring
- Variable
- Fixed
- Opportunity
- Sunk
Input:
- Qualitative
- Quantitative
Output:
- Qualitative
- Quantitative
Budget Type:
- Constrained
- Unconstrained
Investment Approach:
- One Time Investment
- Split Investment
Research Findings
While the topic of investment strategies within Information Security has gained increasing attention within the last several years, there is yet to be an agreed-upon consensus concerning which method is best. Therefore, based on the literature, we look at several different quantitative models currently available. Those models include the Gordon-Loeb Model, the Sonnenreich Model, the Cremonini Model and the Bojanc, Blazic and Tekavcic Model.
Keywords: Information Security, Investment, Framework, Cybersecurity, Return on Security
Investment, Return on Attack, Economics, InfoSec, Budget Constraints, Constrained
Optimization, Investment Models, Return on Investment, Net Present Value, IRR
Gordon-Loeb Model
In their seminal work, Gordon and Loeb, arguably the most recognized scholars with respect to
information security investment analysis, or more accurately, information security economics,
determine the optimal amount to invest in a security measure to mitigate a vulnerability.
Their research shows that “for a given potential expected loss, a firm should not necessarily
focus its investments on information sets with the highest vulnerability. Since extremely
vulnerable information sets may be inordinately expensive to protect, a firm may be better off
concentrating its efforts on information sets with mid-range vulnerabilities.” (Loeb, 2002)
The model is predicated on the following assumptions:
“A1. $S(z,0)=0$ for all $z$. That is, if the information set is completely invulnerable then it will remain perfectly protected for any amount of information security investment, including a zero investment.
A2. For all $v$, $S(0,v)=v$. That is, if there is no investment in information security, the probability of a security breach, conditioned on the realization of a threat, is the information set’s inherent vulnerability.
A3. For all $v \in (0,1)$ and all $z$, $S_z(z,v) < 0$ and $S_{zz}(z,v) > 0$, where $S_z$ denotes the partial derivative with respect to $z$ and $S_{zz}$ denotes the partial derivative of $S_z$ with respect to $z$. That is, as the investment in security increases, the information is made more secure, but at a decreasing rate.
A4. For all $v \in (0,1)$, $\lim_{z \to \infty} S(z,v) = 0$, so by investing sufficiently in security, the probability of a security breach, $t \cdot S(z,v)$, can be made arbitrarily close to zero.” (Loeb, 2002)
Therefore, to the extent that the above assumptions are accurate, the literature shows that the
“expected net benefit is equal to the expected benefit minus the cost of investment reduction
in expected loss due to security.” (Loeb, 2002) That is to say that a rational investor, should only
invest up to the point where the marginal benefit equals the marginal cost.
It further goes on to show that when vulnerabilities are factored in, the maximum or optimal amount that should be spent equals 37% of the expected loss that would be present should one not invest in the particular security measure, given “two broad classes of information security breach probability functions.” (Loeb, 2002)
Finally, while the optimum level shown in the research should not exceed 37 percent, it needs to be noted that the Gordon-Loeb model predicates its findings upon the assumption that only two probability distributions exist. This raises the question of whether more than two probability distributions exist in nature, in which case the model would not efficiently capture the level of security needed in the “wild.”
Furthermore, in order to draw their conclusions, Gordon and Loeb assumed that fixed cost within Information Security equals zero, an assumption that invites criticism, considering that fixed costs can be defined as “expenses that remain (must be paid) unchanged as the volume of activity (productivity) changes.” (Lanen, 2011)
Sonnenreich Model
In 2005, writing in the Journal of Research and Practice in Information Technology, Sonnenreich, Albanese and Stout produced a model called the SecureMark system, better known as Return on Security Investment (ROSI). In their research, the authors describe the model mathematically as follows: (Sonnerrich, 2006)
$$\mathrm{ROSI} = \frac{(\text{Risk Exposure} \times \text{Risk Mitigated}) - \text{Solution Cost}}{\text{Solution Cost}}$$
As stated earlier, measuring expected return within Information Security is difficult at best or glorified guesswork at worst. The ROSI model seeks to address this by replacing Expected Returns within a classic Return on Investment (ROI) calculation with (Risk Exposure × Risk Mitigated) within ROSI. To quantify risk exposure, the model looks at “Annual Loss Exposure (ALE) which multiplies the projected cost of a security incident (Single Loss Exposure – SLE) with its estimated annual rate of occurrence (ARO).” (Sonnerrich, 2006)
$$\text{Risk Exposure} = \mathrm{ALE} = \mathrm{SLE} \times \mathrm{ARO}$$
Measuring risk exposure, while relatively simple in mathematical terms, becomes extremely difficult in practice. The reasons for this are many; differing accounting methods, varying measurements of data loss within different industries and miscalculations of data such as downtime and opportunity costs are a few examples. Ideally, actuarial data should be used to measure risk exposure. Unfortunately, with respect to Information Security, this data is in its early stages and does not have a lot of veracity behind it.
Quantifying risk mitigated is no less precarious than measuring risk exposure above. As stated earlier, Information Security is at its best when nothing occurs. As such, how do you measure a loss that is prevented? For example, “a company’s intrusion detection system might show that there were 10 successful break-ins last year, but only five this year. Was it due to the new security device the company bought, or was it because five less hackers attacked the network?” (Sonnerrich, 2006)
As we have seen, while the model attempts to quantify the return on an investment in Information Security, differing organizational corporate structures pose problems in standardizing, or arriving at a consensus on, the model's outcomes. Moreover, should an organization make investments in security over a given time frame, the ROSI model ignores the time value of money, while also disregarding opportunity cost and real options, all three of which can impact a bottom line.
Cremonini and Martini Model
As a derivative of Return on Investment (ROI), the Cremonini Model argues that while ROI allows a prospective manager to assess whether or not a particular investment will yield a positive return, ROI as a criterion alone does not allow one to accurately compare two mutually exclusive projects that both yield a positive ROI. In part, this is because ROI fails to measure the “disadvantages that differing security measures provide to the attackers.” That is, ROI alone cannot capture the efficacy of the two security measures being compared. (Martini, 2005)
To address this, and attempt to capture a security measure's efficacy, Cremonini and Martini introduced Return on Attack (ROA). The ROA is an “index which reflects the average and supposed impact of a security solution on an attacker’s behavior.” The goal is to improve upon the commonly used ROI measure by identifying (through ROA) the security measure that most discourages the attacker from initiating an attack. (Martini, 2005)
Return on Attack is then mathematically stated as follows (where $S$ = security measure): (Martini, 2005)
$$\mathrm{ROA} = \frac{\text{gain from successful attack}}{\text{cost before } S + \text{loss caused by } S}$$
An additional benefit of ROA, as noted in the literature, is its ability to quantify “modifications
in the environment”. That is to say, how the initial ROI calculation, given a particular security
solution, at time T, changes with respect to modifications in the environment at time T1. It can
be shown that the ROI, of a given investment, changes with the passage of time and
environmental alterations. However, ROI as a metric alone, cannot capture these changes and
assumes a constant relationship. (Martini, 2005)
Therefore, an investment's value to the organization can change over time, to the point that it is no longer an attractive proposition. Moreover, traditional financial models fail to capture these iterations, leading to miscalculations when deciding on a project's investment. Despite the value-added gains referenced above, ROA as a metric does have drawbacks.
Those include a lack of consideration for investments over time, with respect to the output of Return on Investment. That is, where ROA may capture depreciation in the efficacy of a security measure over time, no consideration is given to an investment approach that occurs over time, such that the time value of money is recognized. Additionally, as with other models, no mention of budget constraints is given. It is therefore reasoned that the model assumes an unconstrained budget, at best an impractical assumption given a typical organization.
Bojanc-Blazic and Tekavcic Model
The Bojanc-Blazic and Tekavcic Model was found in two differing journals, both of which were published in November of 2012. The outputs are measured in Return on Investment (ROI), Net Present Value (NPV) and Internal Rate of Return (IRR), all of which should be easily understood by the business manager, accelerating the project investment decision time. While focusing on the quantification of security risks, the model also seeks “to find an optimal level and selection of the security technology investment.” (Bojanc J.-B. , 2012)
With considerably more inputs, the model is intended to serve as a procedure, a “guideline” leading the organization from initial input to the final recommendation. It begins by attempting to quantify the risk assessment, where the goal is to “determine and evaluate every vulnerability as based on business processes, supported by information assets.” (Bojanc J.-B. , 2012)
The risk assessment is defined as follows, where the model attempts to quantify the complex relationships between risk, vulnerabilities, threats and security measures for every information asset that is a part of the defined business process listed above. (Bojanc J.-B. T., 2012, pp. 1031-1052)
$$R = T \cdot v^{\alpha_p C_p + 1} \left[ L_1 \cdot t_{r0} \cdot e^{-\alpha_c C_c} + L_2 \cdot t_{d0} \cdot e^{-\alpha_d C_d} + L_3 - I \right]$$
Next, the Bojanc, Blazic and Tekavcic Model seeks to determine the optimal amount that should be invested by an organization to secure the organization’s information assets. In doing so, it attempts to combine the uncertainty surrounding the organization's threats, vulnerabilities, the consequences of an attack and the efficiency of measures currently in place. The objective is to invest in information security up to the point where the marginal benefit equals the marginal cost. That is to say, where the benefit of an additional unit of security equals the cost of an additional unit of security. (Bojanc J.-B. T., 2012)
The model attempts to conduct a cost/benefit analysis. However, as mentioned in the previous models, while the costs can be fairly straightforward to calculate, the organizational benefits, on the other hand, can prove rather difficult. The benefits gained due to the investment are nonetheless quantified as follows: (Bojanc J.-B. T., 2012)
$$B = R_0 - R(C) - \delta + \mu$$
where $R_0$ is the security risk prior to a security measure, $R(C)$ is the risk valued after the security measure is implemented, and $\delta$ measures the negative consequences that are brought about by conducting the security measure, for example a loss of some user functionality, downtime or loss of productivity in general. Finally, $\mu$ measures the indirect positive effect of a security measure. (Bojanc J.-B. T., 2012)
To close, the model addresses the economic value produced by the investment in the particular security measure. As mentioned earlier in this section, the Bojanc, Blazic and Tekavcic model allows for comparison between three traditional business metrics utilized when assessing the veracity of an investment. Those are Net Present Value (NPV), Return on Investment (ROI) and Internal Rate of Return (IRR).
When evaluating mutually exclusive projects, the literature advises basing the determination on the organizational scenario while evaluating all three, in part because the different metrics can point to different optimal solutions. For example, if a manager were attempting to determine the value of an investment over time, then NPV would be the recommended criterion, as it factors in the time value of money. (Bojanc J.-B. T., 2012)
The choice should be the investment that produces the highest NPV, ROI and IRR. However, the three economic metrics will frequently produce three different answers. That is to say, in any particular analysis, ROI may point to one investment, while NPV and IRR point to others. In these cases, the literature directs the reader to conduct a comparative analysis. The analytical formula for conducting a comparative analysis within ROI is as follows (the formulas for NPV and IRR are similar): (Bojanc J.-B. , 2012)
$$\mathrm{ROI} = \frac{T \cdot v\,(1 - v^{\alpha_p C_p}) \cdot L - \delta + \mu - C_p}{C_p}$$
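As an added example (not the model's own implementation), the following Python carries the comparative-analysis step through for two constructed preventive measures, using the benefit $B = R_0 - R(C) - \delta + \mu$ and the ROI formula above together with a plain NPV and IRR of the same benefit stream; the cash-flow timing ($C_p$ paid once up front, $B$ recurring annually for three years at a 10% discount rate), the restriction to a preventive measure ($R_0 = T v L$, $R(C) = T v^{\alpha_p C_p + 1} L$) and all parameter values are assumptions. It shows the point made above: ROI and IRR can favour one measure while NPV favours the other.

```python
import math

# Added example, not from the paper: comparative analysis of the Bojanc-Blazic-Tekavcic
# metrics. B = R0 - R(C) - delta + mu with R0 = T*v*L and R(C) = T*v^(alpha_p*C_p + 1)*L
# (preventive measure only), which reproduces the paper's ROI formula. Cash-flow timing
# is an assumption: C_p is paid once up front and B recurs at the end of each year.

def benefit(T, v, L, alpha_p, C_p, delta, mu):
    """B = R0 - R(C) - delta + mu: expected annual loss avoided by a preventive measure
    costing C_p, less its negative side effects (delta), plus indirect gains (mu)."""
    r0 = T * v * L
    r_c = T * v ** (alpha_p * C_p + 1) * L
    return r0 - r_c - delta + mu

def roi(B, C_p):
    """ROI = (T*v*(1 - v^(alpha_p*C_p))*L - delta + mu - C_p) / C_p, i.e. (B - C_p) / C_p."""
    return (B - C_p) / C_p

def npv(B, C_p, years, rate):
    """Net present value of paying C_p now and receiving B at the end of each year."""
    return -C_p + sum(B / (1 + rate) ** y for y in range(1, years + 1))

def irr(B, C_p, years, lo=0.0, hi=50.0, iters=200):
    """Internal rate of return: the discount rate at which NPV is zero, found by
    bisection. Returns None when the measure never pays back (no positive IRR)."""
    if npv(B, C_p, years, lo) <= 0:
        return None
    for _ in range(iters):
        mid = (lo + hi) / 2
        if npv(B, C_p, years, mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def compare(measures, years, rate):
    """Rank candidate measures by ROI, NPV and IRR. Returns ({metric: best name},
    {name: {metric: value}}) so disagreements between the criteria are visible."""
    scores = {}
    for name, p in measures.items():
        B = benefit(p["T"], p["v"], p["L"], p["alpha_p"], p["C_p"], p["delta"], p["mu"])
        scores[name] = {"ROI": roi(B, p["C_p"]),
                        "NPV": npv(B, p["C_p"], years, rate),
                        "IRR": irr(B, p["C_p"], years)}
    def value(name, metric):                     # treat "no IRR" as worst possible
        s = scores[name][metric]
        return -math.inf if s is None else s
    best = {m: max(scores, key=lambda n: value(n, m)) for m in ("ROI", "NPV", "IRR")}
    return best, scores

# Constructed scenario: 4 threats/year against an asset with vulnerability 0.5 and a
# loss of 50 per successful attack; measure A is cheap, measure B costlier but stronger.
MEASURES = {
    "A": {"T": 4, "v": 0.5, "L": 50, "alpha_p": 0.2,  "C_p": 10, "delta": 5, "mu": 0},
    "B": {"T": 4, "v": 0.5, "L": 50, "alpha_p": 0.15, "C_p": 40, "delta": 8, "mu": 4},
}

if __name__ == "__main__":
    best, scores = compare(MEASURES, years=3, rate=0.10)
    for name, s in scores.items():
        print(name, {k: round(val, 3) for k, val in s.items()})
    print("best by metric:", best)   # ROI and IRR favour A, NPV favours B
```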
Summary of Findings
Evaluation Criteria       Gordon-Loeb   Sonnenreich   Cremonini   Bojanc
Costs:
- Fixed                   x             ✔             ✔           ✔
- Variable                ✔             ✔             ✔           ✔
- Opportunity             x             x             x           x
- Sunk                    x             ✔             x           x
- Recurring               x             x             x           x
- Non-Recurring           ✔             ✔             ✔           ✔
Benefits:
- Financial               ✔             ✔             ✔           ✔
- Non-Financial           x             x             x           ✔
Inputs:
- Quantitative            ✔             ✔             ✔           ✔
- Qualitative             x             x             x           ✔
Outputs:
- Quantitative            ✔             ✔             ✔           ✔
- Qualitative             x             x             x           x
Budget Type:
- Constrained             x             x             x           x
- Unconstrained           ✔             ✔             ✔           ✔
Investment Approach:
- One-time Investment     ✔             ✔             ✔           ✔
- Split Investment        x             x             x           ✔
Conclusions
In conclusion, my research conducted a systematic review of the literature to address the
question of appropriate financial analysis utilized by business managers when considering
investing in Information Security. While not exhaustive, it shows that there is yet to be a
consensus in academia upon a standardized methodology to make investment related decisions
with respect to Information Security.
The function of security to mitigate loss exposure, as well as the difficulty in accurately assessing the probabilities of loss, leads to the breakdown of traditional financial formulas utilized in business investment decision-making. My research shows four models that can begin to address the needs of the business manager.
While the research was not exhaustive, limited in part by search constraints and scope, the evaluation criteria were decided upon to give a broad sense of current models proposed in the available literature. Additionally, each model certainly contains its own weaknesses. For example, some models take into consideration an attacker's point of view, while others look only at a static or one-time investment.
However, I was unable to find any information that precludes a decision-maker from extracting parts of one model to include in others. That is to say, if a business manager needs to invest over time, NPV may be an appropriate measure. However, he may also wish to add ROA to that to better refine his decision making.
Future research into the topic is to include an expansion of this beginning body of evidence, while seeking to understand the impact of other domains, such as Game Theory, to better understand how Return on Attack (ROA) may help future InfoSec managers' investment analysis.
References
Bashroush, S. a. (2016). Economic Evaluation for Information Security Investment: A systematic literature review. Information Systems Frontiers, 1-24.
Bojanc, J.-B. (2012). Quantitative Model for Economic Analyses of Information Security Investment in an Enterprise Information System. Organizacija - Volume 45, 12.
Bojanc, J.-B. T. (2012). Managing the Investment in Information Security Technology by use of a Quantitative Modeling. Information Processing and Management, 21.
Lanen, A. M. (2011). Fundamentals of Cost Accounting. McGraw Hill.
Loeb, G. a. (2002). The Economics of Information Security Investment. ACM Transactions on Information System Security, 438-457.
Martini, C. a. (2005). Evaluating information security investments from attackers' perspective: The Return on Attack (ROA). Proceedings of the fourth workshop on the economics of security.
Pandey. (2015). "Context, Content, Process" Approach to Align Information Security Investments With Overall Organizational Strategy. International Journal of Security, Privacy and Trust Management, 25-38.
Sonnerrich, A. S. (2006). Return on Security Investment - A Practical Quantitative Model. Journal of Research and Practice in Information Technology, 45-56.