Return on Security Investment - ISSA Journal, December 2006
Return On Security Investment
By Vicente Aceituno

The main reason for investing in security measures is to avoid the cost of accidents, errors and attacks. Direct costs of an incident may include lost revenues, damages and property loss, or direct economic loss.

The information security industry recognizes both the necessity and the difficulty of carrying out a quantitative evaluation of ROSI, return on security investment.

The main reason for investing in security measures is to avoid the cost of accidents, errors and attacks. Direct costs of an incident may include lost revenues, damages and property loss, or direct economic loss. The total cost can be considered as the direct cost plus the cost of restoring the system to its original state before the incident. Some incidents can cost information, fines, or even human lives.

The indirect cost of an incident may include damage to a company’s public image, loss of client and shareholder confidence, cash-flow problems, breaches of contract and other legal liabilities, failure to meet social and moral obligations, and other costs.

Measuring return

What do we know intuitively about the risk and cost of security measures? First, the relationship between the factors that affect risk – such as window of opportunity, value of the asset and its value to the attacker, combined assets, number of incidents and their cost, etc. – is quite complex. We also know that when measures are implemented to reduce risk, the ease of using and managing systems also decreases, generating an indirect cost of the security measures. The following figure shows the qualitative relationship between all of these factors. The arrows indicate the factors that directly affect the cost of the threat, and the figure also shows how investment in security measures (Cost of the Protection) reduces the cost of the threat. In this article, we’ll refer to information security as “security.”

Figure 1 – Risk Factors (factors shown: Fewer Incidents, Usability, Cost of the Protection, Cost of the Threat, Window of Opportunity, Value for the Attacker)

How do we go from this intuitive understanding to quantitative information? There is some accumulated knowledge of the relationship between investment in security measures and their results. First, there is Mayfield’s paradox, according to which the costs of both universal access to a system and absolutely restricted access are infinite, with more acceptable costs corresponding to the intermediate cases.
Figure 2 – Mayfield’s Paradox (axes: Cost, from 0 to 100; % Accessibility)

An empirical study was also done by CERT at Carnegie Mellon University. The study states that the greater the expenditure on security measures, the smaller the effect of the measures on security. This means that after a reasonable investment has been made in security measures, doubling security spending will not make the system twice as secure.

The study that is most easily found on the Internet on this subject cites the formulas created during the implementation of an intrusion detection system (IDS) by a team from the University of Idaho.

    R: losses
    E: prevented losses
    T: total cost of security measures
    (R - E) + T = ALE
    R - ALE = ROSI, therefore ROSI = E - T

The problem with this formula is that E is merely an estimate, and even more so if the measure involved is an IDS, which simply collects information on intrusions – there is no cause-effect relationship between detecting an intrusion and preventing an incident. Combining this type of estimate with a basis in mathematical formulas is like combining magic with physics.

What problems do we face in calculating return on investment of security measures? The most important is the lack of concrete data, followed closely by a series of commonly accepted suppositions and half-truths, such as that risk always decreases as investment increases, and that the return on the investment is positive for all levels of investment.

Nobody invests in security measures to make money; they invest in them because they have no choice. Return on investment demonstrates that investing in security is profitable, insofar as it represents selection of the best security measures with a given budget and determination of whether the budget allocated to security is sufficient to fulfill the business objectives. But return on investment does not mean that companies make money off the investment.

In general, and also from the point of view of return on investment, there are two types of security measures: measures to reduce vulnerability and measures to reduce impact.

• Preventive measures, as they are usually known, reduce vulnerability to incidents, but barely reduce the impact of an incident when one occurs. These measures protect against a narrow range of threats. Some of these measures are firewalls, padlocks, and access control measures. One example of the narrowness of the protection range is the use of firewalls, which protect against access to unauthorized ports and addresses, but not against the spread of worms or spam.

• Corrective measures reduce the impact of an incident when one occurs, but do very little to minimize vulnerability. These measures protect against a broad range of threats. Examples include RAID disks, backup copies, and redundant communication links. One example of the range of protection is the use of backups, which do not prevent incidents but do protect against information losses in the case of all types of physical and logical failures.

Profitability differs for these two types of measures, as the rest of this article will show.

Preventive or vulnerability reduction measures

A reduction in vulnerability translates into a reduction in the number of incidents. Security measures that reduce vulnerability are therefore profitable when they prevent incidents for a value that is higher than the total cost of the measure during that investment period. The following formula can be used:

    ROSI = CTprevented / TCP
    CT = Cost of Threat = Number of Incidents * Per Incident Cost
    TCP = Total Cost of Protection

When ROSI > 1, the security measure is profitable.

Several approximations can be used to calculate the prevented cost. One takes the prevented cost into account as the cost of the threat in a period of time before and after the implementation of the security measure.

    CTprevented = (CTbefore – CTafter)

Calculating the cost of the threat as the number of incidents multiplied by the cost of each incident is an alternative with respect to the traditional calculation of the incident probability multiplied by the incident cost, provided that the number of incidents in the investment period is more than 1. To calculate a probability mathematically, the number of favorable cases and the number of possible cases must be known. Organizations rarely have information on possible cases (though they do on “favorable” cases) of incidents. It is impossible to calculate the probability without this information. However, it is relatively simple to determine the number of incidents that occur within a period of time and their cost. For a known probability to be predictive, it is also necessary to have a large enough number of cases, and conditions must also remain the same. Taking into account the complexity of the behavior of attackers and the organizations that use information systems, it would be foolish to assume that conditions will remain constant. Calculating
the cost of a threat using probability information is therefore unreliable in real conditions.

One significant advantage of calculating the cost of a threat as the product of the number of incidents and their unit cost is that this combines the cost of the incidents, the probability, and the total assets (since the number of incidents partly depends on the quantity of the total assets) into a single formula. To make a profitability calculation like this requires real information on the incidents and their cost, and gathering this information generates an indirect cost of an organization’s security management. If this information is not available, the cost of the threats will have to be estimated in order to calculate the ROSI. However, the result will be of little value, as the estimate can be changed to generate any desired result.

The profitability of a vulnerability reduction measure depends on the environment. For example, a security measure will be more profitable in an environment in which many incidents occur, than in an environment in which very few incidents occur. While using a personal firewall on a PC connected to the Internet 24 hours a day may be profitable, using one on a private network not connected to the Internet would not be. Investing in a reinforced door would be profitable in many regions of Colombia, but in certain rural areas of Canada, this investment would be a waste of money.

Sample profitability calculation

1. Two laptops out of a total of 50 are stolen in a given year.
2. The replacement cost of a laptop is €1800.
3. The following year, the company has 75 laptops.
4. The laptops are protected with €60 locks.
5. The following year only one laptop is stolen.

    ROSI = (Rbefore – Rafter) / TCP
    (Vi = Value of information)
    ROSI = ((1800 + Vi) * 3 - ((1800 + Vi) * 1 + 75 * 60)) / (75 * 60)

(The number of incidents is adjusted (from 2 to 3) for the increase in the number of targets.)

If the information in the laptop was worth nothing (Vi = 0) the security measure would not be profitable (ROSI < 1). In this example, the €60 locks are profitable when a laptop costs more than €2700, or when, based on historical information, the theft of 5 laptops can be expected for the year in question.

Using this type of analysis, we could:

• Use locks only on laptops with valuable information.
• Calculate the maximum price of locks for all laptops (€24 per year when Vi = 0).

Corrective or impact reduction measures

Since impact reduction measures do not prevent incidents, the previous calculation cannot be applied. In the best-case scenario these measures are never used; whereas, when there are two incidents which could result in the destruction of the protected assets, the measures are apparently worth twice the value of the assets. Now then, who would spend twice the value of an asset on security measures? Profitability of corrective measures cannot be measured. These measures are like insurance policies; they put a limit on the maximum loss suffered in the case of an incident.

What is important in the case of impact reduction measures is the protection that you get for your money. The effectiveness of this protection can be measured, for example depending on the recovery time after an incident. Depending on their effectiveness, there are measures that range from backup copies (with some added cost) to fully redundant systems (which cost more than double).

One interesting alternative to calculating the ROSI of a specific security measure is to measure the ROSI of a set of measures – including detection, prevention, and impact reduction – that protect an asset. In this case, the total cost of protection (TCP) is calculated as the sum of the cost of all of the security measures, while the effort to obtain the information on the cost of the threats is practically identical.

Budget, cost, and selection of measures

The security budget should be at most equal to the annual loss expectancy (ALE) caused by attacks, errors and accidents in information systems for a tax year. Otherwise, the measures are guaranteed not to be profitable. The graph below shows the expected losses as the area under the curve. To clarify the graph: it represents a company with enormous expected losses, of almost 25 percent of the value of the company. In the case of an actual company, legibility of the graph could be improved using logarithmic scales.

Figure 3 – Risk factors (axes: Expected Loss ($) in $ per year, from 0 up to the accounting value of the company; Probability (% / year), from 0 to 100; marks: Last year’s losses, Probability of discontinuation of the company)

An evaluation of the cost of a security measure must take into account both the direct costs of the hardware, software and implementation; as well as the indirect costs, which could include control of the measure by evaluating incidents, ethical hacking (attack simulation), audits, incident simulation, forensic analysis, and code audits.

Security measures are often chosen based on fear, uncertainty and doubt; or out of paranoia, to keep up with trends, or simply at random. However, the calculation of the profitability of security measures can help to select the best measures for a particular budget. Part of the budget must be allocated to the protection of critical assets using impact reduction measures; and part to the protection of all the assets using vulnerability reduction measures and incident and intrusion detection measures.

Conclusions

The main conclusions that can be drawn from all this are as follows:

• To guarantee maximum effectiveness of an investment, it is necessary, if possible when the supporting data is available, to calculate the return on the investment of vulnerability reduction measures.
• In order to make real calculations, real information is needed regarding the cost of the incidents for a company or in comparable companies in the same sector.
• Both incidents and security measures have indirect and direct costs that have to be taken into account when calculating profitability.

About the Author

Vicente Aceituno, Ingeniero Técnico en Telecomunicaciones (Universidad Politécnica de Madrid), authored the ISM3 (Information Security Management Maturity Model); leads the FIST information security conferences in Spain; has published his first book Seguridad de la Información (ISBN: 84-933336-7-0); and maintains a Website. He can be reached at

References

… Scott, “Finally, a Real Return on Security Spending.” CIO Magazine, February 15, 2002.

… Soumyo D. and Suresh L. Konda, “The Survivability of Network Systems: An Empirical Analysis.” Carnegie Mellon, Software Engineering Institute, Dec. 2000.

… of New Haven Center for Cybercrime and Forensic Computer Investigation and University of Southern California Department of Mathematics, “Mathematical Proofs of Mayfield’s Paradox: A Fundamental Principle of Information Security.” Information Systems Control Journal, Vol. 2, 2001.
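The laptop sample calculation and the budget-selection rule from the last section, worked through as an added example; this is not code from the article or from its author. The first part implements the ROSI ratio exactly as the article's laptop example uses it (earlier incident count scaled to the later number of targets, protection cost counted in the "after" losses) and solves it for the break-even value of the information on a laptop and for the maximum lock price. The second part reuses the same ratio to rank candidate preventive measures and spend no more than the ALE; the candidate names, their incident counts and costs, and the ALE figure are constructed assumptions, not numbers from the article.

```python
from dataclasses import dataclass


@dataclass
class Measure:
    """A preventive (vulnerability reduction) measure and the observations used to rate it."""
    name: str
    incidents_before: float     # incidents in the period before the measure
    targets_before: int         # assets exposed in that period
    incidents_after: float      # incidents in the period after the measure
    targets_after: int          # assets exposed in that period
    cost_per_target: float      # protection cost per asset for the period (TCP = n * cost)
    replacement_cost: float     # direct cost of one incident
    info_value: float = 0.0     # Vi, value of the information lost per incident

    def tcp(self) -> float:
        """Total Cost of Protection for the period."""
        return self.targets_after * self.cost_per_target

    def cost_per_incident(self) -> float:
        return self.replacement_cost + self.info_value

    def adjusted_incidents_before(self) -> float:
        # Scale the earlier count to the later target population (2 of 50 -> 3 of 75 in the article).
        return self.incidents_before * self.targets_after / self.targets_before

    def rosi(self) -> float:
        """ROSI = (R_before - R_after) / TCP, with R_after including the protection cost,
        as in the article's laptop example. Profitable when the ratio exceeds 1."""
        r_before = self.adjusted_incidents_before() * self.cost_per_incident()
        r_after = self.incidents_after * self.cost_per_incident() + self.tcp()
        return (r_before - r_after) / self.tcp()

    def breakeven_info_value(self) -> float:
        """Vi at which ROSI is exactly 1: solving (p*C - TCP)/TCP = 1 gives C = 2*TCP/p."""
        prevented = self.adjusted_incidents_before() - self.incidents_after
        return 2 * self.tcp() / prevented - self.replacement_cost

    def max_cost_per_target(self) -> float:
        """Largest per-asset protection price for which ROSI is still 1."""
        prevented = self.adjusted_incidents_before() - self.incidents_after
        # (p*C - n*x) / (n*x) = 1  ->  x = p*C / (2n)
        return prevented * self.cost_per_incident() / (2 * self.targets_after)


# Figures from the article's sample calculation: 2 of 50 stolen, then 1 of 75 with €60 locks.
LAPTOP_LOCKS = Measure("laptop locks", 2, 50, 1, 75, 60.0, 1800.0)

# Constructed candidates (assumed figures, not from the article) for the budget step.
CANDIDATES = [
    LAPTOP_LOCKS,
    Measure("host firewall", 5, 100, 1, 100, 12.0, 1500.0),
    Measure("badge readers", 3, 40, 2, 40, 200.0, 1000.0),
    Measure("mail filtering", 10, 200, 2, 200, 12.5, 700.0),
]
ASSUMED_ALE = 20_000.0  # constructed annual loss expectancy; the article caps the budget at ALE


def select_measures(candidates, requested_budget, ale=ASSUMED_ALE):
    """Rank by ROSI, keep only measures with ROSI > 1, and spend no more than min(budget, ALE)."""
    budget = min(requested_budget, ale)
    chosen, spent = [], 0.0
    for m in sorted(candidates, key=lambda m: m.rosi(), reverse=True):
        if m.rosi() <= 1:
            break  # everything after this point is unprofitable
        if spent + m.tcp() <= budget:
            chosen.append(m.name)
            spent += m.tcp()
    return chosen, spent


if __name__ == "__main__":
    print(f"laptop locks, Vi=0: ROSI = {LAPTOP_LOCKS.rosi():.2f}")
    print(f"break-even information value: EUR {LAPTOP_LOCKS.breakeven_info_value():.0f}")
    print(f"maximum lock price per laptop: EUR {LAPTOP_LOCKS.max_cost_per_target():.0f}")
    print(select_measures(CANDIDATES, requested_budget=5000.0))
```

With the article's numbers and Vi = 0 the ratio comes out negative (the locks cost more than the loss they avoid), the maximum lock price is €24 as the article states, and the information on each laptop has to be worth €2700 before the €60 locks reach a ROSI of 1. The selection step is a plain greedy pass over the ranked list; a practitioner would feed it real incident counts and costs for the same periods, since a guessed CTbefore can be tuned to make any measure look profitable.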