[from: www.camagazine.com/index.cfm?ci_id=14138&la_id=1]


Determining the ROI in IT security

How do you know how much is enough?

By Greg McLean and Jason Brown

Calculating the return on an investment is always a prudent move, especially in an uncertain economy. But how do you measure intangibles such as information technology, where costs can run higher than vendors' promises? Weighing the return against the investment is nonetheless a vital part of securing the best value per dollar spent. Here we'll look at the ROI of IT security and present an ROI estimation model to help you answer the question: how much is enough?

Historically, ROI models have focused on the dollars to be saved on current operations and not included secondary benefits. An ROI estimation on security initiatives needs to consider both quantitative and qualitative factors. Quantitative ROI attempts to assign independent, objective numeric values (hard dollars) to the potential investment return and the assessment of potential losses to be prevented. Qualitative ROI, on the other hand, addresses more intangible values of data loss or an expected improvement in operating efficiencies.

In other words, network security should not be planned around a payback on the investment dollar in the form of reduced administration costs. It should be planned around giving senior management confidence that intruders are being kept out of the network, that errors and omissions are being kept to an acceptable level of risk, and that security will act as an enabler for electronic business, not an inhibitor.

When all elements are measured, rated and assigned values, the process is considered fully quantitative. However, it must be stressed that an accurate quantitative ROI is not possible, because qualitative measures must be applied in the course of the ROI calculation. Just because the numbers look hard on paper does not mean an ROI can be forecast with any certainty.

As mentioned earlier, the imputed benefits of an IT security investment need to be taken into consideration when determining a return on security expenditures. These benefits include:
• Speed to market on all new business initiatives, since the networks do not need to be redesigned to allow for a secure offering.
• Project development time is reduced, as security is already built into the network.
• Less project/system development time is spent detecting and correcting security-related errors, since network security is part of the core of the design.
• Regression testing required to ensure security standards are met whenever new application development is completed would be minimal.
• New projects can make application-level security their primary focus; network security generally would not need to be reworked for any of the new applications.
• New application initiatives generally can be treated as an add-on to the existing network architecture.
• E-commerce initiatives are designed for maximum uptime and redundancy, and being outsourced allows for flexibility.
• Audit standards are being met with regard to network security.
• Risk management can be more accurate about the level of risk actually being taken and the actions required to mitigate it. This allows senior management to make a better-founded decision between eliminating or reducing a risk and accepting it.
• The NOC (network operations centre) would perform basic CIRT (computer incident response team) functions, allowing certain incidents to be contained and acted upon.

Similarly, additional costs must also be considered when gauging the overall ROI on the security of the environment. These include:
• The initial setup and configuration of each of the platforms/appliances.
• Potential loss of the network during the initial setup and during ongoing maintenance.
• Obsolete or malfunctioning equipment replacement.
• Process re-engineering of certain functions within the company: creation of new processes and related staff training.
• Audit assessments of the environment to ensure the network meets the minimum security requirements.

The following ROI estimation model touches on the majority of the losses, the costs to circumvent potential losses, and the revenue potential that can be realized by implementing a hardened environment. Its intent is to provide a guideline on the areas that should be considered when calculating an ROI on a security investment. Each organization will differ according to its current environment of security tools and its reliance on the IT environment for doing business.

To make the ROI estimation model more meaningful, the categories have been filled in by numbers representing a hypothetical retail/wholesale/manufacturing company. Let's say this company grosses $20 million in sales. These sales are either through traveling sales staff sending in orders via the Internet or customers placing orders directly. One-quarter of the orders are electronic sales orders from a single point of entry with redundancy and a single network environment (LAN). Office support applications already reside in a secure network environment. Equipment for the electronic sales environment is purchased, not leased.

Please note that estimates for the ROI calculation are presented on the conservative side so as to not overstate the return that could be realized.

1. Security exposure

| Type of exposure | Description | Estimated loss in terms of $ |
|---|---|---|
| A. Financial exposure (qualitative) | | |
| Denial of service / lack of redundancy (single point of failure) | Access to services/products/information is denied. | $13,500 for each day, based on the assumptions stated above |
| Unauthorized insider use | Employees accessing specific information without permission (e.g., a customer service representative accessing HR data). | N/A |
| Property theft – information | Customer lists, research and development data, marketing plans. | N/A |
| Property theft – hardware | Stolen laptop: cost to replace and/or recover. | $5,000 per laptop |
| Subtotal of A | | $18,500 |
| B. Inefficient processes (quantitative) | | |
| Password resets | The cost of having the help desk or IT personnel reset a user's password, and the resulting lost productivity (average cost multiplied by the estimated number of resets completed each year). | $5,000 [1] |
| Profile setup/change | Manual creation of user credentials each time an employee is hired or terminated, or each time an employee changes position (time required multiplied by number of incidents). | $30,000 [2] |
| Inefficient skill allocation | Errors caused by insufficiently trained or experienced staff (cost of correcting an error multiplied by number of incidents). | N/A |
| Loss due to lease penalties on hardware | Based on details in the lease agreement. | N/A (our example assumes a full purchase) |
| Subtotal of B | | $35,000 |
| C. Intangible cost (quantitative) | | |
| Loss to public image | Loss of confidence from public/clients due to a publicized security breach. | $67,500 [3] |
| Denial of network resources | Loss of productive hours multiplied by number of employees affected. | $13,500 [4] |
| Subtotal of C | | $81,000 |
| Total security exposure cost (A + B + C) | | $134,500 |

[1] Estimate of $50 per reset, with approximately 10% of the workforce requesting password resets.
[2] Estimate of $100 per setup/change/deletion, with a staff change rate of 30% of the workforce (30% are either hired, leave or change functions within the organization).
[3] We have assumed five days of lost sales due to clients losing confidence that their charge card information and/or privacy information is secure.
[4] We have assumed an accumulated total of one business day for the year lost due to a loss of access to files critical for business.


Investment - setup

NOTE: Some of these investment costs may not need to be incurred, as the items may already exist within your organization.

| 1. Type of investment | Description | Estimated cost |
|---|---|---|
| Firewall | Cost of the firewalls to be purchased or upgraded to protect the network from unauthorized access. | $5,000 |
| Intrusion detection | Cost of an intrusion detection system (or monitoring service) to detect attempts to access the network without permission, and the cost to react to detected intrusions. | $10,000 |
| Anti-virus | Cost of the software licensing to protect network resources against viruses, Trojan horses, worms, etc. | N/A |
| Policy/procedure | Cost to create and maintain the written rules outlining the requirements to be followed for information security, and to educate company personnel on them. | $50,000 |
| Content filtering | Cost of the software to identify and block inappropriate content from web and email. | $6,000 |
| Re-engineering of security administration processes | Cost to re-engineer the current security administration process to ensure users have only the access authorities required to do their jobs. | $50,000 |
| Total setup investment requirement | | $121,000 |
Investment - maintenance

| 2. Ongoing maintenance | Description | Estimated cost |
|---|---|---|
| Firewall | In-house management plus yearly maintenance | $1,000 |
| Site IDS sensor | In-house management plus yearly maintenance | $1,000 |
| Content filter | 1,000 seats (as per the assumed number of employees) | $8,000 |
| Content filter server | In-house management plus yearly maintenance | $1,000 |
| Secured mail gateway | In-house management plus yearly maintenance | $2,000 |
| Anti-virus | 1,000 seats (as per the assumed number of employees) | $20,000 |
| Carrier network management | Servers managed by in-house staff but monitored by the carrier NOC | $40,000 |
| Diverse network access | Multi-tier, traffic-based network pricing with local loop and first traffic tier included | $20,000 |
| Managed redundant firewalls | Carrier NOC performs monitoring and management; customer owns the equipment | $15,000 |
| E-comm servers | In-house management plus yearly maintenance | $3,000 |
| Managed IDS sensor | Carrier NOC performs monitoring and management; customer owns the equipment | $25,000 |
| Total maintenance costs | | $136,000 |
Estimated return / recapture of exposure

Elimination of security investment: total of Section 2 minus Section 1. As this is only an estimate of both qualitative and quantitative capital expenditures, the estimate for any potential return (on lost revenue, increased productivity, etc.) should be calculated over a three-year period. It should be noted, however, that costs may be recovered in less than three years, in which case the potential ROI would be realized sooner.

| Year | Description | Estimated cost |
|---|---|---|
| 1st year cost | Cost estimate incurred in the first year | $176,300 |
| 2nd year cost | Cost estimate incurred in the second year | $176,300 |
| 3rd year cost | Cost estimate incurred in the third year | $176,300 |

The potential recapture of lost revenue/productivity realized on an annual basis with the increased/hardened security, after the cost of upgrading the security has been recognized as an expense (angle brackets denote a negative amount):

ROI per year: <$41,800>

Using the costs and returns outlined in the ROI calculation generally will not produce a positive return unless the current costs/losses are high.
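The estimation model above, reproduced as an added Python example (not from the original article) so the figures can be re-run under different assumptions. It assumes 1,000 employees (the seat count used in the maintenance table), one stolen laptop per year, and that the yearly cost is the setup investment amortized over three years plus maintenance, rounded to the nearest $100 as the article's figures appear to be.

```python
from dataclasses import dataclass


@dataclass
class Assumptions:
    """Constructed inputs for the article's hypothetical company."""
    employees: int = 1_000           # seat count used in the maintenance table
    daily_outage_loss: int = 13_500  # article's per-day denial-of-service loss
    laptop_replacement: int = 5_000  # one stolen laptop per year (assumption)
    reset_cost: int = 50             # footnote 1: $50 per reset, 10% of staff
    reset_share: float = 0.10
    change_cost: int = 100           # footnote 2: $100 per change, 30% turnover
    change_share: float = 0.30
    breach_days: int = 5             # footnote 3: five days of lost sales
    outage_days: int = 1             # footnote 4: one business day without files


# Setup (section 1) and yearly maintenance (section 2) figures from the article.
SETUP = {"firewall": 5_000, "ids": 10_000, "policy": 50_000,
         "content_filter": 6_000, "admin_reengineering": 50_000}
MAINTENANCE = {"firewall": 1_000, "ids_sensor": 1_000, "content_filter": 8_000,
               "content_filter_server": 1_000, "mail_gateway": 2_000,
               "anti_virus": 20_000, "carrier_network_mgmt": 40_000,
               "diverse_access": 20_000, "managed_firewalls": 15_000,
               "ecomm_servers": 3_000, "managed_ids": 25_000}


def exposure(a: Assumptions) -> dict:
    """Annual exposure by section: A financial, B inefficient processes, C intangible."""
    sec_a = a.daily_outage_loss + a.laptop_replacement
    resets = round(a.employees * a.reset_share)    # people needing a reset per year
    changes = round(a.employees * a.change_share)  # hires, departures, moves per year
    sec_b = a.reset_cost * resets + a.change_cost * changes
    sec_c = a.daily_outage_loss * (a.breach_days + a.outage_days)
    return {"A": sec_a, "B": sec_b, "C": sec_c, "total": sec_a + sec_b + sec_c}


def yearly_cost(setup: dict, maintenance: dict, years: int = 3) -> float:
    """Maintenance plus setup amortized over the recovery period, rounded to $100."""
    return round(sum(maintenance.values()) + sum(setup.values()) / years, -2)


def roi_per_year(a: Assumptions, years: int = 3) -> float:
    """Exposure recaptured minus the yearly cost; negative means no hard-dollar payback."""
    return exposure(a)["total"] - yearly_cost(SETUP, MAINTENANCE, years)


if __name__ == "__main__":
    base = Assumptions()
    print(exposure(base), yearly_cost(SETUP, MAINTENANCE), roi_per_year(base))
    # Doubling the assumed breach outage is enough to turn the return positive.
    print(roi_per_year(Assumptions(breach_days=10)))
```

With the article's inputs the model returns the negative <$41,800>; raising the assumed breach outage from five to ten days is enough to make the same model show a positive return.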

In addition, an ROI calculation model should not be viewed as a one-time assessment or recovery of lost revenue/productivity. IT security should be an ongoing process.

ROI with regard to IT security has historically focused on an actual payback, where introducing certain tools or devices reduces your operating costs. This is quite often not the case. Since security acts as insurance for your data and/or client/customer information, any return attributed to required security should be framed in those terms.

ROI models have also focused on a point-in-time dollar expenditure, but holistic security models are not point-in-time models. Expenditure requirements change within a short period for any company, and equipment becomes cheaper over time. Security expenditure needs to include the additional derived benefits that come with having the appropriate levels of controls.

Greg McLean, CISA, CISSP, FCSI, ABCP (greg.mclean@cgi.com), is an executive consultant with CGI in Toronto. Jason Brown, CCNA, MCSE, is also a consultant with CGI.