Information-security managers must grasp the economics of security to protect their companies
As any victim of a significant cyberattack will tell you, there's a financial dimension to these crimes. Even for nonvictims, there's an obvious financial hit a company takes in implementing security measures to prevent losses. Those firewalls cost money and so do the salaries of the security professionals who manage them.
Unfortunately, relatively little attention has been paid to the economics of information security. There's occasional discussion of exorbitant losses in the more spectacular cases, but what about the indirect costs and negative impact on companies' reputations?
Information-security managers trying to defend budget requests have sometimes talked about return on investment, but only with mixed results. After all, what exactly is the ROI of a firewall? In a similar vein, you don't usually hear information-security managers talk about capital-budgeting techniques, like the net present value or internal rate of return, as applied to investments in infrastructure assets for information security.
CFOs, however, use capital-budgeting techniques routinely, and managers of other departments usually compete for funds on exactly those terms. Since information-security managers are up against those other managers for their fair share of the budget, it behooves them to catch up with peers who already talk the talk of contemporary capital budgeting. Economists have recently turned their attention toward cybercrime, and information-security managers are starting to borrow a few tools of the trade.
INDIRECT COSTS COUNT
[Sidebar; the headline figures were not preserved in this copy] The average annual cost of proprietary information theft, and how high the indirect costs associated with a theft can rise for a company of typical size, with a market cap of $500 million.
Data: 2003 CSI/FBI survey
Aside from tussles over budgets, security managers who hope to make optimal decisions about security strategy may find that economic-modeling techniques lead them to better decisions, even completely apart from worries about cost effectiveness.
"The metrics we have right now--the ones we use for assessing vulnerability and for measuring the effectiveness of our investments--are all based on subjective judgments," says Adam Stone, an analyst specializing in security management for the financial-services industry. "They're fundamentally flawed."
Some security managers are grappling with ways to provide economic justification for their information-security investments via concepts such as ROI and net present value. One information-security manager at a major multinational company (both the manager and the company requested anonymity--see the section on disincentives for information sharing for some reasons why companies might prefer to remain anonymous) says the company's ongoing program to measure the ROI of its intrusion-prevention systems includes checklist items such as the cost of remediation of network problems flagged by the system.
Oracle took a similar approach when it wanted to change an intrusion-detection system within its data center. "We did an analysis of how many alerts we got, how many people it took to run those alerts down, and how many of those were false positives," says Mary Ann Davidson, chief security officer at Oracle. "For the [system] we had in place, we got something like 80,000 alerts a week, and the false-positive rate was 60% to 70%."
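The two threads above, the capital-budgeting framing (ROI, net present value, internal rate of return) and Oracle's alert-count approach to judging an intrusion-detection system, can be combined into one small model. The following is an added example written for this page, not code from the article, from Oracle or from the anonymous multinational. Only the 80,000 alerts per week and the 60% to 70% false-positive rate of the old system come from the quote; the per-alert triage time, the analyst hourly cost, the replacement system's profile, its capital and license costs, the discount rate and the planning horizon are all constructed assumptions chosen for illustration.

```python
"""Capital-budgeting model for replacing a noisy intrusion-detection system.

Added example for illustration; not code from the article or from Oracle.
The 80,000 alerts/week and 65% false-positive rate of the old system come
from the article's quote; every other number is a constructed assumption.
"""
from dataclasses import dataclass

WEEKS_PER_YEAR = 52


@dataclass(frozen=True)
class IdsProfile:
    name: str
    alerts_per_week: float
    false_positive_rate: float  # fraction of alerts that turn out to be noise
    minutes_per_alert: float    # average analyst time to run down one alert


# Old system: alert volume and false-positive rate as quoted; triage time assumed.
OLD_IDS = IdsProfile("legacy IDS", alerts_per_week=80_000,
                     false_positive_rate=0.65, minutes_per_alert=0.3)
# Candidate: fewer, higher-fidelity alerts that each take longer to work (assumed).
NEW_IDS = IdsProfile("replacement IDS", alerts_per_week=8_000,
                     false_positive_rate=0.20, minutes_per_alert=0.75)

ANALYST_HOURLY_COST = 60.0     # assumed fully loaded cost per analyst hour
REPLACEMENT_CAPEX = 500_000.0  # assumed one-time purchase and deployment cost
ANNUAL_LICENSE = 100_000.0     # assumed yearly support/license for the new system
DISCOUNT_RATE = 0.10           # assumed hurdle rate the CFO applies
HORIZON_YEARS = 3              # assumed planning horizon


def triage_hours_per_year(p: IdsProfile) -> float:
    """Analyst hours per year spent running down alerts, true and false alike."""
    return p.alerts_per_week * WEEKS_PER_YEAR * p.minutes_per_alert / 60.0


def wasted_hours_per_year(p: IdsProfile) -> float:
    """Portion of that time spent confirming false positives."""
    return triage_hours_per_year(p) * p.false_positive_rate


def annual_triage_cost(p: IdsProfile, hourly_cost: float = ANALYST_HOURLY_COST) -> float:
    """Yearly labour cost of living with this system's alert stream."""
    return triage_hours_per_year(p) * hourly_cost


def npv(rate: float, cash_flows: list[float]) -> float:
    """Net present value; cash_flows[0] is the time-0 outlay (negative)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: list[float], lo: float = -0.99, hi: float = 10.0,
        iters: int = 200) -> float:
    """Internal rate of return by bisection on npv(rate) == 0.

    Assumes a conventional project (one outlay, then positive savings), so the
    NPV curve crosses zero exactly once between lo and hi.
    """
    f_lo = npv(lo, cash_flows)
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if (f_mid < 0) == (f_lo < 0):   # same sign as the low end: root is above mid
            lo, f_lo = mid, f_mid
        else:                           # sign changed: root is below mid
            hi = mid
    return (lo + hi) / 2.0


def replacement_cash_flows(old: IdsProfile, new: IdsProfile,
                           capex: float = REPLACEMENT_CAPEX,
                           license_cost: float = ANNUAL_LICENSE,
                           years: int = HORIZON_YEARS) -> list[float]:
    """Time-0 outlay followed by the yearly labour saving net of license cost."""
    saving = annual_triage_cost(old) - annual_triage_cost(new) - license_cost
    return [-capex] + [saving] * years


def evaluate_replacement(old: IdsProfile = OLD_IDS, new: IdsProfile = NEW_IDS,
                         rate: float = DISCOUNT_RATE) -> dict:
    """The numbers a security manager would put in front of a CFO."""
    flows = replacement_cash_flows(old, new)
    return {"annual_saving": flows[1], "npv": npv(rate, flows), "irr": irr(flows)}


if __name__ == "__main__":
    for p in (OLD_IDS, NEW_IDS):
        print(f"{p.name}: {triage_hours_per_year(p):,.0f} analyst-hours/yr, "
              f"{wasted_hours_per_year(p):,.0f} of them on false positives, "
              f"${annual_triage_cost(p):,.0f}/yr in labour")
    r = evaluate_replacement()
    print(f"replacement: saves ${r['annual_saving']:,.0f}/yr, "
          f"NPV ${r['npv']:,.0f} at {DISCOUNT_RATE:.0%}, IRR {r['irr']:.0%}")
```

The point of the model is the shape of the argument rather than the particular figures: the alert count and false-positive rate turn into analyst-hours, analyst-hours turn into a yearly cash flow, and that cash flow is what NPV and IRR need. A manager who can show the CFO a positive NPV at the corporate hurdle rate is competing on the same terms as every other department; a manager who can only say "we need a better IDS" is not. The bisection in irr assumes a single sign change in the cash flows, which holds for a buy-once, save-yearly project but not for one with large mid-life outlays.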