3/25/2004 01:47 PM

The New Economics of Information Security

Information-security managers must grasp the economics of security to protect their companies

As any victim of a significant cyberattack will tell you, there's a financial dimension to these crimes. Even for nonvictims, there's an obvious financial hit a company takes in implementing security measures to prevent losses. Those firewalls cost money and so do the salaries of the security professionals who manage them.

Unfortunately, relatively little attention has been paid to the economics of information security. There's occasional discussion of exorbitant losses in the more spectacular cases, but what about the indirect costs and negative impact on companies' reputations?

Information-security managers trying to defend budget requests have sometimes talked about return on investment, but only with mixed results. After all, what exactly is the ROI of a firewall? In a similar vein, you don't usually hear information-security managers talk about capital-budgeting techniques, such as net present value or internal rate of return, as applied to investments in infrastructure assets for information security.

However, CFOs certainly do use capital-budgeting techniques regularly, and the managers of other departments usually compete for funds on those terms. Since information-security managers are up against those other managers for their fair share of the budget, it behooves them to catch up with peers who already talk the talk of contemporary capital budgeting. Economists have recently turned their attention toward cybercrime, and information-security managers are now starting to borrow a few tools of the trade.

INDIRECT COSTS COUNT

$2.7 million is the average annual cost of proprietary information theft.

$10 million is how high the indirect costs associated with a theft can rise for a company of typical size, with a market cap of $500 million.

Data: 2003 CSI/FBI survey


Aside from tussles over budgets, security managers who hope to make optimal decisions about security strategy may find that economic-modeling techniques lead them to better decisions, even completely apart from worries about cost effectiveness.

"The metrics we have right now--the ones we use for assessing vulnerability and for measuring the effectiveness of our investments--are all based on subjective judgments," says Adam Stone, an analyst specializing in security management for the financial-services industry. "They're fundamentally flawed."

Some security managers are grappling with ways to provide economic justification for their information-security investments via concepts such as ROI and net present value. One information-security manager at a major multinational company (both the manager and the company requested anonymity--see the section on disincentives for information sharing for some reasons why companies might prefer to remain anonymous) says the company's ongoing program to measure the ROI of its intrusion-prevention systems includes checklist items such as the cost of remediation of network problems flagged by the system.

Oracle took a similar approach when it wanted to change an intrusion-detection system within its data center. "We did an analysis of how many alerts we got, how many people it took to run those alerts down, and how many of those were false positives," says Mary Ann Davidson, chief security officer at Oracle. "For the [system] we had in place, we got something like 80,000 alerts a week, and the false-positive rate was 60% to 70%."
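The two calculations the article gestures at, the staffing cost of running alerts down and the NPV and IRR that a CFO would apply to replacing the system, can be written out in a few lines. What follows is an added example, not code from the article, from Oracle or from the anonymous multinational. The only figures taken from the article are the 80,000 alerts a week and the 60% to 70% false-positive rate (used here as 65%); the minutes per alert, the analyst hourly cost, the tuned system's alert volume, the capital outlay, the operating cost, the three-year life and the 10% discount rate are all assumptions chosen for illustration.

```python
"""Added example (not from the article): two back-of-the-envelope models
that turn IDS alert statistics and a security capital outlay into the
figures a CFO asks for, yearly triage cost and NPV/IRR.

The 80,000 alerts/week and 60-70% false-positive rate come from the
Oracle quote; every other number here (minutes per alert, hourly cost,
capex, opex, discount rate, the tuned system's alert volume) is an
assumption chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TriageProfile:
    alerts_per_week: float
    false_positive_rate: float  # fraction of alerts that are noise, 0..1
    minutes_per_alert: float    # assumed average analyst time per alert
    analyst_hourly_cost: float  # assumed fully loaded cost per analyst hour


def annual_triage_cost(p: TriageProfile) -> Dict[str, float]:
    """Yearly analyst cost of running alerts down, and the share wasted on
    false positives. FTE equivalent assumes 1,800 productive hours a year."""
    alerts_year = p.alerts_per_week * 52
    hours_year = alerts_year * p.minutes_per_alert / 60.0
    total = hours_year * p.analyst_hourly_cost
    return {
        "alerts_per_year": alerts_year,
        "analyst_hours": hours_year,
        "total_cost": total,
        "false_positive_cost": total * p.false_positive_rate,
        "fte_equivalent": hours_year / 1800.0,
    }


def npv(rate: float, cash_flows: List[float]) -> float:
    """Net present value. cash_flows[0] is the up-front outlay (negative),
    cash_flows[t] the net flow at the end of year t."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-7) -> float:
    """Internal rate of return: the discount rate at which NPV is zero,
    found by bisection. Assumes a conventional project (one negative
    outlay, then positive flows) so NPV falls monotonically with rate
    and has a single root in [lo, hi]."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on [lo, hi]; no IRR there")
    mid = lo
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            break
        if f_lo * f_mid < 0:
            hi = mid            # root lies between lo and mid
        else:
            lo, f_lo = mid, f_mid  # root lies between mid and hi
    return mid


def replacement_case(old: TriageProfile, new: TriageProfile, capex: float,
                     annual_opex: float, years: int,
                     discount_rate: float) -> Dict[str, object]:
    """Capital-budgeting view of swapping one IDS for another: the benefit
    is the yearly triage cost removed, netted against the new system's
    operating cost, discounted at the company's cost of capital."""
    savings = (annual_triage_cost(old)["total_cost"]
               - annual_triage_cost(new)["total_cost"])
    flows = [-capex] + [savings - annual_opex] * years
    return {
        "annual_savings": savings,
        "cash_flows": flows,
        "npv": npv(discount_rate, flows),
        "irr": irr(flows),
    }


# Constructed sample: the article's 80,000 alerts/week at a 65% false-positive
# rate (midpoint of 60-70%), versus an assumed tuned replacement.
OLD_IDS = TriageProfile(alerts_per_week=80_000, false_positive_rate=0.65,
                        minutes_per_alert=0.1, analyst_hourly_cost=60.0)
NEW_IDS = TriageProfile(alerts_per_week=8_000, false_positive_rate=0.20,
                        minutes_per_alert=0.1, analyst_hourly_cost=60.0)


def example_case() -> Dict[str, object]:
    """The worked case: assumed $500k outlay, $120k/yr to run, three-year
    life, 10% cost of capital."""
    return replacement_case(OLD_IDS, NEW_IDS, capex=500_000.0,
                            annual_opex=120_000.0, years=3, discount_rate=0.10)


if __name__ == "__main__":
    old = annual_triage_cost(OLD_IDS)
    print(f"old IDS: {old['alerts_per_year']:,.0f} alerts/yr, "
          f"{old['fte_equivalent']:.1f} FTE, ${old['total_cost']:,.0f}/yr, "
          f"${old['false_positive_cost']:,.0f} of it on false positives")
    case = example_case()
    print(f"annual savings ${case['annual_savings']:,.0f}; "
          f"NPV ${case['npv']:,.0f}; IRR {case['irr']:.1%}")
```

The point of the split between `annual_triage_cost` and `replacement_case` is that the first is the measurement Davidson describes (volume, people, false positives) and the second is the form in which other departments present a capital request. A positive NPV at the company's discount rate, or an IRR above it, is the same test a CFO applies to a warehouse or a fleet; the false-positive share of the triage cost is the line that shows why tuning or replacing a noisy IDS is a cost-reduction project rather than a pure insurance premium.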

Page 1 of 3