Information-security managers must grasp the economics of security to protect their companies
As any victim of a significant cyberattack will tell you, there's a financial dimension to these crimes. Even for nonvictims, there's an obvious financial hit a company takes in implementing security measures to prevent losses. Those firewalls cost money and so do the salaries of the security professionals who manage them.
Unfortunately, relatively little attention has been paid to the economics of information security. There's occasional discussion of exorbitant losses in the more spectacular cases, but what about the indirect costs and negative impact on companies' reputations?
Information-security managers trying to defend budget requests have sometimes talked about return on investment, but only with mixed results. After all, what exactly is the ROI of a firewall? In a similar vein, you don't usually hear information-security managers talk about capital-budgeting techniques, like the net present value or internal rate of return, as applied to investments in infrastructure assets for information security.
However, CFOs certainly do use capital-budgeting techniques regularly, and managers of other departments usually compete for funds on the basis of them. Since information-security managers are up against those other managers for their fair share of the budget, it behooves them to catch up with peers who already talk the talk of contemporary capital budgeting. Economists have recently turned their attention toward cybercrime, and information-security managers are now starting to borrow a few tools of the trade.
[Sidebar, INDIRECT COSTS COUNT: the average annual cost of proprietary information theft, and how high the indirect costs associated with a theft can rise for a company of typical size, with a market cap of $500 million. Data: 2003 CSI/FBI survey.]
Aside from tussles over budgets, security managers who hope to make optimal decisions about security strategy may find that economic-modeling techniques lead them to better decisions, even completely apart from worries about cost effectiveness.
"The metrics we have right now--the ones we use for assessing vulnerability and for measuring the effectiveness of our investments--are all based on subjective judgments," says Adam Stone, an analyst specializing in security management for the financial-services industry. "They're fundamentally flawed."
Some security managers are grappling with ways to provide economic justification for their information-security investments via concepts such as ROI and net present value. One information-security manager at a major multinational company (both the manager and the company requested anonymity--see the section on disincentives for information sharing for some reasons why companies might prefer to remain anonymous) says the company's ongoing program to measure the ROI of its intrusion-prevention systems includes checklist items such as the cost of remediation of network problems flagged by the system.
Oracle took a similar approach when it wanted to change an intrusion-detection system within its data center. "We did an analysis of how many alerts we got, how many people it took to run those alerts down, and how many of those were false positives," says Mary Ann Davidson, chief security officer at Oracle. "For the [system] we had in place, we got something like 80,000 alerts a week, and the false-positive rate was 60% to 70%."
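As an added worked example (not from the article, Oracle, or any of the people quoted), this is the capital-budgeting arithmetic the article says security managers should borrow, applied to the intrusion-detection figures quoted above (80,000 alerts a week, 60% to 70% false positives). The triage minutes per alert, analyst hourly cost, the replacement system's alert volume and false-positive rate, its price, upkeep, horizon and discount rate are all constructed assumptions.

```python
# Constructed assumptions (not from the article): triage minutes per alert,
# analyst hourly cost, the replacement system's alert volume and false-positive
# rate, purchase price, yearly upkeep, planning horizon and discount rate.
WEEKS_PER_YEAR = 52


def annual_fp_triage_cost(alerts_per_week, fp_rate, minutes_per_alert, hourly_cost):
    """Analyst labour spent per year running down alerts that turn out to be false positives."""
    fp_alerts = alerts_per_week * WEEKS_PER_YEAR * fp_rate
    return fp_alerts * minutes_per_alert / 60.0 * hourly_cost


def npv(rate, cash_flows):
    """Net present value; cash_flows[0] is paid today, cash_flows[t] at the end of year t."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-9):
    """Internal rate of return by bisection; assumes NPV changes sign exactly once on [lo, hi]."""
    f_lo = npv(lo, cash_flows)
    mid = (lo + hi) / 2.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            break
        if (f_lo < 0) == (f_mid < 0):   # same sign as the low end: root is in the upper half
            lo, f_lo = mid, f_mid
        else:                            # sign changed: root is in the lower half
            hi = mid
    return mid


def ids_replacement_case(discount_rate=0.10, years=3):
    """Capital-budgeting view of swapping the 80,000-alert/week IDS for a quieter one."""
    minutes_per_alert, hourly_cost = 0.5, 60.0                                        # constructed
    old_cost = annual_fp_triage_cost(80_000, 0.65, minutes_per_alert, hourly_cost)    # article's figures
    new_cost = annual_fp_triage_cost(10_000, 0.20, minutes_per_alert, hourly_cost)    # constructed
    purchase, upkeep = 1_500_000.0, 200_000.0                                         # constructed
    yearly_benefit = old_cost - new_cost - upkeep          # labour saved, net of upkeep
    flows = [-purchase] + [yearly_benefit] * years          # year 0 outlay, then annual net benefit
    return {
        "old_fp_cost": old_cost,
        "new_fp_cost": new_cost,
        "yearly_benefit": yearly_benefit,
        "npv": npv(discount_rate, flows),
        "irr": irr(flows),
    }


if __name__ == "__main__":
    for name, value in ids_replacement_case().items():
        print(f"{name:>15}: {value:,.4f}")
```

A positive NPV at the CFO's discount rate, or an IRR above it, is the same yardstick the other departments' proposals are measured by; the false-positive rate is what drives the labour term, so narrowing it is where a vendor's claims should be checked.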