The New Economics of Information Security - InformationWeek

Information-security managers must grasp the economics of security to protect their companies

As any victim of a significant cyberattack will tell you, there's a financial dimension to these crimes. Even for nonvictims, there's an obvious financial hit a company takes in implementing security measures to prevent losses. Those firewalls cost money and so do the salaries of the security professionals who manage them.

Unfortunately, relatively little attention has been paid to the economics of information security. There's occasional discussion of exorbitant losses in the more spectacular cases, but what about the indirect costs and negative impact on companies' reputations?

Information-security managers trying to defend budget requests have sometimes talked about return on investment, but only with mixed results. After all, what exactly is the ROI of a firewall? In a similar vein, you don't usually hear information-security managers talk about capital-budgeting techniques, such as net present value or internal rate of return, as applied to investments in information-security infrastructure assets.

However, CFOs certainly do use capital-budgeting techniques regularly, and managers of other departments usually compete for funds on that basis. Since information-security managers are up against those other managers for their fair share of the budget, it behooves them to catch up with peers who already talk the talk of contemporary capital budgeting. Economists have recently turned their attention toward cybercrime, and information-security managers are now starting to borrow a few tools of the trade.


$2.7 million
is the average annual cost of proprietary information theft

$10 million
is how high the indirect costs associated with a theft can rise for a company of typical size, with a market cap of $500 million

Data: 2003 CSI/FBI survey

Aside from tussles over budgets, security managers who hope to make optimal decisions about security strategy may find that economic-modeling techniques lead them to better decisions, even completely apart from worries about cost effectiveness.

"The metrics we have right now--the ones we use for assessing vulnerability and for measuring the effectiveness of our investments--are all based on subjective judgments," says Adam Stone, an analyst specializing in security management for the financial-services industry. "They're fundamentally flawed."

Some security managers are grappling with ways to provide economic justification for their information-security investments via concepts such as ROI and net present value. One information-security manager at a major multinational company (both the manager and the company requested anonymity--see the section on disincentives for information sharing for some reasons why companies might prefer to remain anonymous) says the company's ongoing program to measure the ROI of its intrusion-prevention systems includes checklist items such as the cost of remediation of network problems flagged by the system.

Oracle took a similar approach when it wanted to change an intrusion-detection system within its data center. "We did an analysis of how many alerts we got, how many people it took to run those alerts down, and how many of those were false positives," says Mary Ann Davidson, chief security officer at Oracle. "For the [system] we had in place, we got something like 80,000 alerts a week, and the false-positive rate was 60% to 70%."
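As an added worked example (not code from the article, from Oracle, or from the anonymous manager), the following Python ties the two ideas above together: it prices an intrusion-detection replacement the way Davidson describes, from alert volume and false-positive rate, and then runs the resulting cash flows through the net-present-value and internal-rate-of-return techniques mentioned earlier. The only figures taken from the article are the 80,000 alerts per week and the 60% to 70% false-positive rate (65% is used as the midpoint); the replacement system's alert volume, the minutes spent per alert, the analyst hourly rate, the purchase price, the maintenance cost, the three-year horizon and the 10% discount rate are all constructed assumptions.

```python
"""Capital-budgeting view of a security investment (added example).

npv() and irr() are plain textbook implementations; the scenario figures
in ids_replacement_case() are constructed except where noted.
"""
from typing import Dict, List


def npv(rate: float, cashflows: List[float]) -> float:
    """Net present value. cashflows[0] occurs now (undiscounted),
    cashflows[t] at the end of year t."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cashflows))


def irr(cashflows: List[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-7) -> float:
    """Internal rate of return: the discount rate at which NPV is zero,
    found by bisection. Assumes the conventional shape of one initial
    outlay followed by inflows, so there is a single sign change."""
    f_lo, f_hi = npv(lo, cashflows), npv(hi, cashflows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on the bracket; no single IRR")
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cashflows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def annual_triage_cost(alerts_per_week: float, false_positive_rate: float,
                       minutes_per_alert: float, hourly_rate: float,
                       weeks: int = 52) -> float:
    """Analyst labour spent running down false positives in a year,
    the quantity Davidson describes counting for the old system."""
    fp_alerts = alerts_per_week * false_positive_rate * weeks
    return fp_alerts * (minutes_per_alert / 60.0) * hourly_rate


def ids_replacement_case() -> Dict[str, object]:
    """Constructed scenario: replace an IDS that fires 80,000 alerts a week
    at a 65% false-positive rate (the article's figures, midpoint taken)
    with a hypothetical system firing 5,000 a week at 20% (assumption).
    Half a minute per alert and $60/hour are assumed, as are the
    $2.5M purchase, $150k/year maintenance, 3-year life and 10% hurdle."""
    minutes_per_alert, hourly_rate = 0.5, 60.0
    old_cost = annual_triage_cost(80_000, 0.65, minutes_per_alert, hourly_rate)
    new_cost = annual_triage_cost(5_000, 0.20, minutes_per_alert, hourly_rate)
    savings = old_cost - new_cost

    upfront, maintenance, years, discount = 2_500_000.0, 150_000.0, 3, 0.10
    # Year 0: pay for the system. Years 1..3: triage savings net of upkeep.
    cashflows = [-upfront] + [savings - maintenance] * years
    return {
        "annual_savings": savings,
        "cashflows": cashflows,
        "npv": npv(discount, cashflows),
        "irr": irr(cashflows),
    }


if __name__ == "__main__":
    case = ids_replacement_case()
    print(f"Annual triage savings: ${case['annual_savings']:,.0f}")
    print(f"NPV at 10%:            ${case['npv']:,.0f}")
    print(f"IRR:                   {case['irr']:.1%}")
```

A positive NPV at the company's hurdle rate, or an IRR above it, is the form of argument a CFO already accepts from other departments; the point of the triage function is that it turns an operational observation (alert volume and false-positive rate) into the cash flows that argument needs. Avoided breach losses could be added to the yearly inflows in the same way once an expected-loss estimate exists.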
