IT security is not an end in itself, but crucial to business success. The return on security investment (RoSI) serves as a decision-making aid for IT security investments. But it is not always useful. What are the problems and opportunities to be evaluated?
Return on Security Investment (RoSI) as a Decision-Making Aid
If you look at IT security spending from a business perspective, it’s not easy to calculate a return on investment (RoI) for security investments. There is no doubt that a security budget is indispensable, but what directly determinable benefit is generated?
The problem lies in the fact that security investments are defined by the prevention of damage, whereas the RoI key figure only measures a directly created benefit. As a result, the return on security investment (RoSI) must be determined differently.
Classic RoI and IT security
In business administration, RoI is used to describe a profitability indicator for an investment, which is intended to help in deciding whether it makes economic sense to make it at all or how an investment has developed over time in terms of return. Accordingly, for the calculation of the RoI, the return (benefit of the investment) is put in relation to the costs of the acquisition.
However, this definition of RoI only works for investments that generate positive monetary results, such as cost savings or revenue increases. Investments for IT security do not directly increase revenues, nor do they provide immediate payback. Rather, this is a matter of planned risk management that contributes to loss prevention and risk mitigation.
The RoSI metric, on the other hand, aims to determine how much damage could be avoided by the IT security investment.
First of all, the security management process should be practicable and deliver actionable results. Furthermore, the figures used must reflect reality and be as easy to determine as possible.
Since possible threats must be taken into account for the RoSI coefficient, the estimates should be as accurate as possible so that it becomes a reliable key figure that can be used for IT security planning. Of course, the effort required to collect the necessary data must be commensurate with the intended benefit.
For example, it is essential to have a precise understanding of the security risks in question and to make a good assessment of each corporate asset that the measure is intended to protect. In this context, it does not help to take data from other companies without knowing exactly whether it is appropriate to the business or the risks involved.
Problems with risk assessments
The following problems must be considered when identifying and weighing risks:
- Recording risks is difficult: data is either unavailable or incomplete, which makes simulations necessary.
- The development of technology and business processes runs contrary to long-term risk considerations.
- Communication and psychology of those affected are misjudged.
- Management does not take “IT security” seriously enough.
- The work steps “testing” and “implementation” are often mixed up.
- Important security questions are asked too late because the answers might be uncomfortable.
Only a neutral approach to the respective risk factors and their objective evaluation can ensure that the decision whether or not to make IT security investments is the right one. This means that in any risk model, the dimensions of benefit and risk must be identified and compared.
To do this, the company should make decisions collectively and across divisions for the most realistic results possible. It should be noted that these data are usually empirical values and simulation calculations that do not necessarily correspond to reality.
RoSI – a quantitative risk analysis
In contrast to RoI, RoSI is based on an assessment of the specific risks to be neutralized by investment in security. To calculate the RoSI ratio, the following parameters must be considered:
Annualized Loss Expectancy (ALE). This refers to the total monetary loss per year resulting from a specific risk if a measure is not funded. The ALE is calculated as SLE x ARO.
Single Loss Expectancy (SLE). For this, the data and other IT resources must first be inventoried. Subsequently, the direct costs (technical investigations, penalties) and the indirect costs (business downtime, increased customer churn rate) of a single damage event or loss are added up.
Annualized Rate of Occurrence (ARO). This requires estimating how often an incident or threat occurs within a year. Often, this number can be obtained from the documentation of previous security incidents. This means that if a threat has occurred once within the last ten years, the ARO is 0.1. If, on the other hand, the threat occurs around ten times in one year, the ARO is ten.
The mitigation ratio describes the percentage of risks that would be covered by the planned investment. This percentage is also based on an assessment. Here, a self-selected assessment algorithm should be used. Although this may be inaccurate, it is possible to compare the relative value of different investments in a repeatable and consistent way, at least over time.
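To show how the four parameters above combine, here is an added worked example (not from the original article) that derives ARO from incident history, sums direct and indirect costs into an SLE, computes ALE = SLE x ARO, and ranks candidate measures. It assumes the commonly used RoSI formula RoSI = (ALE x mitigation ratio - cost of the measure) / cost of the measure, which the article does not spell out; all monetary figures are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    sle: float  # single loss expectancy: cost of one incident (direct + indirect)
    aro: float  # annualized rate of occurrence: expected incidents per year

    def ale(self) -> float:
        """Annualized loss expectancy, as defined in the text: SLE x ARO."""
        return self.sle * self.aro


def aro_from_history(incidents: int, years: float) -> float:
    """Estimate ARO from documented incidents over an observation period."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    return incidents / years


def single_loss_expectancy(direct: dict, indirect: dict) -> float:
    """SLE = sum of direct costs (investigation, penalties) and indirect costs."""
    return sum(direct.values()) + sum(indirect.values())


def rosi(risk: Risk, mitigation_ratio: float, cost: float) -> float:
    """Assumed formula: (avoided loss - cost of measure) / cost of measure."""
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be a fraction between 0 and 1")
    if cost <= 0:
        raise ValueError("cost of the measure must be positive")
    return (risk.ale() * mitigation_ratio - cost) / cost


def rank_investments(risk: Risk, candidates: dict) -> list:
    """Return (name, RoSI) pairs, best ratio first; negative RoSI means a net loss."""
    scored = [(n, rosi(risk, m, c)) for n, (m, c) in candidates.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: two incidents documented in the last four years.
RANSOMWARE = Risk(
    name="ransomware on file servers",
    sle=single_loss_expectancy(
        direct={"forensics": 20_000, "penalties": 30_000},
        indirect={"downtime": 100_000, "customer_churn": 50_000},
    ),
    aro=aro_from_history(incidents=2, years=4),
)

# Constructed candidates: name -> (mitigation ratio, annual cost of the measure)
CANDIDATES = {"A": (0.80, 40_000), "B": (0.95, 120_000), "C": (0.50, 20_000)}

if __name__ == "__main__":
    print(f"ALE for {RANSOMWARE.name}: {RANSOMWARE.ale():,.0f}")
    for name, value in rank_investments(RANSOMWARE, CANDIDATES):
        print(f"{name}: RoSI = {value:.2f}")
```

The cheaper, less complete measure C ranks above the most thorough one B here, which is exactly the kind of relative comparison the text says the mitigation ratio makes repeatable even when its absolute accuracy is limited.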