Saturday, November 10, 2007

Calculating ROI to Justify Information Security and Compliance Budgets

Executive Summary
The way to get the executive team to pay attention is to provide a quality ROI on any new initiative. If the Boards of Directors can’t understand the needs of various departments then the only way to their pocketbook is to present them with a bottom line return on their investment.

In the case of procuring a security budget executives are often less than forthcoming because of the lack of information they receive from department heads. Boards of Directors and executive teams respond most favorably to requests for information security budgets which are cost justified with a simple ROI business case.

The business case needs to specifically show how potential costs associated with liability, caused by security breaches, may be minimized by implementing a sound security infrastructure. This can be accomplished by allowing a third party to do a security audit that provides evidence of security risks.

This approach of utilizing an ROI to cost justify a security budget is the same premise used to purchase insurance for commodities like office furniture, computers, etc. The difference is that if a security breach occurs as a result of not implementing the proper protection procedures, the associated costs far outweigh the costs to replace furniture.

The potential liabilities, such as loss of production and/or loss of reputation, are translated into actual dollars in the ROI. The security budgets are created by taking a small percentage of the cost of the potential losses and applying it to preventative measures.

As such, this calculation of ROI is actually the cost of avoiding the liability expressed as a percentage of the potential cost of the liability. This is similar to the methodology for calculating the financial benefit of insurance for commodities such as office buildings, furniture and computers. [1]

Since the cost of a security infrastructure often falls within about the same price ratio of commodity insurance, one would think this cost justification would be easily sold to an executive committee.

This is often the case, particularly when the business risks identified in the business case are based upon hard evidence of actual security risks. Actual security risks can be identified by evidentiary security audits. These audits are performed by impartial third parties, with an expertise in identifying both technical and policy risks.

Methodology of Calculating ROI
There are three components to the ROI calculation:
Identifying actual security risks and translating them into quantifiable business risks.
Identifying how to mitigate the security risks, and determining the associated cost.
Calculating the ROI as the cost of mitigation expressed as a percentage of the cost of the risk.

The first step in identifying security risks is to identify security vulnerabilities, which can occur when there are technical and policy flaws. As a result, a network can be compromised in order to create a security breach. A typical risk scenario could be an incorrectly configured firewall, which could allow an Internet intruder to gain access to a corporate server containing Sarbanes-Oxley related financial files. The risk situation is exacerbated because the server software has not been patched (maintained) since the latest security threat made the server vulnerable to a security attack.

The example of a security risk scenario above deals with security vulnerabilities which would be found with one family of audit steps, called external audits. In order to not mislead the reader, it is important at this juncture to understand that there are four different families of audit steps, which in turn are subsets of one classification of audits called evidentiary audits.

For clarity, best practice based audits deal with compliancy to standards such as ISO 17799. [2] These are high level standards and do not deal with the detailed implementation of an actual network. In contrast, an evidentiary audit identifies actual proof of existing risk. An analogy might be that a standards audit defines “how to….” And an evidentiary audit defines “what is…”

Figure 1. Four Audit Steps

An evidentiary audit may be comprised of four steps, as indicated in Figure 1:
a.Employee Behavior
Risks are identified relating to social engineering (ability to dupe an employee into giving information or physical access to an unauthorized third party) and identifying the critical control information “keys to the kingdom” held by the IT department.
b.Network External
Risks are identified from the perspective of how a network appears to potential Internet intruders or to potential wireless intruders.
c.Network Internal
Risks are identified relating to how employees attract liability by their Internet misuse; how servers, firewalls, and all other devices are configured and deployed; IT procedures; etc.
d.Physical
Risks are identified relating to “locks, doors, fences, fire, intrusion, etc.” (A physical audit overlaps an employee behavior audit.)

A crucial element of identifying security vulnerabilities is to also document the evidence of how the vulnerability was found. This evidence should be conveyed in a clear manner, such that an independent third party could verify the evidence, much in the way a financial auditor would review an audit trail.

At this stage the security vulnerabilities are described in very technical terms, and of absolutely no use to an executive team who may be asked to provide funds to mitigate the risks. In order to develop this raw intelligence into a business case, it is therefore necessary to translate these technical security vulnerabilities into business risks.

In the scenario above, the business risk would be that financial data is at risk of being modified, stolen, or deleted. The associated resulting liabilities could be:
1.Contravening Sarbanes-Oxley by using corrupt financial data, resulting in damage to the reputation and stock price.
2.Using “inside” information to manipulate stock prices, again resulting in damage to reputation and the stability of a stock.
3.Early disclosure of financial reports, again damaging reputation.

The next step is to quantify the costs associated with the risks, should they become reality and actual liabilities. A simple, time-effective method of allocating costs is an “executive straw poll,” in which the executive team estimates the potential downside costs.

A sample executive straw poll, shown as Figure 2, identifies several business risks that were determined as the result of a security audit.

Figure 2. Sample executive straw poll identifying cost of risk

It is worth noting in the sample straw poll that the estimated costs associated with identity theft are quite significant. This is not surprising, as identity theft is becoming a major financial concern for corporate custodians of personal information. [4]

Liability could be considerable to the custodian of private information of a group of people who suffered financially as a result of identity theft, where the custodian was found liable for insufficiently protecting the personal information.

As an example, if a group of 100 identity theft victims each incur $10,000 in legal and accounting costs to unravel their financial quagmire caused by the theft, and if many of them also suffer financial losses due to loss of employment, or financial losses due to damage to their credit rating, claims against the infringing custodian could be in excess of $1,000,000, plus legal expenses.

Identifying Risk Mitigation and Associated Costs

A security audit should not only identify the security risks, but should also provide high level recommendations to remedy or to mitigate the risks. These recommendations can of course be augmented by a CIO or CSO who deems the recommendations as strategic to a larger security plan.

The CIO or CSO can then request price quotations from various vendors of security technology and security services, as input for the ROI business case. The total of these costs are the mitigation costs.

Calculating the ROI
The totals of the cost of risk and the mitigation costs are used in the following formula:

ROI (%) = (mitigation costs / cost of potential risk) x 100

Figure 3 shows a sample ROI business case, showing this formula in use, in conjunction with the potential risk costs identified in Figure 2.

Figure 3. Sample ROI business case

Outsourcing: An Alternative to Security Technology Acquisition
Executive teams of course always want the best ROI for any project, and optimizing security technology is no exception. Pitfalls for acquiring technology with a penchant for becoming obsolete before it is installed are obvious and often become sources of embarrassment for the recommender. This problem is often exacerbated with delays or difficulties with implementation and tuning of sophisticated technology.

Therefore it is useful to consider outsourcing the security services with the associated features and benefits as a low risk, cost effective alternative to acquisition.

Some outsourcers will provide a pilot project as a proof of concept of the entire project, which can then gracefully be increased in scope to full production. This step minimizes the time to implement and the embarrassment of acquiring technology which is never actually implemented.

The cost of outsourcing also covers other “soft costs” which quickly can become hard costs upon implementation, such as:
b.Managing and monitoring the technology.

Outsourced services can be immediately expensed in most jurisdictions, from a tax perspective. Purchased technology may become obsolete and replaced before it is even fully depreciated on the books. Similarly, if technology is leased, the lifetime of payments may persist past the actual lifecycle of the technology. These ideas are summarized in Figure 4.

Figure 4. Financial benefits of outsourcing vs. acquisition of security technology

An example business case for outsourcing an IDS (Intrusion Detection Service) vs. purchasing and running the technology in-house is shown in Figure 5. The savings derived by outsourcing over a three year life cycle are about $173,000. From the business case one can see the savings are derived with respect to annual technology maintenance, training, tax savings, and delayed deployment.

Figure 5. Comparison of three year price of purchasing vs. outsourcing IDS

Creating an Ongoing ROI Cost Justification Process
Fundamental to ensuring an ongoing adequate security budget is keeping the executive committee fully engaged in the security process. It is incumbent upon the CIO and CSO to educate their executive peers on the principle that security is an ongoing process, and not a one time event.

As such, as the CIO and CSO successfully implement security infrastructure, it is critical they report on the results in terms of the initial business case used to cost justify the process. This can be successfully accomplished by proving with a business case that the investment in security had the planned payback.

As an example, continuing to use our example business case in Figure 3, we could assume that after implementing the incremental security budget there was still a security breach in the form of identity theft. The scenario might have been that an individual retrieved unshredded documents from the corporate dumpster and found enough personal information about 10 employees to subsequently write $225,000 in checks on their bank accounts. The resulting damages were $80,000 to the employer, to cover the costs of legal fees, interest expenses, and lost work days suffered by the employee-victims.

Summarizing the financial specifics:
The total potential costs from a security breach (or breaches) is $7,895,000.
The realized potential costs avoided are $7,815,000.
The total mitigation costs requested for the incremental security budget is $75,000.
The realized % of mitigation costs are 0.95%.
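The following Python script is an added worked example, not part of the article, that carries the ROI formula and the post-breach review above through in code. The straw-poll and mitigation line items are constructed for illustration; only the totals ($7,895,000 potential cost, $75,000 mitigation budget, $80,000 realized loss) and the 2%-4% budget band from footnote [1] come from the text.

```python
"""Worked ROI business case for a security budget (added example; line items constructed)."""
from dataclasses import dataclass


@dataclass
class RiskItem:
    """One row of the executive straw poll: a business risk and its estimated downside cost."""
    name: str
    potential_cost: float


@dataclass
class MitigationItem:
    """One vendor quotation (technology or service) that addresses audited risks."""
    name: str
    cost: float


# Constructed straw poll; the four figures are illustrative and sum to the article's $7,895,000.
STRAW_POLL = [
    RiskItem("Identity theft claims by employees/customers", 5_000_000),
    RiskItem("SOX financial data modified, stolen or deleted", 2_000_000),
    RiskItem("Early disclosure of financial reports", 500_000),
    RiskItem("Liability from employee Internet misuse", 395_000),
]

# Constructed mitigation quotations; illustrative and summing to the article's $75,000.
MITIGATION = [
    MitigationItem("Firewall reconfiguration and server patch management", 30_000),
    MitigationItem("Employee security awareness program", 15_000),
    MitigationItem("Document shredding and physical access controls", 10_000),
    MitigationItem("Outsourced intrusion detection, year one", 20_000),
]

# Footnote [1]: the author's observed band for annual security budgets as a share of breach cost.
BUDGET_BAND_PERCENT = (2.0, 4.0)


def total_cost_of_risk(risks):
    return sum(r.potential_cost for r in risks)


def total_mitigation_cost(items):
    return sum(i.cost for i in items)


def roi_percent(mitigation_cost, cost_of_risk):
    """ROI as the article defines it: mitigation cost as a percentage of potential risk cost."""
    if cost_of_risk <= 0:
        raise ValueError("cost of potential risk must be positive")
    return mitigation_cost / cost_of_risk * 100


def band_position(pct, band=BUDGET_BAND_PERCENT):
    """Where the requested budget sits relative to the insurance-like band: below, within or above."""
    low, high = band
    if pct < low:
        return "below"
    if pct > high:
        return "above"
    return "within"


def realized_case(cost_of_risk, mitigation_cost, realized_losses):
    """Post-implementation review: restate the original case against the losses actually suffered.

    realized_losses maps a breach description to the dollar damage incurred despite the budget.
    """
    loss = sum(realized_losses.values())
    return {
        "potential_costs": cost_of_risk,
        "realized_losses": loss,
        "costs_avoided": cost_of_risk - loss,
        "mitigation_cost": mitigation_cost,
        "realized_pct": roi_percent(mitigation_cost, cost_of_risk),
    }


def main():
    risk = total_cost_of_risk(STRAW_POLL)
    budget = total_mitigation_cost(MITIGATION)
    pct = roi_percent(budget, risk)
    print(f"Cost of potential risk: ${risk:,.0f}")
    print(f"Mitigation budget:      ${budget:,.0f}  ({pct:.2f}% of risk, {band_position(pct)} the 2-4% band)")
    # The article's follow-up scenario: an $80,000 identity-theft loss after the budget was spent.
    review = realized_case(risk, budget, {"dumpster-diving identity theft": 80_000})
    print(f"Costs avoided:          ${review['costs_avoided']:,.0f}")
    print(f"Realized % of mitigation costs: {review['realized_pct']:.2f}%")


if __name__ == "__main__":
    main()
```

The realized percentage is the same 0.95% figure the summary above reports, because the article's formula divides by the potential cost of risk rather than the cost avoided; the band check only tells the reader whether the request is cheap or expensive relative to the insurance-like benchmark, not whether it is adequate.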

It appears this business case proves the security plan was a success.

Conclusion and Call to Action
Obtaining an adequate incremental security budget does not need to be sidelined until the next security event or until the next year’s budget. CIOs and CSOs can compel executive teams and boards of directors to make funds available, with the appropriate ROI business case.

The most convincing case is based upon real life evidence of risks faced by their organization, and a financial plan of how to mitigate these risks. It is important to involve the executives in the process by asking for their participation in a straw poll to determine the costs of risks becoming realities. In doing so, the responsibility of addressing the corporation’s security needs clearly becomes an executive decision that cannot be avoided.

Executives understand risk and dollars. Those are the only terms with which to describe an ROI information security budget request.


[1]Typical annual insurance rates for commodities are about 1.5% - 2.5% of asset replacement cost. The author has observed (over many business cases) that annual security budgets can similarly be about 2% - 4% of potential security breach related costs.
[2]Evidentiary and standards based audits are classifications created by the author for the purpose of clarity. This differentiation and categorization is not generally found in security literature.
[3] Internet reference to ISO 17799 may be found at the ISO web page.

[4] There are many available sources of information describing the liability associated with identity theft. Several of these Internet based sources are as follows:

About the Author
Ron Lepofsky is the President and CEO of ERE Information Security Auditors, who are information security and financial disclosure / privacy compliance auditors. ERE provides services to large publicly traded corporations, the financial industry, electrical utilities, and to large law firms. Contact information: office: 905.764.3246, email:

Sorry there was no room for Figures on the blog. Please feel free to view the Figures in the same article that includes the figures, found on the ERE web site under the index heading of "articles". Thank you. Ron L.