For years, the return on security investment (ROSI) has been postulated more than it has been calculated. A positive ROSI was "nothing happened", which fares poorly in budget reviews. The CFO wants a cost-benefit analysis, and with security that is an apples-and-oranges comparison: the costs are in dollars; the benefits are not. The benefits of investing in security have always been characterized as mushy concepts that live far from the bottom line.

The good news is that new research is coming. It demonstrates that the earlier security is built into the software engineering process, the less it costs, just as it costs less to design an alarm system into the plans for a bank than to install one once the bank is built.

Lacking a specific ROI, the most you can do to justify spending is point to problems others have had. Start a file of newspaper clippings about companies that have suffered embarrassing security breaches. Studies on the cost and frequency of security breaches are few, but use them as best you can. The most often-cited are the joint survey conducted each year by the FBI and the Computer Security Institute and another from Computer Economics; both focus on malicious code. Though these studies aren't scientific by any means, they are a start.
About OODA Analyst
OODA is made up of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.