ROSI - Return on Security Investment
This week in our CIS 608 class, we are dealing with measuring Information Security Management in terms of quantitative ideas such as ROSI, ALE, and SLE. (see diagram above)
ROSI = Return on Security Investment
ALE = Annual Loss Expectancy
SLE = Single Loss Expectancy
I believe that these are ideas that are outdated throwbacks to the Insurance Industry and calculations related to damage claims, investments, and loss payouts.
I might also add to the mix here that these are measurements for which people will be tested and measured when they take exams like the CISSP and the CRISC.
But despite their longevity as standard ways to define the effectiveness of Information Security, I believe that ROSI, ALE, and SLE are now obsolete I will would like to add my own thoughts here about measuring ROSI.
I think that here in the second decade of the 21st century, we need something better to help measure the effectiveness of Information Security Management programs. In my opinion, a better idea on measuring the effectiveness of an Information Security Management program would be to measure and quantify benefits like these:
- Business Revenues and Opportunities gained because the implementation of a solid Information Security Management Program
- Business Revenues and Opportunities that a company retained because of the implementation of a solid Information Security Management Program
- Awards achieved, such as Industry Recognition Awards because of the implementation of a solid Information Security Management Program
- Compliance penalties and/or regulatory penalties avoided because of the implementation of a solid Information Security Management Program
- People that kept their jobs because of the implementation of a solid Information Security Management Program
- PR campaigns and damage control campaigns that that were avoided because of the implementation of a solid Information Security Management Program
These are just a few ideas about how to create a better set of metrics with which to measure the effectiveness of your Information Security Management Program. I will be writing a lot more about this in the very near future.
Feel free to comment below or better yet, e-mail me with your ideas: slater@billslater.com
Thanks.
William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
Chicago, IL
United States of America
No comments:
Post a Comment