CIS 608 - Information Security Management

Thursday, October 27, 2011

Post 049 - CIS 608

Measuring Return on IT Security Investments


The two diagrams above are part of an additional approach on measuring the return on IT security investment. These are from a white paper that was produced in December 2007 by Intel Corporation.

As I stated in Post 046 - CIS 608, I really believe that an organization must consider additional factors when trying to uncover and quantify the real return on IT security investment. As I stated earlier, those factors that should be considered are:

  • Business revenues and opportunities gained because of the implementation of a solid Information Security Management Program

  • Business revenues and opportunities that a company retained because of the implementation of a solid Information Security Management Program

  • Awards achieved, such as industry recognition awards, because of the implementation of a solid Information Security Management Program

  • Compliance penalties and/or regulatory penalties avoided because of the implementation of a solid Information Security Management Program

  • People that kept their jobs because of the implementation of a solid Information Security Management Program

  • PR campaigns and damage-control campaigns that were avoided because of the implementation of a solid Information Security Management Program

What is also interesting is that this week, following our 2010 textbook (Whitman, M. E. and Mattord, H. J. (2010). Management of Information Security, third edition. Indianapolis, IN: Course Technology), we see a business trend toward using the following method to quantify the value of investing in controls that increase information security and reduce risk:


It is based on determining two sets of Annual Loss Expectancy (ALE).

The first ALE is before the application of information security controls.

The second ALE is after the application of information security controls.

ALE is based on this calculation:

ALE = SLE * ARO

Where:
SLE is the Single Loss Expectancy, the loss expected from one incident.
ARO is the Annualized Rate of Occurrence, the number of incidents expected per year (example: 1 incident per month would be an ARO of 12).
ALE is the Annual Loss Expectancy.
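A worked version of the before-and-after ALE comparison, added here as an example; it is not code from the post, the Whitman and Mattord text, or the Intel white paper. The dollar figures and incident rates are constructed. The annual cost of the control and the residual-risk readout are assumptions that go one step beyond the post (which only states the two-ALE comparison), added because whether a control is cost-justified depends on netting its own yearly cost against the ALE reduction.

```python
"""Annual Loss Expectancy (ALE) before and after an information security control.

Added example for this post; not from the textbook or the Intel paper.
Every dollar figure and incident rate below is constructed for illustration.
"""
from dataclasses import dataclass


def aro_from_interval(incidents: float, per_months: float) -> float:
    """Annualized Rate of Occurrence: incidents per year.

    aro_from_interval(1, 1)  -> 12.0  (one incident per month, the post's example)
    aro_from_interval(1, 60) -> 0.2   (one incident every five years)
    """
    if per_months <= 0:
        raise ValueError("interval must be a positive number of months")
    return incidents * 12 / per_months


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy = SLE * ARO, exactly as the post defines it."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Assessment:
    """One ALE calculation, either before or after a control is applied."""
    label: str
    sle: float  # dollars lost per incident
    aro: float  # incidents per year

    @property
    def ale(self) -> float:
        return ale(self.sle, self.aro)


def control_evaluation(before: Assessment, after: Assessment,
                       annual_control_cost: float) -> dict:
    """Compare the two ALEs and net out the control's own yearly cost.

    'annual_control_cost' is an assumption added here; the post only states
    the two-ALE comparison.  'residual_risk' is the ALE that remains after the
    control, i.e. the loss exposure management must still decide to accept.
    """
    reduction = before.ale - after.ale
    net = reduction - annual_control_cost
    return {
        "ale_before": before.ale,
        "ale_after": after.ale,
        "ale_reduction": reduction,
        "net_annual_benefit": net,
        "cost_justified": net > 0,
        "residual_risk": after.ale,
    }


if __name__ == "__main__":
    # Constructed scenario: an incident class costing $25,000 each time,
    # occurring about once a month before any control is in place.
    before = Assessment("no control", sle=25_000, aro=aro_from_interval(1, 1))
    # Constructed post-control estimate: same loss per incident, but the
    # control cuts frequency to about twice a year.
    after = Assessment("with control", sle=25_000, aro=aro_from_interval(2, 12))

    # Two hypothetical price tags for the control: one that pays for itself
    # and one that does not, even though both leave the same residual risk.
    for cost in (100_000, 350_000):
        result = control_evaluation(before, after, annual_control_cost=cost)
        print(f"control cost ${cost:,}/yr:")
        for key, value in result.items():
            shown = f"${value:,.0f}" if isinstance(value, float) else value
            print(f"  {key:>20}: {shown}")
```

Running the script shows that the same control, with the same residual risk of $50,000 per year, is cost-justified at $100,000 per year and not at $350,000 per year; the ALE reduction alone says nothing until the control's own cost is subtracted from it.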

=======================================================

I think the important lessons here are that:

1) Management is looking for ways to quantify and justify the amount of money spent on IT security management controls

2) Risk must be reduced, but only to the degree that management can cost-justify it and is also willing to accept the residual risk that remains

3) Even though the 2007 model and the 2010 model for measuring the effectiveness of money spent on information security controls are similar, the models for justifying and quantifying the money spent on information security may still be in a state of flux if they can change that much between December 2007 and 2010, when our book was published.

