In-Depth

The New Security ROI

It's tough to determine an ROI for security investments. Looking at cost avoidance may be the way to go.

• By Rich Weiss
• 07/19/2005

Information security return on investment is a squirrelly concept. Security investments don’t generate earnings, so they don’t have ROIs in the traditional sense. Yet intuitively we know that investing in measures that defend the enterprise against electronic attacks is worthwhile. Information security breaches can have huge costs, albeit ones whose magnitude and probability are very difficult to estimate.

There are several ways that the lack of security can end up costing an enterprise. Here are but a few examples:

• Attacks that expose confidential customer or business partner information can cause severe damage to an organization’s revenue-generating relationships. Revenue growth will also suffer if potential new customers shy away from the victimized enterprise.

• The benefit of millions of dollars spent on brand advertising, PR, and other marketing programs over many years can be negated by a single, widely publicized security breach.

• Confidential-information exposure can result in heavy government fines or civil liability. Notifying thousands of individuals whose personal data was exposed can also be very costly.

• Theft of digital assets (such as customer databases, business plans, strategic partnership agreements, and source code) can greatly harm a company’s competitive advantage and ultimately its profitability.

• Malware and attacks that harm mission critical systems such as e-commerce servers can cause lost sales.

Unfortunately, forecasting the cost of damage to intangible assets such as customer relationships is nearly impossible. Enterprises also have little historical data to use in estimating their exposure to these threats. The inability to calculate loss expectancy, however, doesn’t mean investment in security isn’t justifiable. It just means the risk analysis needs to be approached differently.

Rather than trying to calculate it for your own company, one viable approach is to look at the typical or average impact a particular type of breach has had on other companies . For example:

• Last year, the State of California paid nearly $700,000 to alert 1.4 million state residents whose private identification information was stolen from a state university computer.

• Recently, a credit union group sued to recover $5.7 million in losses its members incurred when a Boston-area retailer allegedly allowed hackers to steal 40,000 credit and debit card numbers.

• Earlier this year, a data-gathering company allowed criminals access to the financial records of 145,000 consumers. The company’s stock price immediately fell over 10 percent, wiping out over $500 million in market value, and it hasn’t recovered in the four months since the incident.

• More generally, academic research has found that market caps fall an average of 5 percent following publicized exposure of confidential information.

Statistics like these should interest any CFO. They don’t address probabilities of occurrence, but some threats are worth protecting against simply because of the potential for severe or devastating loss. Most homeowners, for instance, don’t need to know the probability of their houses burning down to know they should buy homeowners insurance. Although determining how much to pay to avoid a huge loss still requires a qualitative judgment, you at least have a clear financial justification for some level of investment.

This justification is only valid if the investment truly mitigates major risks. Purchasing products that don’t provide the best defenses is worse than a waste of money, since it leaves the enterprise exposed to major losses that better tools could prevent. Choose the most effective solutions from vendors with track records of technical excellence in security if you want to achieve true security ROI.

Rich Weiss is the Director of Endpoint Product Marketing at Check Point Software Technologies and is CISSP certified. You can contact Rich Weiss about “The New Security ROI” at rweiss@us.checkpoint.com.