Return on Investment (ROI) is a common issue among corporate management. The question can seldom be answered to everyone's satisfaction. It is especially harder to answer in the information security context where a lack of data makes it difficult to quantify what exactly security spending earns.
The management knows the threat is there but they do not feel the threat. In other words, they cannot justify the spending as they do not have a clear picture of the returns. It happens everywhere. For example, no one buys a burglar alarm until someone they know is robbed.
For that reason, many security vendors also use the Fear, Uncertainty and Doubt (FUD approach to sell security. FUD is commonly practised to make a customer feel insecure about future product plans with the objective of encouraging the sale of security products. However, this method is hardly compelling especially when budgets are already stretched wafer-thin.
Security is always seen as an investment where cost is clearly delineated, and therefore requires a quantified ROI. What does one mean exactly by this "Return on Investment" - and apart from it, what other common metrics are used to measure security investments?
IT IS often difficult to quantify expected returns, while the costs can be clearly delineated; most of the time it is always more instructive to involve the consideration of "Cost of No Investment".
Other common metrics used to measure security risk include:
a) Annual Loss Expected (ALE) = the expected rate of loss multiplied by the value of that loss.
b) Security savings vs Benefit = A calculation based on the amount that can be saved by reducing the rate of successful attacks and damage per successful attack.
c) The Exposure Factor (EF) = A percentage of loss on an asset if...