218 A Practical Guide to Security Assessments
In the formula above, one aspect that the calculation does not specifically identify, but that must be addressed, is the ongoing cost of implementing security recommendations. The calculation does not include costs related to the ongoing administration of the tool (T). In the intrusion detection example above, there is significant cost related to reviewing logs, incident response, and the ongoing technical maintenance of the intrusion detection system. This is something to keep in mind as you determine ROSI.
When making recommendations, one aspect to think about is how well the recommendation addresses the risk. This is an important concept, and it will be evident when calculating ROSI. For most risks, you can have recommendations that address the risk in different ways. Although it would be nice to have the best solution to address a finding and risk, does the client really need it? For that matter, do they even need something good? It is likely that all they need is a solution that is adequate to address the risk. The reason this is an important concept is that a perfect solution might cost double or triple the amount of the adequate solution — this has a significant impact on ROSI.
Some people do not go through this type of calculation and instead try to demonstrate the cost benefit by utilizing the F.U.D. (Fear, Uncertainty, Doubt) method. The theory with F.U.D. is that management will implement security measures out of sheer fear that something might happen. As people are becoming more knowledgeable about security, F.U.D. is becoming less of a factor when deciding whether or not to implement security measures. Consequently, this is not an advisable method when justifying recommendations.
The bottom line is that cost benefit and ROSI must be considered when making recommendations. For recommendations that require a significant outlay of money or resources, or significant changes in processes, decision makers will certainly ask questions about the cost benefit and the ROSI of implementing the recommendation. It is really no different from what is done with other major projects. Being able to demonstrate the cost benefit and the ROSI is like making a business case for the investment. As security practitioners, we need to think in financial and business terms to present an accurate picture to management. The trend now is that decision making as it pertains to information security is resting with business unit personnel, not IT. “The Yankee Group expects security budgets to increase in 2004. But companies will no longer spend for security’s sake. The enterprise model for security decision making has changed to include line-of-business managers. The biggest discovery in this model is the shift in influence from technology decision-makers to the lines of business.”³ As many of the elements of the ROSI calculation are subjective, the cost-benefit analysis will force you to make certain projections and estimations about the probability of a security incident and the potential impact. It is critical to have a good knowledge of the business to make the estimations required in calculating ROSI. With time and experience, this becomes an easier process.
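As an added worked example (not from the book), the comparison above in code: the ROSI of an adequate control versus a far more expensive "perfect" one, with and without the ongoing administration cost the formula leaves out. The form of the calculation used here (loss avoided E minus tool cost T), the control names and every dollar figure are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    tool_cost: int           # T: one-time purchase and implementation cost
    annual_ops_cost: int     # ongoing administration: log review, incident response, maintenance
    risk_reduction_pct: int  # share of the yearly incident cost the control is expected to prevent


def annual_incident_cost(incidents_per_year: int, cost_per_incident: int) -> int:
    """R: expected yearly cost of recovering from incidents with no new control in place."""
    return incidents_per_year * cost_per_incident


def rosi(R: int, control: Control, years: int, include_ops: bool = True) -> int:
    """Return on security investment over `years`.

    Assumed form of the calculation: E (loss avoided) minus T (tool cost).
    include_ops=True also subtracts the ongoing administration cost that the
    formula itself does not capture. A negative result means the control costs
    more over the horizon than it saves.
    """
    E = R * control.risk_reduction_pct // 100  # yearly loss the control avoids
    ops = control.annual_ops_cost * years if include_ops else 0
    return E * years - control.tool_cost - ops


def rank_controls(R: int, controls: list, years: int) -> list:
    """Controls ordered from best to worst ROSI over the planning horizon."""
    return sorted(((rosi(R, c, years), c.name) for c in controls), reverse=True)


# Constructed sample figures: four incidents a year at $25,000 each (R = $100,000).
R = annual_incident_cost(4, 25_000)
ADEQUATE = Control("adequate IDS", tool_cost=40_000, annual_ops_cost=30_000, risk_reduction_pct=80)
PERFECT = Control("best-of-breed IDS", tool_cost=120_000, annual_ops_cost=50_000, risk_reduction_pct=95)

if __name__ == "__main__":
    for years in (1, 3):
        print(f"{years}-year horizon:", rank_controls(R, [ADEQUATE, PERFECT], years))
    # The gap the text warns about: ignoring ongoing cost overstates the adequate option by $30,000.
    print("adequate IDS, ops cost ignored:", rosi(R, ADEQUATE, 1, include_ops=False))
```

With these figures the adequate control is the only one with a positive first-year ROSI, and the triple-cost option only turns positive over a three-year horizon.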
OTHER GENERAL RECOMMENDATIONS
After the actual security assessment is complete, some other long-term recommendations should be considered. Making these recommendations depends on certain
AU1706_book.fm Page 218 Tuesday, August 17, 2004 11:02 AM