The cost of enterprise security vs the cost of security breaches
How to calculate ROI in terms your CFO understands
Firstly, we need to calculate ROI in a language CFOs understand. CFOs don't see the intrinsic value of security systems, and won't be swayed by soft terms like prestige and reputation. Instead, they'll want to see hard numbers like:
• Total Cost of Ownership of the security solution;
• Effective savings from reducing acknowledged IT risk exposure;
• Reduced staff levels or costs, or staff deployed in other areas; and
• Reduced licence & maintenance costs for systems made redundant by the new solution.
When translating IT security and operational improvements into tangible figures, you should include risk-adjusted costs like:
• The impact of a security breach on system downtime and productivity;
• The cost of losing valuable IP or confidential data;
• Penalties for non-compliance with government/industry regulations; and
• Safeguarding the mission of a government agency.
The following abridged ROI analysis was provided by a prospective client and quantifies annual savings from a specific technology investment using the Annual Loss Expectancy (ALE) principle. The calculation takes into account the likely business cost of a security incident and multiplies it by the chance of the incident occurring in a year. This is best done by assigning conservative probabilities to potential risks and agreeing on their likely cost impact.
The figures below will vary depending on each organisation's individual threat risk assessment, and the levels of acceptable risk reduction.
POTENTIAL RISKY EVENT       IMPACT       PROBABILITY  VALUE AT RISK  AGREED RISK REDUCTION   RISK MITIGATED BY
                                                                     FROM SECURITY INVEST'T  SECURITY INVEST'T
Network down due to virus   $10,000,000  0.50%        $50,000        0.20%                   $20,000
Critical Process IP stolen  $25,000,000  1.00%        $250,000       0.40%                   $100,000
Customer data leakage       $15,000,000  1.00%        $150,000       0.40%                   $60,000
Fraud by employees          $1,000,000   1.00%        $10,000        0.40%                   $4,000
Pricing data leaked to comp $25,000,000  0.20%        $50,000        0.10%                   $25,000
HR details stolen           $1,000,000   2.00%        $20,000        1.00%                   $10,000
Reduce security staff by 5  $500,000     100%         $500,000       60%                     $300,000
TOTAL PER ANNUM                                       $1,030,000     $511,000                $519,000
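The ALE arithmetic behind the table, as an added Python example that is not part of the original article: it recomputes the totals from the seven rows (value at risk = impact x annual probability; risk mitigated = impact x agreed reduction; the $511,000 in the total row is the residual, $1,030,000 less $519,000) and then sets the annual mitigated risk against a Total Cost of Ownership figure to produce the ROI the opening section asks for. The row names and figures are the page's own; the annual TCO value is an assumption for illustration, since the article gives none. The validity check rejects a row whose agreed reduction exceeds its annual probability, because that would credit the investment with removing more risk than exists.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    """One row of an Annual Loss Expectancy (ALE) worksheet."""
    name: str
    impact: float       # business cost if the event occurs once (IMPACT column)
    probability: float  # agreed annual probability of the event, 0..1 (PROBABILITY column)
    reduction: float    # share of that probability the investment removes, 0..1
                        # (AGREED RISK REDUCTION FROM SECURITY INVEST'T column)

    @property
    def value_at_risk(self) -> float:
        # ALE = single-event impact x annual probability
        return self.impact * self.probability

    @property
    def risk_mitigated(self) -> float:
        # Part of the ALE the investment is credited with removing
        return self.impact * self.reduction

    @property
    def residual_risk(self) -> float:
        # Exposure that remains after the investment
        return self.value_at_risk - self.risk_mitigated


def is_valid(event: RiskEvent) -> bool:
    """A reduction larger than the annual probability would claim the
    investment removes more risk than exists (negative residual)."""
    return (
        event.impact >= 0
        and 0.0 <= event.probability <= 1.0
        and 0.0 <= event.reduction <= event.probability
    )


# The seven rows of the article's table, percentages written as fractions.
EVENTS = [
    RiskEvent("Network down due to virus",   10_000_000, 0.0050, 0.0020),
    RiskEvent("Critical Process IP stolen",  25_000_000, 0.0100, 0.0040),
    RiskEvent("Customer data leakage",       15_000_000, 0.0100, 0.0040),
    RiskEvent("Fraud by employees",           1_000_000, 0.0100, 0.0040),
    RiskEvent("Pricing data leaked to comp", 25_000_000, 0.0020, 0.0010),
    RiskEvent("HR details stolen",            1_000_000, 0.0200, 0.0100),
    RiskEvent("Reduce security staff by 5",     500_000, 1.0000, 0.6000),
]


def totals(events: list[RiskEvent]) -> dict[str, int]:
    """Column totals, rounded to whole currency units."""
    bad = [e.name for e in events if not is_valid(e)]
    if bad:
        raise ValueError(f"invalid rows: {bad}")
    value_at_risk = sum(e.value_at_risk for e in events)
    mitigated = sum(e.risk_mitigated for e in events)
    return {
        "value_at_risk": round(value_at_risk),
        "risk_mitigated": round(mitigated),
        "residual_risk": round(value_at_risk - mitigated),
    }


def roi(annual_benefit: float, annual_tco: float) -> float:
    """ROI as a fraction of cost: (benefit - cost) / cost."""
    if annual_tco <= 0:
        raise ValueError("TCO must be positive")
    return (annual_benefit - annual_tco) / annual_tco


def report(events: list[RiskEvent], annual_tco: float) -> str:
    """Plain-text worksheet: per-row ALE, mitigated and residual risk, then ROI."""
    t = totals(events)
    lines = [f"{'Event':<28}{'ALE':>12}{'Mitigated':>12}{'Residual':>12}"]
    for e in events:
        lines.append(f"{e.name:<28}{e.value_at_risk:>12,.0f}"
                     f"{e.risk_mitigated:>12,.0f}{e.residual_risk:>12,.0f}")
    lines.append(f"{'TOTAL PER ANNUM':<28}{t['value_at_risk']:>12,}"
                 f"{t['risk_mitigated']:>12,}{t['residual_risk']:>12,}")
    lines.append(f"ROI at annual TCO {annual_tco:,.0f}: "
                 f"{roi(t['risk_mitigated'], annual_tco):.1%}")
    return "\n".join(lines)


if __name__ == "__main__":
    ASSUMED_ANNUAL_TCO = 200_000  # assumption for illustration; the article gives no TCO
    print(report(EVENTS, ASSUMED_ANNUAL_TCO))
```

Running the block prints the worksheet and, at the assumed TCO, an ROI of 159.5%; at a TCO equal to the mitigated risk ($519,000) the ROI is 0%, which is the break-even point a CFO will look for first.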
Cost calculations for cleanup, risk mitigation, lost productivity and regulatory penalties will also vary with each organisation. The company in our example also listed (in its own words) a number of soft benefits which weren't part of the ROI justification:
• Ability to visualise transactions and systems usage across the enterprise;
• Capacity for real-time IT event monitoring & control;
• Improved compliance and information governance; and
• Maintaining complete logs of event data for defending legal actions.