Monday, November 3, 2014

Information Security - Cost Analysis

Reports indicate that information security is now a board agenda item and that security spending by enterprises is on the rise. This is largely because of the rise in data breaches worldwide and the increase in hacking and cyber attacks. This is impacting all enterprises, be they small, medium or large, and across all segments, i.e. not only financial but all domains. The increased exposure and financial damages associated with security risks have pushed enterprises to increase budget allocations and to mitigate, if not avoid, such risks.

The following recent predictions of Gartner influence the Information Security spending among enterprises:

  • By 2015, roughly 10% of overall IT security enterprise product capabilities will be delivered in the cloud.
  • Regulatory pressure will increase in Western Europe and Asia/Pacific from 2014.
  • By year-end 2015, about 30% of infrastructure protection products will be purchased as part of a suite offering.
  • By 2018, more than half of organizations will use security services firms that specialize in data protection, security risk management and security infrastructure management to enhance their security postures.
  • Mobile security will be a higher priority for consumers from 2017 onward.

In the best interests of the investors, any spending or investment should be backed up with an appropriate cost-benefit analysis. Applying this cost-benefit justification to the Information Security function is gaining focus but remains a challenge. Quantification forms the basis for being able to perform the cost-benefit analysis. The advantages of quantification are its accuracy, objectivity, and comparability. In addition, quantification is the basis for calculations and statistical analyses. While costing is the comparatively easier aspect, quantifying the benefits is still a challenge as it depends on the occurrence of uncertain events.

Starting with the idea of a Return on Security Investment (ROSI), several concepts have been developed to support the decision for or against an information security measure. One way to do this is to apply the concept of Net Present Value (NPV). An NPV formula for information security investments could be as below:


The following are the four aspects of Information Security costs:

  • Information Security Management - This is about the costs associated with the Information Security function, which comprises People, Process and Technology. Though quantifying this aspect of the cost is straightforward, measuring the benefits is not.
  • Incidental costs of Information Security related decisions - Information Security is a cross-functional task, and every person and process in the organization needs to contribute towards it. As such, implementing any security control will cause additional overhead in other departments or functions. For instance, regulating the fair use of the Internet will require some involvement from the HR function in the form of policies, code of conduct, ethics etc. Quantifying both the costs and the benefits here is not as easy.
  • Cost of capital for Security investments - Like any investment, capital invested in the security function has a cost, and quantifying this element of cost is not at all a challenge.
  • Costs arising out of security incidents - This is more like risk management, and all the principles of measuring risks apply here as well. The risk of a security incident can be measured as the product of its probability and its impact. However, quantifying this as an absolute value requires identifying the impacted information and / or related resource and the value of that resource. Many people have opined that information is the currency of the organization, but it has a dynamic value, i.e. the value of information depends not only on its significance to the organization but also on its significance to others.

A common way of categorising and structuring costs in a repeatable and comparable way is required to manage the associated challenges. Building on that basis, it becomes possible to identify cost drivers and to analyse different security management approaches like the following:

  • Balance Sheet Oriented Approach - where the costs are categorized and quantified under personnel, hardware, software and services. This approach does not take into consideration the cross-functional aspect of the security function.
  • Life Cycle Oriented Approach - where the costs are categorized and quantified against the various life cycle phases of the security function. Typically, the life cycle of the security function would be along the lines of Plan - Do - Check - Assess, in which case the costs are quantified with respect to each of the life cycle phases. This approach takes a project management view and can be useful for quantifying the incremental cost of a specific security initiative, but it will not be useful for assessing the costs of the security management function as a whole.
  • Process Oriented Approach - where the costs are categorized into direct and indirect costs at process level. Direct costs could comprise People and Technology, and the indirect costs could comprise the costs allocated by various functions towards a specific process and the quantified costs of risk avoidance and risk mitigation. This approach can be customized further to suit the varying needs of the enterprise.
  • Control Oriented Approach - where costs are categorized with respect to each individual security control, which can be added up to ascertain the cost for a security area. However, there are many challenges in establishing a standard approach and framework for ascertaining the costs at control level. The costs of every control comprise a share of the fixed organizational overhead, in addition to the variable costs of people, technology and the processes.
  • Layer Oriented Approach - where information security costs are categorized against the different layers of the ISMS, namely Management System, People & Processes, Architecture & Concepts, Operational Measures and Pre-requisites.

While quantifying the benefits is not very easy, by applying Quantitative Risk Analysis techniques the cost of not implementing a specific security process or control can be ascertained, and this can be considered as the benefit of implementing the control or process. Another technique that can be useful to categorize and visualize the cost-benefits is modeling and simulation.
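
The following is an added worked example, not part of the original post, that ties together the probability-times-impact risk measure, the "cost of not implementing" view of benefit, NPV and simulation. All figures, the `Risk` fields and the function names are constructed assumptions, and the NPV used is the standard discounted cash-flow form rather than a formula taken from this page.

```python
import random
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    probability: float  # chance of the incident in a given year
    impact: float       # loss per incident, in currency units
    reduction: float    # share of the probability the control removes

# Constructed sample data; none of these figures come from the article.
RISKS = [Risk("customer data breach", 0.10, 2_000_000, 0.5),
         Risk("ransomware outage", 0.20, 500_000, 0.6)]

def expected_loss(risks, with_control=False):
    """Risk measure from the article: probability x impact, summed over risks."""
    return sum(r.probability * (1 - r.reduction if with_control else 1) * r.impact
               for r in risks)

def annual_benefit(risks):
    """Cost of not implementing the control, i.e. the expected loss it avoids."""
    return expected_loss(risks) - expected_loss(risks, with_control=True)

def npv(initial_cost, yearly_net, rate):
    """Standard NPV: -I0 + sum over t of (B_t - C_t) / (1 + r)^t."""
    return -initial_cost + sum(net / (1 + rate) ** t
                               for t, net in enumerate(yearly_net, start=1))

def simulate_npv(risks, initial_cost, annual_cost, rate, years, trials, seed=1):
    """Share of simulated futures in which the control pays for itself."""
    rng = random.Random(seed)
    positive = 0
    for _ in range(trials):
        nets = []
        for _ in range(years):
            avoided = 0.0
            for r in risks:
                u = rng.random()
                # Incident happens without the control but not with it.
                if r.probability * (1 - r.reduction) <= u < r.probability:
                    avoided += r.impact
            nets.append(avoided - annual_cost)
        positive += npv(initial_cost, nets, rate) > 0
    return positive / trials

if __name__ == "__main__":
    benefit = annual_benefit(RISKS)
    print(f"expected annual benefit: {benefit:,.0f}")
    print(f"NPV on expected values: {npv(250_000, [benefit - 60_000] * 3, 0.08):,.2f}")
    print(f"share of futures with NPV > 0: "
          f"{simulate_npv(RISKS, 250_000, 60_000, 0.08, 3, 20_000):.2f}")
```

On expected values the constructed control has a small positive NPV over three years, yet only about a third of the simulated futures come out positive, which is the "occurrence of uncertain events" problem in concrete form.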