Many believe that demonstrating a ROSI (return on security investment) in the enterprise is nigh impossible because there are no metrics that measure the ROSI unless a company is attacked or security is outsourced to a managed security provider. However, I've always been astounded by this attitude, as to me it appears that the most obvious point has been completely missed: organisations must begin with information risk assessments in order to evaluate the true effectiveness of their ROSI.

Most of us read with interest the publication of the Information Security Breaches Survey 2002 (ISBS 2002) from the DTI and learnt that last year 44% of UK organisations suffered at least one severe security incident, costing on average £30,000. Although the DTI recognised that the appropriate level of information security expenditure clearly depends on an organisation's business circumstances, it went on to make the broad recommendation that information security officers (ISOs) allocate between 3% and 5% (rising to 10% for high-risk sectors) of their IT budgets to information security. It further recommended that they thoroughly evaluate the ROI of IT security expenditure, as only 30% of UK businesses were doing so, and of those only 16% had incorporated the evaluation into their normal business processes.

Today information risk is generally viewed in terms of threat, vulnerability and cost. If organisations are performing information risk assessments they are already aware of their risk profile (their threats, ease of exploitation, impact and exposure levels), have assigned values to each and have attributed overall costs. Organisations understand that there are levels of "acceptable" risk associated with trading and are therefore conscious of which risks they are willing to bear. Strategic planning allows them to review the countermeasures and consider their costs, ideally ensuring that these fall either around or beneath the original cost of the risk itself. By monitoring the effectiveness of the solutions deployed, they have ensured that the ROI on IT security expenditure has at best been met and at worst is evolving.
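The comparison the paragraph above describes (cost of the risk, cost of the countermeasure, and whether the residual risk is one the organisation is willing to bear) can be carried through with numbers. The following is an added worked example, not code from the article or the DTI survey; it uses the standard annualised loss expectancy (ALE = impact per incident × incidents per year) and the common ROSI formulation (loss avoided minus control cost, over control cost). The risk register entry reuses the survey's £30,000 average incident cost, but the 0.44 annual rate, the £5,000 risk appetite and both countermeasures are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    """One line of a risk register: a threat with an assessed impact and likelihood."""
    name: str
    impact_gbp: float     # single loss expectancy: cost of one incident
    annual_rate: float    # annualised rate of occurrence (incidents per year)

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: the yearly cost of carrying this risk untreated."""
        return self.impact_gbp * self.annual_rate


@dataclass(frozen=True)
class Countermeasure:
    """A candidate control with its yearly cost and the share of the ALE it removes."""
    name: str
    annual_cost_gbp: float
    risk_reduction: float  # fraction of the ALE the control removes, in [0, 1]


def residual_ale(risk: Risk, control: Countermeasure) -> float:
    """Yearly loss still expected after the control is in place."""
    return risk.ale * (1.0 - control.risk_reduction)


def rosi(risk: Risk, control: Countermeasure) -> float:
    """Return on security investment: (loss avoided - control cost) / control cost.

    A value above 0 means the control avoids more loss per year than it costs.
    """
    avoided = risk.ale - residual_ale(risk, control)
    return (avoided - control.annual_cost_gbp) / control.annual_cost_gbp


def within_risk_cost(risk: Risk, control: Countermeasure) -> bool:
    """The article's test: the countermeasure costs no more than the risk itself."""
    return control.annual_cost_gbp <= risk.ale


def acceptable(risk: Risk, control: Countermeasure, appetite_gbp: float) -> bool:
    """True when the residual yearly loss falls within the stated risk appetite."""
    return residual_ale(risk, control) <= appetite_gbp


def rank_controls(risk: Risk, controls: List[Countermeasure],
                  appetite_gbp: float) -> List[Tuple[str, float, bool, bool]]:
    """Rank candidate controls by ROSI, best first, with both go/no-go checks."""
    rows = [(c.name, rosi(risk, c), within_risk_cost(risk, c), acceptable(risk, c, appetite_gbp))
            for c in controls]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed register entry: the survey's £30,000 average incident cost, with a
# constructed 0.44 incidents/year likelihood and a constructed £5,000 appetite.
SAMPLE_RISK = Risk("severe security incident", impact_gbp=30_000.0, annual_rate=0.44)
RISK_APPETITE_GBP = 5_000.0

# Constructed candidate controls (hypothetical names and figures).
CONTROLS = [
    Countermeasure("patch management programme", annual_cost_gbp=5_000.0, risk_reduction=0.75),
    Countermeasure("managed monitoring service", annual_cost_gbp=20_000.0, risk_reduction=0.90),
]

if __name__ == "__main__":
    print(f"ALE of untreated risk: £{SAMPLE_RISK.ale:,.0f}/year")
    for name, r, cheaper_than_risk, within_appetite in rank_controls(
            SAMPLE_RISK, CONTROLS, RISK_APPETITE_GBP):
        print(f"{name:30s} ROSI={r:+.2f}  cost<=risk={cheaper_than_risk}  "
              f"residual within appetite={within_appetite}")
```

The second control removes more of the risk yet fails the article's own test: it costs more per year than the risk it treats, so its ROSI is negative even though the residual loss sits comfortably inside the appetite. The first control is cheaper than the risk and pays back roughly its own cost each year. Whichever is chosen, the figures only stay honest if the incident rate and impact are revisited as the monitoring described in the text reports real results.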

The link for this article located at ebcvg.com is no longer available.