07 November 2007

Return on Security Investment (ROSI)

Earlier this year, I prepared a presentation for a Security Conference that includes a concept I think other readers might find interesting: the "Return on Security Investment." Basically, the idea is to perform a Risk Assessment and to calculate the probabilities of occurrence of the various scenarios that can cause losses or other damage.

Next, you determine the most appropriate controls to mitigate or eliminate those risks, and determine their costs. For example, if you know that there is a 2% chance that the annual Spring rains will bring major floods, and you have a house near a river, you might expect that repairs of the damage caused by flooding could cost you 100,000 of your local currency. You consider various options for protecting your house, e.g., installing flood defenses, diverting the river, putting in basement pumps, etc.

Given that a 2% chance annual event is likely to occur at least once in 50 years, we can then analyse whether investing in counter-measures -- i.e., security controls -- is going to cost us more than the event itself. Assuming we normalize for the time value of money (Net Present Value), a single loss event cost of 100,000 means an average cost per year of 2,000 (recall that we expect this event at least once every 50 years). So, if the capital and operational (CAPEX/OPEX) costs of the controls are more than 2,000 currency units per year, then it's probably not a good investment for us.

In that case, our next step would be to try to transfer the risk -- i.e., by finding an insurer who would sell us 100,000 worth of flood insurance coverage for, say, 1,800 units per year -- which would be a good financial decision, based on Return on Security Investment (ROSI). Of course, our insurer is likely using a similar basis of calculation -- but they have advantages of scale and usually superior sources of information on risk, and therefore may well offer a better price.
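The comparison sketched above (accept the risk, mitigate it with controls, or transfer it to an insurer), written out as an added example that is not part of the original post. The flood figures are the post's own; the control options, their costs and residual probabilities are constructed placeholders, and the NPV normalization is approximated with a flat discount rate over a fixed horizon.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Scenario:
    annual_probability: float  # e.g. 0.02 for the post's 1-in-50-year flood
    single_loss: float         # cost of one occurrence

    def annual_expected_loss(self) -> float:
        # Annualised loss expectancy: probability times the single-loss cost
        return self.annual_probability * self.single_loss

@dataclass
class Treatment:
    name: str
    capex: float                 # one-off cost, paid up front
    annual_opex: float           # recurring cost: maintenance, or an insurance premium
    residual_probability: float  # yearly chance of an uncovered loss with this in place

def npv(yearly_amounts: List[float], rate: float) -> float:
    """Discount year-1..year-N cash flows to present value at a flat rate."""
    return sum(amt / (1 + rate) ** (year + 1) for year, amt in enumerate(yearly_amounts))

def option_costs(scenario: Scenario, options: List[Treatment],
                 years: int, rate: float) -> Dict[str, float]:
    """Present cost of each option over the horizon, 'accept' (do nothing) included.
    A treatment's cost is its own spend plus the losses it fails to prevent."""
    costs = {"accept": npv([scenario.annual_expected_loss()] * years, rate)}
    for t in options:
        residual_loss = t.residual_probability * scenario.single_loss
        costs[t.name] = t.capex + npv([t.annual_opex + residual_loss] * years, rate)
    return costs

def rosi(scenario: Scenario, t: Treatment, years: int, rate: float) -> float:
    """(loss avoided - treatment spend) / treatment spend; negative means don't buy it."""
    baseline = npv([scenario.annual_expected_loss()] * years, rate)
    residual = npv([t.residual_probability * scenario.single_loss] * years, rate)
    spend = t.capex + npv([t.annual_opex] * years, rate)
    return (baseline - residual - spend) / spend

# The post's flood figures, plus constructed (hypothetical) control options.
FLOOD = Scenario(annual_probability=0.02, single_loss=100_000)
OPTIONS = [
    Treatment("insurance", capex=0, annual_opex=1_800, residual_probability=0.0),
    Treatment("basement pumps", capex=5_000, annual_opex=500, residual_probability=0.01),
    Treatment("river diversion", capex=40_000, annual_opex=200, residual_probability=0.002),
]
```

Over a 20-year horizon at a zero discount rate the constructed pumps option comes out cheapest, insurance beats accepting the risk, and the diversion has a negative ROSI; changing `years` or `rate` shows how sensitive the ranking is to those two assumptions.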

In the final analysis, the worst thing we can do is nothing, and hope for the best.
