Is There a Business Case for IT Security?

By Tom Pisello

Security spending is one of the top five IT priorities for 2004, with spending expected to increase 15 to 20 percent this year. But even with companies devoting a larger portion of the IT budget to security initiatives, it is not necessarily sufficient to meet increasing risks. How can IT security officers make the case for the larger expenditures they need?

Scare tactics around the intangible fear, uncertainty, and doubt (FUD) of security risks are not sufficient bases for selling management on the necessary funding. Security proposals must be based on the financial impact to the company so that the bottom-line implications of implementing the proposal can be fairly assessed against other priorities.

So what is the business case for security investments? The risks of security issues can be quantified, as can the cost of mitigating the risk. The cost and risk-mitigation benefits can then be compared to calculate key financial metrics such as payback and return on investment (ROI).

Of course, unlike other business cases, the risk mitigation is a "soft" benefit in that while there is a benefit to preventing an incident, no one can say with certainty that the incident would have occurred without the mitigation effort. Thus, if the proposed security solution is not purchased, it is still possible that a breach will never occur.

This issue of soft versus hard benefits does not invalidate the security business case, but it does make it unique. While almost all business cases include both hard and soft benefits, most of the important benefits with security business cases are soft.

The first step in developing a business case for IT security solutions is to start with the potential benefits of the proposed solution. They can be grouped into four major categories.

The first category covers the savings that can be realized by reducing security's total cost of ownership. New security solutions can lower life-cycle costs for hardware, software, maintenance, labor, and services. This benefit should not drive the decision, as the main goal is to reduce risks, but many security business cases can pay for themselves in fewer than 12 months based on these hard savings, particularly in the areas of security policy and patch management.

The second category addresses the savings that would accrue from reducing the cost of responding to and resolving incidents. Every time a breach occurs, the company incurs a cost as the IT department resolves the issue, repairs damage, and conducts forensics to prevent the threat from reemerging. New security investments can mitigate the probability of a breach, and if a breach does occur, reduce the effort needed to respond. They can also shorten postmortem forensics.

In addition to the cost of remediation, most breaches also cause business damage in the form of productivity losses, as employees and customers struggle with infected machines and related downtime. This is the third category of savings. Although this soft benefit is harder to estimate, the business impact is the largest cost when a serious breach occurs. New security investments reduce the probability that a security breach will occur, and thereby limit the potential for downtime and lost business.

Softer still and even harder to estimate is a security breach's collateral damage, including litigation fees, fines for information disclosure, and harm to the company's overall image and brand. Security solutions can minimize the risk and scope of the breach and, therefore, lessen the risk of collateral damage.

One of the approaches that Alinean (where the author works) has taken in seeking ways to quantify security's bottom-line benefits is to develop a list of six types of security risks an organization faces. We have then quantified the average business and collateral damage per security breach. These numbers help justify security purchases by identifying estimated costs mitigated for various types of incidents. IT security professionals might look at their own company's loss experiences to develop similar numbers.

Based on historical data, the most costly breaches are data destruction or damage and information theft and disclosure. On average, responding to and resolving this type of breach will take 120 hours or more of IT staff time, with a cost estimated at $350,000. Then there is the cost associated with having to reconstruct or face the loss of the company's intellectual property contained in the corrupted data, which has been estimated at $250,000 per incident. These types of breaches occur on average once for every thousand users, creating the potential for large companies to spend millions each year.

Denial of service attacks are typically the next most costly, with damages averaging $122,000 for each successful attack. These require upwards of 32 hours per system to remediate, and usually require immediate attention from the IT staff to restore service. For enterprises that rely more heavily on Web sales and access, these damages can be significantly higher.

Malicious code attacks--viruses, worms and Trojans--are the most high-profile security breaches. According to the Computer Security Institute and the FBI, 82 percent of organizations have suffered a malicious code attack, the most frequent type of security breach, and the one most likely to cause financial damage. These take an average of four hours per system to fix, and cost $24,000 each. If the malicious code is coordinated with a denial-of-service attack or data destruction, the costs increase exponentially.

Other security breaches, such as policy violations, errant user behavior, and physical theft, are more common for organizations. As many as 25 percent of former employees leave with company assets--costing on average up to $5,000 each time--while user wrongdoing, whether or not intentional, happens dozens of times a year and costs about $20,000 each time.

Of course, using the company's own security breach experiences adds credibility to the accuracy of the risk assessment. Each organization differs based on its industry, hiring practices, and security policies. The security team should keep a log of breaches and their costs, and use this data to build the business case.

Cost is only one consideration, however. Another important factor is the probability of occurrence. To calculate the probability of the risk, Alinean has developed the following formula: Predicted number of breaches per year = personal probability of security breach occurring ´ estimated number of incidents per 1,000 users ´ the multiple of 1,000 users.

For example, one company we work with in the legal industry did not have a best practice antivirus program in place. We first calculated their estimated virus-attack profile as follows: Predicted number of breaches per year = 75% ´ 2.1 [per 1,000 users] ´ 4 [4,000 users] = 6.3.

The company compared this prediction against experience and support logs and indicated that it was close to the expected incidents per year. The incident mitigation labor costs for IT were then estimated to be $24,000 per incident, costing the company about $150,000 in direct IT costs for mitigation. Productivity losses for employees, and business impact was well over double this cost per year.

With this estimated risk, the IT team was able to convince management that increased security spending on the company's existing antivirus software was justified; the IT group obtained the resources to implement the program correctly.

In doing these assessments, a company must also correctly identify the assets that need to be protected. Estimating damage costs using industry averages without knowing the specific assets at risk for the company and their values may wildly overestimate or underestimate the potential business risk. It's important to match each risk and the potential scope of the damage an incident could cause against the business assets--such as key company databases, Web sites, portals, systems, and facilities--to assess the potential extent of the damage.

Like all business expenditures, security investments require metrics-based justification in the boardroom. FUD warnings lost their value long ago. Security managers who want to procure the funding they need must justify that spending. Learning to quantify the hard and soft security costs is the first step.

Tom Pisello is the CEO of Orlando-based Alinean, which specializes in ROI consultancy.



The Magazine — Past Issues


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.