Risk management
Calculated Risk
FIND AND USE DATA THAT'S OUT THERE. The most common misconception CSOs have about ROSI is that there isn't any data available to even start an ROSI study. There's a ton of it, and the body of usable statistics is growing. Some is free for the taking, other data you might have to pay for, but the actuarial figures do exist. (CSOs who come from a physical security world probably know this, as they've dealt with risk of theft, natural disasters and so forth for a long time and have sought out the data on the probability of such events.)
CERT and Riptech, for example, have combed over data to discover some incredibly useful facts. They measured attacks per company, which right now come in at a rate of 2,112 attacks over two years. What's more, at current growth, that number will grow to 8,403 attacks per company over two years. That's a fourfold increase--which strengthens the ROI argument. Mitigation now will protect against a growing threat. In addition, CERT built some complicated math that shows security spending is a diminishing-return game; that is, as you spend more, the probability of attack goes down but at an ever-slowing rate. By crossing this data with what are called indifference curves (too complicated to get into here), you can actually determine a kind of sweet spot of security spending for your organization.
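The following is an added worked example, not code or math from the article, CERT or Riptech. CERT's actual model is not given here, so it substitutes a simple assumption: the probability that an attack succeeds decays exponentially with security spend, which reproduces the diminishing-returns behaviour the paragraph describes. Instead of indifference curves it finds the sweet spot by minimising total cost (budget plus residual expected loss). The attack counts are the article's (2,112 and 8,403 per company over two years, halved to yearly rates); the baseline success rate, loss per successful attack and decay constant are constructed assumptions.

```python
import math

# Attack counts come from the article (2,112 and 8,403 attacks per company over
# two years); everything else below is a constructed assumption for illustration.
BASELINE_ATTACKS_PER_YEAR = 2112 / 2
PROJECTED_ATTACKS_PER_YEAR = 8403 / 2

P0 = 0.01                   # assumed: share of attacks that succeed with no added spend
LOSS_PER_SUCCESS = 50_000.0 # assumed: average cost of one successful attack, in dollars
K = 1 / 200_000             # assumed: each $200k of spend cuts success probability by a factor of e


def success_probability(spend, p0=P0, k=K):
    """Probability that one attack succeeds at a given annual security spend.

    Exponential decay is a stand-in for the diminishing-returns relationship the
    article attributes to CERT; it is not CERT's published model."""
    return p0 * math.exp(-k * spend)


def annual_loss_expectancy(spend, attacks, loss=LOSS_PER_SUCCESS, p0=P0, k=K):
    """Expected yearly loss: attacks per year x success probability x loss per success."""
    return attacks * success_probability(spend, p0, k) * loss


def total_cost(spend, attacks, loss=LOSS_PER_SUCCESS, p0=P0, k=K):
    """What the organisation pays overall: the security budget plus the residual expected loss."""
    return spend + annual_loss_expectancy(spend, attacks, loss, p0, k)


def sweet_spot(attacks, loss=LOSS_PER_SUCCESS, p0=P0, k=K):
    """Spend that minimises total cost.

    d/ds [s + A*p0*L*exp(-k*s)] = 0 gives s* = ln(k*A*p0*L)/k. If that is negative,
    the first marginal dollar never pays for itself and the optimum is zero spend."""
    return max(0.0, math.log(k * attacks * p0 * loss) / k)


def sweet_spot_by_search(attacks, loss=LOSS_PER_SUCCESS, p0=P0, k=K,
                         step=1_000.0, limit=5_000_000.0):
    """Brute-force cross-check of the closed form: scan spend levels, keep the cheapest."""
    best_spend, best_cost = 0.0, total_cost(0.0, attacks, loss, p0, k)
    spend = step
    while spend <= limit:
        cost = total_cost(spend, attacks, loss, p0, k)
        if cost < best_cost:
            best_spend, best_cost = spend, cost
        spend += step
    return best_spend


def rosi(spend, attacks, loss=LOSS_PER_SUCCESS, p0=P0, k=K):
    """Return on security investment: (loss avoided - cost of the control) / cost of the control."""
    avoided = (annual_loss_expectancy(0.0, attacks, loss, p0, k)
               - annual_loss_expectancy(spend, attacks, loss, p0, k))
    return (avoided - spend) / spend


def marginal_loss_reduction(spend, attacks, delta=10_000.0, loss=LOSS_PER_SUCCESS, p0=P0, k=K):
    """Loss avoided by the next `delta` dollars; shrinks as spend grows (diminishing returns)."""
    return (annual_loss_expectancy(spend, attacks, loss, p0, k)
            - annual_loss_expectancy(spend + delta, attacks, loss, p0, k))


if __name__ == "__main__":
    for label, attacks in (("today", BASELINE_ATTACKS_PER_YEAR),
                           ("projected", PROJECTED_ATTACKS_PER_YEAR)):
        s = sweet_spot(attacks)
        print(f"{label}: {attacks:,.0f} attacks/yr, "
              f"ALE at zero spend ${annual_loss_expectancy(0.0, attacks):,.0f}, "
              f"sweet spot ${s:,.0f}, residual ALE ${annual_loss_expectancy(s, attacks):,.0f}, "
              f"ROSI at sweet spot {rosi(s, attacks):.0%}")
```

Under these assumptions the sweet spot for today's attack rate is about $194k of annual spend, and when the attack rate quadruples the optimal spend roughly doubles while the ROSI at that spend rises sharply, which is the article's point that a growing threat strengthens the investment case. Swap in your own canvassed figures for `P0`, `LOSS_PER_SUCCESS` and `K`; the shape of the answer (a finite optimum where the marginal dollar of spend equals the marginal loss it avoids) does not depend on the particular numbers.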
Consultancy @Stake has published well-known numbers that prove that the earlier you build security into applications, the higher the return. The company's researchers now believe they probably lowballed their 21 percent ROI for incorporating security from the start.
You need to cull as much of this kind of data as possible and keep it in your toolbox because the more you set out to show returns on security, the more you'll be coming back to these kinds of figures.
CANVASS TO GET WHAT'S NOT OUT THERE. If the first piece of advice is "go to the library," then this is "play detective." You must develop certain numbers, like the cost of incidents to your organization and the probability that a given incident will occur. While these numbers can be based on research, to hone them for your situation requires canvassing of the relevant players--including business managers within your company, peers at similar companies, economists, consultants and so on.