Finally, a Real Return on Security Spending

By Scott Berinato

The Law of Diminishing ROSI

If you want to give CEOs and CFOs a ROSI they can love, show them a curve.

That's what researchers at Carnegie Mellon University (CMU) did in "The Survivability of Network Systems: An Empirical Analysis." The study is as dense and dispassionate as its title. (So are its bureaucratic underpinnings: It was done at the Software Engineering Institute in conjunction with the public-private cooperative effort called CERT, both housed at CMU.)

The study measures how survivability of attacks increases as you increase security spending. Economists call it regression analysis. It's basically a curve showing the trade-off between what you spend and how safe you are.

To get the curve, the team relied on data from CERT, established by the government in 1988 after a virulent worm took down 10 percent of the then-very-limited public network (what would become the Internet). CERT logged security breaches and tracked threats, mostly through the volunteer efforts of the private and public organizations directly affected.
