Estimating Results

Security has historically been hard to quantify in terms of its return on investment. Expected returns are usually based on the principle that the costs of not implementing security can far outweigh the costs of implementing it. We know that the costs of not implementing security can be devastating for those businesses that are subject to attacks, carelessness, or even simply bad luck. The costs can impact business operations, revenues, customer relationships, shareholder value, and even business life expectancy. These devastating effects can also occur within minutes, hours, or days.

The challenge has always been how to determine how much security is adequate. The law of diminishing returns and the unpredictability of the nature and timing of attacks means that no investment amount is ever enough to offer complete security. An organization must determine its own risk profile and the amount of risk it can tolerate.

Some of the suggested solutions can be on the higher end of security costs since they are newer, more powerful enablers for protection, detection, and reaction. Investing in security requires more planning than most packaged business application investments. For those business applications, all that is required is an implementation plan and solid program and project management. In the security arena, technologies need to be selected and implemented, but that is only part of the solution. A continual program of education, management, and monitoring is required. Security policies and procedures have to be living documents that are frequently updated to reflect changes in the nature of threats and vulnerabilities and changes in the direction of the business. Constant vigilance has to be in effect, and defenses need to be updated in real time with the latest patches and fixes. If all goes well, nothing happens. If things do not go well, nothing good happens.

A return-on-investment formula for security can weigh the cost of implementing security measures against the costs due to losses if the measures are not in place. Costs due to losses can be measured in a variety of ways. They can include lost revenues, for example, from an online storefront, and the costs of bringing the business back online and restoring systems and data to their original state prior to any corruption. In extreme circumstances, costs can also include the larger-impact, but more intangible, costs of lost customer confidence, lost customers, and a reduced stock price.

A total return-on-investment formula can also include the cost savings in IT management of security that can be gained by moving toward centralized management and applications such as single sign-on. Single sign-on increases productivity by allowing end users to authenticate themselves once to gain access to a number of enterprise applications. These types of centrally managed applications and end-user convenience factors can make employees more productive even as users, devices, and applications proliferate. Without such measures, increased levels of security can be a drain on productivity rather than an enabler.

A basic return-on-investment formula for security is as follows:

Return on security investment = Tangibles + Intangibles = (Minimized business disruption + Increased IT productivity) / (IT costs) + Increased business resiliency

Investments in security can provide strong returns through cost avoidance. The amount of cost avoidance is hard to predict, but the increasing availability of industry statistics can help to profile the most common classes of attack and the costs that they can incur. As private industry and government align more closely to protect critical infrastructure after the terrorist attacks of 2001, there is hope that more data on security breaches will be shared. This sharing of data will help to build a more accurate profile of the costs associated with attacks and of the nature and frequency of attacks experienced by the business community. As we learn more about the types of threats and vulnerabilities, we can focus resources in the right areas with the right technologies and processes in order to prevent, detect, and react. By doing so, we can then refocus the business on the offensive, using emerging technology as a growth engine, secure in the knowledge that the defenses are squarely in place.

Business Innovation and Disruptive Technology: Harnessing the Power of Breakthrough Technology ...for Competitive Advantage
ISBN: 0130473979
Year: 2002
Pages: 81
