Due to the discussions produced over the last few days, I took the time to ask Dr. Lawrence Gordon and Dr. Martin Loeb their opinion on the security ROI issue. For those of you who do not know, Gordon and Loeb wrote the book Managing Cyber Security Resources: A Cost-Benefit Analysis. I’d like to thank Dr. Gordon for his reply.
Here is the email of Dr. Gordon in full:
Thanks for your e-mail message concerning the question: Does Information Security have an ROI? It is important to realize that there is a very large body of academic and practitioner-oriented literature in accounting and economics (going back to at least the early 1900s) that addresses the more fundamental issues of: (1) ROI vs. a real economic rate of return (usually called the IRR), and (2) maximizing the ROI (or IRR) is, in general, not an appropriate economic objective. The above noted, it is conceptually possible to compute the ROI for information security investments, but there are significant measurement problems with such a metric. Accordingly, those who argue that you can compute an ROI for information security investments are technically correct. However, those who argue that an ROI for information security investments has significant measurement problems and therefore should not be computed, certainly raise a valid concern.
Rather than trying to derive the ROI of security investments, a much better strategy is to work on the related issues of deriving an optimal (or at least desirable) level of information security investments and the best way to allocate such investments. This strategy is the focus of the Gordon-Loeb Model (for a brief summary of the focus of this model, and a link to the actual paper, go to: http://www.rhsmith.umd.edu/faculty/lgordon/Gordon%20Loeb%20Model%20cybersecurity.htm)
Following the link in Dr. Gordon’s email we find part of the Gordon-Loeb model described as such:
The Gordon-Loeb Model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set’s vulnerability. In other words, organizations may derive a higher return on their security activities by investing in cyber/information security activities that are directed at improving the security of information sets with a medium level of vulnerability.
From the description above, we do understand Information Security to have a return.
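The linked summary states the conclusion without the underlying formulas, so here is an added worked example (not part of the original post, the email, or the linked page) that reproduces the "medium vulnerability" result using the class II breach probability function S(z, v) = v^(αz+1) from the Gordon and Loeb (2002) paper; the values of α and the loss L are constructed for illustration.

```python
import math

# Constructed illustration values: alpha is the breach-function productivity
# parameter, LOSS the monetary loss if the information set is breached (same
# units as the investment z).
ALPHA = 0.01
LOSS = 1000.0

def breach_probability(z, v, alpha=ALPHA):
    """Class II Gordon-Loeb breach function S(z, v) = v**(alpha*z + 1).
    v = vulnerability (breach probability with no investment), z = spend."""
    return v ** (alpha * z + 1.0)

def expected_net_benefit(z, v, loss=LOSS, alpha=ALPHA):
    """ENBIS(z) = [v - S(z, v)] * L - z: expected loss avoided minus the spend."""
    return (v - breach_probability(z, v, alpha)) * loss - z

def optimal_investment(v, loss=LOSS, alpha=ALPHA):
    """Closed-form z* maximising ENBIS for the class II function.
    d ENBIS/dz = 0 gives S(z*, v) = 1 / (alpha * L * (-ln v)); investing only
    pays when -v ln v > 1 / (alpha * L), otherwise the optimum is z* = 0."""
    if not 0.0 < v < 1.0:
        return 0.0
    neg_log_v = -math.log(v)
    if v * neg_log_v <= 1.0 / (alpha * loss):
        return 0.0
    return (math.log(alpha * loss * neg_log_v) / neg_log_v - 1.0) / alpha

def optimal_investment_grid(v, loss=LOSS, alpha=ALPHA, step=0.05):
    """Brute-force cross-check of the closed form: scan z from 0 up to L."""
    best_z, best_benefit = 0.0, 0.0  # z = 0 (do nothing) yields ENBIS = 0
    for i in range(1, int(loss / step) + 1):
        z = i * step
        benefit = expected_net_benefit(z, v, loss, alpha)
        if benefit > best_benefit:
            best_z, best_benefit = z, benefit
    return best_z

def investment_schedule(vulnerabilities, loss=LOSS, alpha=ALPHA):
    """z* per vulnerability level; rises, peaks mid-range, then falls to 0."""
    return [(v, round(optimal_investment(v, loss, alpha), 2)) for v in vulnerabilities]

if __name__ == "__main__":
    for v, z in investment_schedule([0.05, 0.1, 0.3, 0.5, 0.75, 0.85, 0.9, 0.95]):
        print(f"v={v:.2f}  z*={z:8.2f}  share of expected loss={z / (v * LOSS):.3f}")
```

With these constants the highly vulnerable sets (v of 0.9 and above) get no investment at all, while spending peaks around v = 0.75, which is the non-monotonic behaviour the quoted summary describes.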
At this point, I thank everyone for their security ROI comments: debate makes the blogosphere healthy. That said, I plan not to debate the security ROI issue in the future. Simply put: I’ll leave it to others who are more knowledgeable in this particular area of information security.