Late last year I read Matthew Rosenquist’s paper, Measuring the Return on IT Security Investments, over at Intel. I’m glad I have a few minutes to write about it.
The premise of the paper is simple: implementing a security measure (a control) should reduce the number of security incidents in a given environment. So, by counting those incidents over time, before the control goes in and continually afterwards, you get a metric that demonstrates the control's effectiveness and the return on the information security investment.
I enjoyed the paper because it’s pragmatic and it properly set my expectations:
- It will not work in every environment: the bigger the environment, the better
- It uses quantitative metrics
- It does not strictly define a security incident; that is left to whoever is using the metric
- It’s generally simple to follow and explain to non-security management
- It does not contain marketing fluff
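To make the premise concrete, here is a small worked example (added here, not code from Rosenquist's paper or from Intel) that counts incidents in equal windows before and after a control goes live and turns the difference into a return figure. The incident log, the cost per incident, the control cost and the ROSI formula `(avoided loss - control cost) / control cost` are all my assumptions; the paper leaves the definition of an incident to you. The `relative_error` helper illustrates the first caveat in the list above: incident counts behave like Poisson counts, so the relative noise on a count of n is roughly 1/sqrt(n), which is why a bigger environment (more incidents to count) gives a more trustworthy metric.

```python
from datetime import date, timedelta
from math import sqrt

# Constructed sample incident log, one (date, category) per incident.
# Made-up entries for illustration only, not Intel's figures.
INCIDENTS = [
    (date(2009, 1, 9), "malware"), (date(2009, 1, 22), "malware"),
    (date(2009, 2, 3), "phishing"), (date(2009, 2, 18), "malware"),
    (date(2009, 3, 7), "malware"), (date(2009, 3, 30), "lost-device"),
    (date(2009, 4, 12), "malware"), (date(2009, 5, 2), "malware"),
    (date(2009, 5, 27), "phishing"), (date(2009, 6, 15), "malware"),
    # assume the control (say, an endpoint hardening rollout) went live 2009-07-01
    (date(2009, 7, 20), "phishing"), (date(2009, 8, 29), "malware"),
    (date(2009, 10, 4), "lost-device"), (date(2009, 11, 17), "malware"),
]
CONTROL_LIVE = date(2009, 7, 1)
WINDOW = timedelta(days=180)  # compare equal-length windows on each side


def count_in(incidents, start, end):
    """Number of incidents dated in the half-open range [start, end)."""
    return sum(1 for d, _ in incidents if start <= d < end)


def rosi(avoided_incidents, cost_per_incident, control_cost):
    """Assumed ROSI formula: (avoided loss - control cost) / control cost."""
    avoided_loss = avoided_incidents * cost_per_incident
    return (avoided_loss - control_cost) / control_cost


def relative_error(n):
    """Poisson counting noise: the relative standard error of a count n is 1/sqrt(n)."""
    return 1 / sqrt(n) if n else float("inf")


def evaluate(incidents, control_live, window, cost_per_incident, control_cost):
    """Before/after counts around the control date plus the derived return and noise."""
    before = count_in(incidents, control_live - window, control_live)
    after = count_in(incidents, control_live, control_live + window)
    return {
        "before": before,
        "after": after,
        "avoided": before - after,
        "rosi": rosi(before - after, cost_per_incident, control_cost),
        "noise_before": relative_error(before),
        "noise_after": relative_error(after),
    }


if __name__ == "__main__":
    # Assumed costs: 10k per incident, 25k for the control over the window.
    result = evaluate(INCIDENTS, CONTROL_LIVE, WINDOW, 10_000, 25_000)
    for key, value in result.items():
        print(f"{key:>12}: {value:.2f}" if isinstance(value, float) else f"{key:>12}: {value}")
```

With these constructed numbers the control avoids 6 incidents over the window, for a ROSI of 1.4 (a 140% return on the control's cost), but the after-count of 4 carries about 50% relative noise, so the same calculation on a small environment should be read as a trend to keep measuring rather than a settled figure.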
A paper such as this helps to explain why operations and security are so closely aligned: a decrease in security incidents is also a decrease in operational costs.
It's also a very practical counter to the non-ROSI / non-ROI arguments that seem to crop up from time to time.
Here’s a link to Matt on video discussing Intel’s Security ROSI.
