Kenneth F. Belva

Dr. Gordon: Information Security can have a positive return

Before I begin, I’d like to thank Dr. Gordon for an interesting exchange of emails regarding information security economics, specifically enablement and positive return through information security assets.

The information security ROI debate was quite heated at times, sometimes bloody. I’m glad consensus is starting to form in the industry and we can slowly begin to put the debate behind us.

Security enablement is the next topic, with certain parties intensely aligned on one of three positions: that it is not possible, that it is possible only in certain instances, or that it is possible more frequently than believed.

Sam DeKay and I published a paper entitled “Virtual Trust: How to Gain and Sustain a Competitive Advantage using Information Security.” We demonstrated through real world cases how information security mechanisms and protocols may be used to create trust and enablement, rather than simply “loss prevention.” We also made an effort to point out that enablement and loss prevention are not incompatible models and both are necessary to understand information security.

We have supporters (Microsoft, IBM/Watchfire) as well as critics (Rothman, Bejtlich). Although, somehow, the critics always shout louder…

I wanted Dr. Gordon’s take on the economics of information security, and specifically whether or not information security can be used as enabling mechanisms. I also wanted to know if this constitutes a positive return, rather than loss prevention.

Please read all correspondence before commenting. Here is our exchange of emails.

Dear Ken:

There are numerous empirical studies which show that information security breaches can cause significant economic losses for an organization. Thus, it is common to consider information security investments as “cost savings” projects. To the extent such “cost savings” projects are successful in helping an organization avoid some security breaches, they clearly assist in preserving an organization’s revenues (or wealth). Thus, individuals who argue that information security activities help preserve the wealth of an organization are certainly correct.

However, the above is not the end of the information security story from an economics perspective. If an organization can distinguish itself as having much better information security than its competitors, then that organization may well derive a “competitive advantage” (at least in the short run, until competing firms catch up in terms of security) that results in increased demand for the organization’s physical product(s) and/or service(s). The increased demand for a firm’s product is clearly creating wealth for the firm (i.e., creating business value). The extent to which such wealth can be created will vary from industry to industry. For example, firms that operate in industries that rely heavily on Internet-based sales and/or Internet-based transactions are prime candidates for striving to achieve such “competitive advantage.” Firms that operate in industries that rely heavily on the notion of “trust” are also good candidates for striving to achieve such “competitive advantage.”

In sum, the argument that information security activities will help to preserve an organization’s wealth is certainly true. However, it is also true that information security activities can also help an organization to develop a “competitive advantage” that will result in creating wealth for an organization.

I then asked for clarification:

Hi Larry,

Thanks for your earlier reply.

Just to clarify a bit:

Can we also say that information security mechanisms, or combinations thereof (for example, digital certificates, authentication, DRM, etc.), enable businesses to create trust between parties and create new streams of revenue, and could therefore be considered business enablers as well as instrumental in creating a positive return? Might we say that, in certain cases, even though information security mechanisms are a necessary but not sufficient condition for revenue generation, these mechanisms can play other roles than simply “loss prevention”?

Thanks for your time.

To which he replied:

Yes, I would agree with all of the points noted in your [above] note. I was attending the annual American Accounting Association meeting (in Chicago) for most of last week. As you know, being away for the better part of a week means you play catch-up for another week. Thus, I gave you a quick answer (close to 1 a.m. in the morning) to an important and complicated issue.

Virtual Trust is a defensible position. It also seems to me important to discuss how information security practices may also be viewed as enablers — both technically and economically — instead of only as loss prevention mechanisms.

My hope is that this post opens a dialog for people who are interested in stepping out of their “loss prevention” comfort zone.


  1. Adam Aug 27, 2007 at 12:18 pm

    My comments are in “Security Advantage? I don’t buy it” which I just posted.

  2. Iang (GP) Aug 27, 2007 at 6:41 pm

    Hold on, this sounds like taking marketing / MBA speak and turning it into proof of necessity.

    Of course security MAY translate to better revenues … but does it? I say no, in general. History is replete with examples of winners who ignored security, and losers who concentrated on security.

    I postulate on why this is in a series of rants called GP, and the conclusion is … unfortunately … do not put in security until the enemy tells you where and when.

    Especially, trying to sell “trust” is aligned strongly with deception, confusion, and ultimately large losses. The days are long gone when you can simply sell security on a compelling story; now, you will have to show it.

  3. Kenneth F. Belva Aug 27, 2007 at 7:03 pm

    I have replied to your post here.

    I think that part of the Gordon-Loeb model is loosely aligned to your comment to “not put in security until the enemy tells you where and when.”

    I also think, Iang, that my reply to Adam will address some of the issues you raise.

One Trackback

  1. […] See Ken Belva, “Dr. Gordon: Information Security can have a positive return.” […]
