C. Warren Axelrod

A Return to ROSI: The Economics of Security

It has been interesting to observe that two posts on ROSI (return on security investment) have been on this web site’s most popular list for more than a month. It is of further interest that the two posts take somewhat opposing views, which is actually quite representative of the dilemma that information security professionals are facing. Many agree with the general concept of risk assessment and risk-return analysis. The question is whether it is in fact possible to derive the inputs, consisting of probability estimates relating to losses incurred and losses avoided, or to measure intangible costs and benefits. You can either dismiss the whole ROSI approach as being undoable or, as I described in my very first column, you can make a couple of assumptions, derive some estimates and come up with an answer that improves decisions and reduces risk.
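To make the engineer’s approach in the paragraph above concrete, here is an added worked example (my illustration, not code from the column or from any of the authors it mentions). It assumes the commonly used ROSI form, ROSI = (annual loss avoided − annual control cost) / annual control cost, with annual loss expectancy taken as single-loss magnitude × annual rate of occurrence, and it uses constructed figures. The useful part is not the one-line ratio but the robustness check: each estimate is scaled down and up by a factor, and a control is only flagged “robust” when ROSI stays positive across every combination, which is the practical answer to “but the probabilities are only guesses.”

```python
"""ROSI with a sensitivity check on uncertain inputs.

Added illustration; all names, formulas and figures below are assumptions
chosen for the example, not the column's own numbers.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Control:
    """A candidate security investment (hypothetical)."""
    name: str
    annual_cost: float   # yearly cost of the control, in currency units
    mitigation: float    # fraction of expected loss the control avoids, 0..1


def annual_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """ALE = single loss expectancy x annual rate of occurrence."""
    return single_loss * annual_rate


def rosi(single_loss: float, annual_rate: float, control: Control) -> float:
    """ROSI = (loss avoided - cost) / cost, using the assumed ENISA-style form."""
    ale_before = annual_loss_expectancy(single_loss, annual_rate)
    loss_avoided = ale_before * control.mitigation
    return (loss_avoided - control.annual_cost) / control.annual_cost


def sensitivity(single_loss: float, annual_rate: float, control: Control,
                factor: float = 2.0) -> tuple[bool, float, float]:
    """Recompute ROSI with each estimate scaled by 1/factor, 1 and factor.

    Returns (robust, worst_rosi, best_rosi); robust means ROSI stays
    positive even when both estimates are off by `factor` in the bad direction.
    """
    loss_cases = (single_loss / factor, single_loss, single_loss * factor)
    rate_cases = (annual_rate / factor, annual_rate, annual_rate * factor)
    results = [rosi(s, r, control) for s, r in product(loss_cases, rate_cases)]
    worst, best = min(results), max(results)
    return worst > 0, worst, best


def compare_controls(single_loss: float, annual_rate: float,
                     controls: list[Control], factor: float = 2.0) -> list[dict]:
    """Rank controls by base-case ROSI and annotate each with its robustness."""
    rows = []
    for c in controls:
        robust, worst, best = sensitivity(single_loss, annual_rate, c, factor)
        rows.append({"name": c.name, "rosi": rosi(single_loss, annual_rate, c),
                     "robust": robust, "worst": worst, "best": best})
    return sorted(rows, key=lambda row: row["rosi"], reverse=True)


if __name__ == "__main__":
    # Constructed scenario: a 200,000 loss event estimated at once every four years.
    SLE, ARO = 200_000.0, 0.25
    candidates = [
        Control("full-scope control", annual_cost=20_000.0, mitigation=0.8),
        Control("targeted control", annual_cost=5_000.0, mitigation=0.5),
    ]
    for row in compare_controls(SLE, ARO, candidates):
        flag = "robust to 2x estimate error" if row["robust"] else "decision depends on the estimates"
        print(f"{row['name']:20s} ROSI={row['rosi']:5.2f} "
              f"range [{row['worst']:5.2f}, {row['best']:5.2f}]  {flag}")
```

In the constructed scenario the larger control looks best in the base case (ROSI 1.0 versus 4.0 for the cheaper one is the point: the cheaper control actually ranks higher), but only the cheaper control keeps a positive ROSI when both estimates are halved. That is the kind of answer the column describes: not a precise number, but a decision that survives rough inputs.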

I recall a Scottish mathematics professor (which is not surprising given that I attended Glasgow University), who was attempting, with only moderate success, to imbue his class of engineering students with a sense of the beauty and elegance of mathematics. In feigned annoyance, he explained that the difference between engineers and physicists (or mathematicians) is that the latter will look at a problem and deem it to be unsolvable, whereas an engineer will make a few simplifying assumptions and build it – and guess what? It works! You should know that this was at a time when the Physics Department at Glasgow University was still called the Department of “Natural Philosophy.”

I admit it, I’m an engineer at heart and by training. I don’t see the point in all these intellectual gyrations over the meaning of “return” in ROSI, the accuracy of estimates of the probabilities and magnitudes of losses, and the consequent validity of risk numbers. Spending my formative years in Scotland taught me the importance of common sense. The Scots are ever pragmatic (they had to be in order to survive the rugged life in the Highlands and the attacks of the Gaels, Celts, Picts, Scots, Vikings, Romans, English and other such ne’er-do-wells) and so have no time for puffery. They just want to get the job done. That is probably why the country is so well known for its engineers, counting among its number Lord Kelvin, who (unfortunately, in my view) originated the mantra “You can’t manage that which you can’t measure” – and John Logie Baird, the true inventor of television!

So what brought me, an engineer, to security economics? Well, I decided to take a master’s degree in economics in Glasgow University’s “Political Economy” Department, which, as you might guess, was not in any way mathematically orientated – a difficult cultural change for an engineer. Lecturers would apologize for having to draw graphs on the blackboard, taking care to explain each time that “this is the x-axis, and this is the y-axis.” From Glasgow I went through a second culture shock by entering a doctoral program at the Johnson Graduate School of Management at Cornell University, where I studied managerial economics under such luminaries as Hal Bierman and Sy Smidt, among the fathers of capital budgeting and decision-making under uncertainty. I chose as my thesis topic the economic evaluation of computer resources, an area that was being championed at the time by later-to-become Nobel laureate William F. Sharpe in his definitive book The Economics of Computers.

Scroll forward several decades … Having held a series of staff and line IT management jobs, mostly in financial services, I moved into information security full-time more than ten years ago. Only within the past few years did I become aware of work being done on security economics by Ross Anderson at Cambridge University and by Larry Gordon and Martin Loeb of the Robert H. Smith School of Business at the University of Maryland. Quite coincidentally, Ken Belva, the editor of this magazine, introduced me to Professor Gordon, who, I was delighted to learn, had majored in managerial economics and was very familiar with the work of Bierman and Smidt.

On May 1st I was privileged to meet Larry Gordon in person, as we were both participating on a panel at a Financial Fortress Leadership Group (FFLG) meeting in New York. FFLG is sponsored by Ernst & Young and organized by E&Y Director Bob Gleason. The excellent bimonthly meeting assembles senior information security professionals in the financial services industry in the New York area. It was a stimulating meeting with enthusiastic dialogue between presenters and attendees. We quickly discovered the high level of audience interest in learning how to use microeconomics to justify investments in security-related resources. Signed copies of Gordon and Loeb’s book, Managing Cyber-Security Resources: A Cost-Benefit Analysis, were distributed to attendees.

The third member of the panel was Bob Reinhold, from E&Y, who had co-authored, with Allen Ureta, an article on IT effectiveness in the Winter 2007-2008 issue of E&Y’s magazine CrossCurrents. This article was actually the catalyst behind the FFLG session. I had read his article and suggested that we have a meeting on the subject. Bob Gleason said that the meeting topic had to be about information security, not just about IT. That’s when I realized that if one substituted “information security” for “information technology” in Bob’s article, practically every recommendation was applicable to infosec. We were then very fortunate to have Larry Gordon agree to join the panel.

So what’s the point of this somewhat lengthy story? Well, the point is that there is an emerging aspect of information security that you should be aware of and learn more about. The Gordon and Loeb book is a good place to start. It is important for information security managers to understand the fundamentals of microeconomics and apply them to budgeting and investment decisions relating to security resources. This approach has already taken hold in the broader IT world, so not only will it serve to improve decision making for security, but it will also facilitate more productive communication with the senior IT management and business unit executives in your organization, in terms with which they are familiar.

As Professor Gordon so rightly pointed out at the meeting, decisions to invest in security are never made based solely on the results of microeconomic models, but cost-benefit analysis should always be a key input to such decisions.
