This research paper explores the issues related to defining and quantifying risk and return for capital investments in security solutions for information technology. This work begins by defining some of the most common types of attacks and breaches occurring against commercial and institutional information technology systems. It follows with a discussion of approaches to analyze and estimate the level of financial, legal and reputation risk around IT security events. Finally, the paper concludes by providing guidelines for estimating a budget for IT security initiatives, reporting results and relating the security initiatives to the strategic goals of the organization.

Several types of security breaches and events are common in commercial and institutional IT systems.

Defacement of web sites involves the compromise of the servers responsible for serving web pages. The compromise can result from improperly configured web server software or from flaws in the software that generates dynamic web pages. Web page defacement is often a response to a corporate or political policy.

A denial of service attack does not breach the target's systems; instead it exhausts the resources of the target organization so that legitimate users cannot reach its network and services. A denial of service attack can be aimed at the networking infrastructure, web servers, database servers or any other finite resource of the organization. A distributed denial of service attack is the network form of this attack, in which many hosts flood the target organization's network with packets. Like web page defacement, this attack is often a response to a corporate or political policy.

Systemic malware attacks involve the spread of a virus, worm or other malware throughout the workstation resources of an organization. This type of attack is less likely to be aimed at a specific organization. It may succeed because of a "zero day" vulnerability in workstation software that has not yet been patched by the vendor or blocked by the security software provider.

Corruption, theft or accidental release of information attracts the most attention and carries the most liability for an organization. This type of breach may involve the release of intellectual property, of private information about individuals working for the organization, or of information about the organization's customers.

Several factors contribute to the decision, or the requirement, to publicize a security breach. If personal information of employees or clients was released, the organization may be legally required to notify the individuals affected by the breach. In the case of a denial of service attack, customers or business partners of the organization may not be able to interact with the IT systems as expected, so the event is visible whether or not it is announced. "[…] unless there is some publicly observable consequence such as shutdown of a Web site or litigation, the press may not become aware of a breach. Thus, some breaches with the most potentially severe economic consequences (such as employee initiated breaches that may compromise proprietary information) may not be reported in a timely fashion." (Campbell, 2003).

There is no established formula or process for determining in advance the amount of risk or financial exposure associated with a security breach. Braithwaite (2002) contrasts the traditional loss-estimate model, based on the replacement or recovery of resources, with the situation today. Dependence on information technology systems is much higher; in many cases those systems are the business, and the loss from downtime or breach is much larger than just the replacement cost of the physical systems and their software. It was estimated in 2002 that losses to an online brokerage system could be as high as $6.5 million (US) per hour, and that a credit-card service bureau could lose as much as $2.5 million per hour. Garg (2003) estimates that financial losses to a publicly traded company through decreased trust could range from 0.5% to as much as 1.0% of annual revenue. Applying that percentage, a company with $1 billion (US) in annual revenue could lose as much as $10 million from a single incident.

The cost of a security-related event is far reaching. Repairing the organization's reputation, meeting legal responsibilities and hardening IT systems address only the issues at the surface. Garg's estimate includes the cost of the breach plus the resulting impact on the perception of trust by partners, investors and customers. For publicly traded companies there is the additional risk of a spillover effect on the company's stock price and long-term investment outlook. Cavusoglu (2004) estimates that an organization loses on average 2.1% of its market value within two days of reporting a breach to the public. For example, a company with a market capitalization of $100 billion (US) could lose $2 billion in value within a few days of reporting the theft of customer personal information. That amount does not include the follow-on investment in technology and process development to remedy the problem, legal costs, or the cost of repairing damage to the organization's reputation. "These potential costs include: (1) lost business (both immediate and long term as a consequence of negative reputation effects), (2) activities associated with detecting and correcting the breaches, and (3) potential legal liability." (Campbell, 2003). Publicly reporting a breach does not, in general, damage how a company or institution is viewed; the significant negative response from consumers, partners and investors arises when the security event involves the release of confidential information.

Estimating the risk of material, legal and market-image damage helps scope the problem of determining a budget for information security expenditures. There are several areas of investment that reduce security risk. Braithwaite (2002) describes a security investment approach based on a balanced strategy of prevention, detection and response. A recent trend related to prevention and response is the cyber-insurance policy. These policies provide financial relief to an organization following a security breach. Providers of larger policies often require regular security audits by third parties to help establish the level of risk of a future security problem. "According to the 2006 CSI/FBI Computer Crime and Security Survey, 29 percent of U.S. companies say they have external insurance policies to manage cyber security risks, up from 25 percent in 2005." (Brody, 2007). However, John Pescatore of Gartner states, "[…] the price of the policies is too close to the cost of an actual event. You may be better off just spending the money to avoid an incident."

In determining a budget for IT security expenditures, it is important to identify and place a value on hard-to-quantify assets and processes such as intellectual property and customer data. The executive staff needs to be involved in this process and help adjust and agree on the valuation, and the valuation needs to be revisited as the organization changes in scope and size. It is also important to place a value on the company's reputation from a security and trust standpoint. Braithwaite (2002) recommends two areas for consideration: the adverse impact of publicized incidents involving the company, and how the organization is judged by its involvement in support of national and industry security concerns. As mentioned earlier, Garg's (2003) estimate of potential revenue loss to the business can be used as a coarse-grained starting point for gauging the financial commitment to IT security initiatives. Brandel (2006) makes several recommendations on how to present and maintain funding levels for an IT security budget: avoid scare tactics with executives; use past security incidents as reference points within a business case for funding; plan the organization's funding requirements 12 to 24 months into the future; avoid repeated tactical requests for each security project, since that gives an impression of reactive rather than proactive planning; and explain the investments in terms of business goals and initiatives rather than the technical language of security.
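The figures the paper cites (Braithwaite's per-hour downtime losses, Garg's 0.5 to 1.0% of revenue, Cavusoglu's average 2.1% of market value) can be combined into a rough exposure envelope for a single incident, which is the kind of number the budgeting discussion above starts from. The following Python is an added illustration written for this page; it is not a model from the paper or from any of the cited authors. The organization figures, outage hours and the decision to apply the trust and market-value components only when confidential information is released are assumptions made here (the last one follows the paper's observation that disclosure alone does not drive the negative reaction).

```python
"""Loss-exposure envelope assembled from the estimates the paper cites.

Added illustration for this page, not a model from the paper or from any
cited author.  The percentages are the paper's cited figures (Garg 2003:
0.5-1.0% of annual revenue lost through decreased trust; Cavusoglu 2004:
2.1% of market value on average within two days of public disclosure).
The per-hour downtime cost is whatever the organization estimates for
itself; the paper quotes $6.5M/h for an online brokerage.  All
organization figures below are constructed inputs.
"""
from dataclasses import dataclass
from typing import Optional

# Cited estimates, expressed as fractions.
GARG_TRUST_LOSS_RANGE = (0.005, 0.010)   # share of annual revenue (Garg 2003)
CAVUSOGLU_MARKET_VALUE_LOSS = 0.021      # share of market cap (Cavusoglu 2004)


@dataclass(frozen=True)
class Organization:
    name: str
    annual_revenue_usd: int
    downtime_cost_per_hour_usd: int
    market_cap_usd: Optional[int] = None   # None: privately held, no stock-price effect


@dataclass(frozen=True)
class Exposure:
    downtime_usd: int        # hourly loss (Braithwaite-style figure) x outage hours
    trust_low_usd: int       # Garg lower bound
    trust_high_usd: int      # Garg upper bound
    market_value_usd: int    # Cavusoglu average drop after public disclosure

    @property
    def total_low_usd(self) -> int:
        return self.downtime_usd + self.trust_low_usd + self.market_value_usd

    @property
    def total_high_usd(self) -> int:
        return self.downtime_usd + self.trust_high_usd + self.market_value_usd


def estimate_exposure(org: Organization, outage_hours: float,
                      confidential_data_released: bool) -> Exposure:
    """Rough exposure for one incident, rounded to whole dollars.

    Assumption made here: the trust and market-value components apply only
    when confidential information was released, because the paper notes
    that disclosure by itself does not hurt how the company is viewed.  A
    pure denial-of-service outage therefore carries only its downtime cost.
    """
    downtime = round(org.downtime_cost_per_hour_usd * outage_hours)
    if not confidential_data_released:
        return Exposure(downtime, 0, 0, 0)
    low, high = GARG_TRUST_LOSS_RANGE
    trust_low = round(org.annual_revenue_usd * low)
    trust_high = round(org.annual_revenue_usd * high)
    market = round((org.market_cap_usd or 0) * CAVUSOGLU_MARKET_VALUE_LOSS)
    return Exposure(downtime, trust_low, trust_high, market)


def budget_starting_point_usd(org: Organization) -> tuple:
    """Garg's revenue-loss band, the coarse starting point the paper suggests
    for gauging the financial commitment to security initiatives."""
    low, high = GARG_TRUST_LOSS_RANGE
    return (round(org.annual_revenue_usd * low), round(org.annual_revenue_usd * high))


if __name__ == "__main__":
    # Constructed organization using the paper's own headline figures.
    brokerage = Organization("example online brokerage",
                             annual_revenue_usd=1_000_000_000,
                             downtime_cost_per_hour_usd=6_500_000,
                             market_cap_usd=100_000_000_000)
    dos = estimate_exposure(brokerage, outage_hours=4, confidential_data_released=False)
    theft = estimate_exposure(brokerage, outage_hours=0, confidential_data_released=True)
    for label, e in (("4h denial of service", dos), ("customer data theft", theft)):
        print(f"{label}: ${e.total_low_usd:,} to ${e.total_high_usd:,}")
    lo, hi = budget_starting_point_usd(brokerage)
    print(f"budget starting point: ${lo:,} to ${hi:,}")
```

The three components are different kinds of loss: downtime and the Garg band are operating losses, while the Cavusoglu figure is a change in shareholder value, so the sum is an envelope for comparing scenarios and sizing a budget, not a profit-and-loss figure. Running the script shows the contrast the paper draws: a four-hour outage at the brokerage costs about $26 million, while a theft of customer data with no outage at all lands above $2.1 billion once the market-value effect is included.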

The results of security initiatives can be difficult to estimate and to articulate. Benefits from security expenditures are indirect: there are no revenue streams from installing firewalls, compartmentalizing network segments or auditing workstations for compliance with IT policies. Brandel (2006) claims, "Investing in security rarely yields a return on investment, so promising [a] ROI will sound ill-informed to a senior executive. […] It's possible to discuss other benefits of security spending, such as protecting the company's ability to generate revenue, keep market share or retain its reputation." Reporting on the benefits of past security investments maintains the attention of executive sponsorship. Consider developing metrics from measurements such as attacks stopped at the firewalls, viruses scrubbed from inbound email, or the rate of a malware outbreak on the corporate intranet compared with its rate on the Internet at large. Choose metrics carefully and be sure they reflect the business' goals and language; a raw count of blocked attacks, for instance, rises with the level of background attack activity rather than with the effectiveness of the program, which is why the comparative measures are more informative. Investing in and reporting on IT security need not be focused solely on preventing exploits, the spread of malware or the unintended release of confidential information. It can also include the high availability of IT systems, the reliability of communications and the integrity of critical business information for ongoing operations. According to Drugescu (2006), metrics must measure organizationally meaningful things, be reproducible and consistent, be objective and unbiased, and measure some form of progression toward the identified strategic goal.

This paper analyzed the issues, recent opinions and research related to estimating and quantifying risk and return for IT security solutions. The most common types of security attacks and breaches against commercial and institutional information technology systems were described. A discussion of approaches to analyze and estimate the level of financial, legal and reputation risk around IT security events was provided. The paper offered guidelines for estimating a budget for IT security initiatives, and recommended regular reporting of security metrics and relating those metrics to the business goals of the organization. Industry is becoming more dependent on information technology in its day-to-day operations. As each year passes, the transformation of worldwide business to a platform of high-speed connectivity, data storage and Internet service exchanges expands the need to accurately quantify the risk from downtime and loss. Gauging the level of investment in security prevention, detection and response is vital to an organization's survival in the online, interconnected world.

References

Brandel, M. (2006). Avoid spending fatigue. Computerworld. April 17, 2006. Pg. 34.

Braithwaite, T. (2002). Executives need to know: The arguments to include in a benefits justification for increased cyber security spending. Security Management Practices. September/October 2002. Pg. 35.

Brody, D. (2007). Full coverage: how to hedge your cyber risk. Inc. Magazine. April 2007. Pg. 47.

Campbell, K., Gordon, L. A., Loeb, M. P., Zhou, L. (2003). The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer Security. 11 (2003) 431–448.

Cavusoglu, H., Mishra, B., Raghunathan, S. (2004). A model for evaluating IT security investments. Communications of the ACM. July 2004/Vol. 47, No. 7.

Drugescu, C., Etges, R. (2006). Maximizing the return on investment of information security programs: program governance and metrics. Information Systems Security. December 2006. Pg. 30.

Garg, A., Curtis, J., Halper, H. (2003). The financial impact of IT security breaches: What do investors think? Information Systems Security. March/April 2003. Pg. 22.

Roberds, W., Schreft, S. L. (2009). Data security, privacy, and identity theft: the economics behind the policy debates. Federal Reserve Bank of Chicago. 1Q/2009, Economic Perspectives. Pg. 22.