Break-even analysis: The highs and lows of risk and ROSI

What's a dollar spent on security worth in terms of risk? Break-even analysis helps you decide.

This article can also be found in the Premium Editorial Download: Information Security magazine: Virtualization security dynamics get old, changes ahead.

Pete Lindstrom

In my first column I issued a call to action to help technology risk management professionals make good decisions through the application of economic techniques. While that might seem like a tall order, you're already making those decisions. What you thought were random qualitative choices about running a security program actually reveal a lot about your risk expectations.

It's impossible to measure technology-related risk, or that's the commonly held belief. The reason: the challenge of determining both the likelihood of bad things happening and the financial amount that could be lost. It can be very complex (mind-boggling, really) if you attempt to think through all of the details.

But those "revealed preferences" (versus stated) are hard at work tattling on you by providing a baseline amount to work with. At the very least, every resource allocation decision involves justification; usually, just deciding to do the "most important" thing on your list, because "it's worth it."

Break-even analysis pointers

Therefore, we need to understand what "worth it" actually means in a decision to allocate resources. In a broad sense, it means that you believe every dollar you spend on security will reduce risk by at least that dollar. So a decision to spend $100,000 on a security solution is only made when you believe it will save $100,000 in reduced risk. That amount becomes your break-even point.


If you've never thought of resource allocation decisions in this way, I assure you, this is what you're stating to the world. And strangely, because we are dealing with historical decisions made over (possibly) many years, the decisions also incorporate all that shelf-ware and wasted time that you know exists as demonstrated by your continued willingness to allocate resources.

In economics, this revealed "willingness-to-pay" is one of the stronger measures of value. Even better, because we are using spending as a placeholder for the minimum amount of risk being reduced, and we know that risk is the product of the probability and impact of some negative outcome, we can plot a line on a risk matrix using the security spending amount as the slope. So, for example, a $100,000 investment to reduce risk by at least that amount can be plotted at points {100%, $100,000} through {1%, $10,000,000}, and on either side of the points for higher or lower frequencies. I call this the "Control Horizon."

Seeing this line on a graph (risk matrix) can provide a whole new level of insight into the beliefs of the enterprise when it comes to estimating risk. If the perceived amount of risk that's being addressed is below that line, the enterprise is essentially operating "underwater" and should consider alternative ways to address its issues.

ROSI outlook on risk

Hopefully (and usually), the amount of risk that's being addressed is reduced by more than the amount being spent. And this, my friends, is where we get "Return on Security Investment" (ROSI). ROSI is conceptually simple to understand. If you spend one dollar on security to reduce risk by two dollars, your ROSI is 100% for the time period that's being addressed: ($2-$1)/$1=100%.
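As an added illustration (not part of the column), here is a small Python model of the three ideas above: the break-even point, the Control Horizon plotted from a spend, and ROSI. The $100,000 spend and the 100%/1% points are the column's own figures; the 5%-of-$1,000,000 risk estimate in the usage section is constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class RiskEstimate:
    """One risk being addressed: how likely it is over the period and what it costs if it happens."""
    probability: float  # likelihood of the loss event over the period (0.0 to 1.0)
    impact: float       # dollar loss if the event occurs

    @property
    def expected_loss(self) -> float:
        # Risk is the product of probability and impact, as the column states.
        return self.probability * self.impact


def control_horizon(spend: float, probabilities: Iterable[float]) -> List[Tuple[float, float]]:
    """Points (probability, impact) at which probability * impact equals the spend.

    Each point is the loss magnitude at which that spend exactly breaks even; the
    set of points is the column's "Control Horizon" on the risk matrix.
    """
    if spend <= 0:
        raise ValueError("spend must be positive")
    return [(p, spend / p) for p in probabilities if 0 < p <= 1]


def rosi(spend: float, risk_reduced: float) -> float:
    """Return on Security Investment as a fraction: (risk reduced - spend) / spend."""
    if spend <= 0:
        raise ValueError("spend must be positive")
    return (risk_reduced - spend) / spend


def is_underwater(spend: float, addressed: Iterable[RiskEstimate]) -> bool:
    """True when the total expected loss being addressed is below the spend, i.e. the
    risk sits under the Control Horizon and the spend cannot break even."""
    total = sum(r.expected_loss for r in addressed)
    return total < spend


if __name__ == "__main__":
    # The column's figures: a $100,000 spend and its horizon at 100% and 1% likelihood.
    for p, impact in control_horizon(100_000, [1.0, 0.10, 0.01]):
        print(f"{p:>5.0%} likelihood -> break-even impact ${impact:,.0f}")
    # $1 spent to reduce risk by $2 gives 100% ROSI.
    print(f"ROSI: {rosi(1, 2):.0%}")
    # Constructed estimate: a 5% chance of a $1,000,000 loss against the same $100,000 spend.
    print("underwater:", is_underwater(100_000, [RiskEstimate(0.05, 1_000_000)]))
```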

As you make ongoing daily decisions to allocate resources for your security program, remember that all of those decisions provide insight into your notion of your minimum valuation of risk that's being addressed. Of course, nobody wants to break even when it comes to spending on risk reduction -- that's not really the point. My next column will take a whack at measuring risk so that you can see it through ROSI-colored glasses.

Peter Lindstrom is principal and vice president of research for Spire Security. He has held similar positions at Burton Group and Hurwitz Group. Lindstrom has also worked as a security architect for Wyeth Pharmaceuticals, and as an IT auditor for Coopers and Lybrand and GMAC Mortgage. Contact him via email at PeteLind@spiresecurity.com, on Twitter @SpireSec or on his website, www.spiresecurity.com.

This was first published in November 2013
