Risk Analysis Versus ROI: Communicating the Value of Security Without Hidden Asterisks
When things go wrong with computer systems and networks, whether due to ordinary mishaps or malicious actors, the organizations that rely on those systems and networks are put at risk. They may suffer direct financial losses, reputational damage or both, with effects ranging from inconvenience to total loss and liquidation of the enterprise.
Understanding these hazards and their consequences is what risk analysis is all about. It may seem obvious, but too many organizations — and even security professionals — have lost sight of the importance of risk management. They are often so focused on efforts to describe security expenditures in terms of return on investment (ROI) that they fail to adequately account for risks. Security ROI computations tend to be meaningless without the proper context of a risk analysis.
The Challenges of Risk Analysis
In most cases, according to Errata Security, organizations “don’t have a sophisticated enough risk matrix in order to plug in some ROI numbers to reduce cost/risk.” Instead, the risk assessment numbers on which an ROI computation is supposedly based are often generated by outside vendors or security engineers with little basis in reality.
This challenge is particularly great because security risks are moving targets driven by malicious actors. In industries such as energy and utilities, risk analysis is relatively straightforward because the threats come almost entirely from accidental mishaps. These risks can be assessed and computed based on engineering experience.
In contrast, security risks depend on technological considerations, such as potential points of vulnerability, as well as the “whims and fads of the hacker community,” according to Errata Security. Because the technology is rapidly evolving and the ecosystem is deeply layered, risk assessment needs to consider not only vulnerabilities that exist now, but also new ones that may develop in the future.
The Architecture of Security
For these interrelated reasons, trying to encapsulate security spending needs in terms of ROI is an artificial exercise. The presentation may sound crisp and businesslike, but it is so full of hidden asterisks that it is essentially meaningless.
So what should guide security professionals and business leaders to help them determine the right level of spending on cybersecurity? Errata recommended thinking about security engineering as analogous to architecture — not computer architecture, but the concrete and steel kind. When designers plan a building, they know they will need to provide a certain number of bathrooms to accommodate the building’s users, a calculation that requires no ROI computation.
Security is not an obscure mystery. We know the basic things we need to do to protect our systems and networks against cyberthreats, and we know how to mitigate the effects of damaging attacks. We need to take action, not seek assurance from fanciful ROI computations.