Security ROI: Fact or Fiction?
Bruce Schneier says ROI is a big deal in business, but it's a misnomer in security. Make sure your financial calculations are based on good data and sound methodologies.
I agree fully with the article. However, there are issues on the "technology side" of security when calculating ALE. As stated, part of this ALE calculation is the _probability_ of the event occurring.
Unless you have historical data to reinforce your probability calculations (such as crime stats in your example), determining probabilities is nearly impossible. Nor are there resources to provide probabilities based on your industry. (Different industries face different threats and different probabilities of threats.) Therefore, if "probability" is a significant variable of the ALE calculation and if the probabilities determined are shaky at best, then your ALE calculations will _also_ have integrity issues which will lend themselves to scrutiny (and possible loss of credibility for yourself).
I believe information on determining or obtaining "Probabilities" is severely lacking for *SO's. Therefore, ALE can't be adequately calculated for most of us as a result of this.
While I agree that estimating losses from security breaches of information systems is extremely difficult (if not nearly impossible) and that vendor ROI models are "cooked" to favor the vendor's solution, I disagree that "security can't produce ROI." I admit that my position may appear to be semantic quibbling; but isn't a prevented loss a return and isn't an expense which reduces loss an investment?
What really disappoints me about this article is that it highlights a problem and offers no advice for dealing with the problem. Even worse, it seems to take the position that the problem has no solution. That strikes me as immensely unprofessional.
The ALE methodology is a tool in the toolkit of the science of management; it is a decision-making aid for situations of relative certainty. In situations of relative uncertainty (which is where Information Security usually finds itself today), different decision-making aids exist (googling “decision making under uncertainty” is a good starting point). Decision making in uncertain situations is part of the art of management ("art of leadership" is probably the more accurate term) which falls more into the CEO’s realm. (The science of management is the realm of the COO, CFO, and even the CIO.) While this presents challenges for the CISO in most organizational structures, these challenges should not be insurmountable.
I have two pieces of advice for CISOs: 1) find and learn how to use tools suited for decision making under uncertainty, and 2) make sure that the management team has no doubt that the focus is on the benefit of the enterprise (not on building an INFOSEC empire).
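To make the probability point from the comments concrete, here is an added Python example (not from the article or from any of the commenters) that carries a range of annual rate of occurrence (ARO) values through ALE = SLE × ARO and checks whether a control purchase decision survives that range. The SLE, the ARO bounds, and the control's cost and effectiveness are constructed figures for illustration only.

```python
"""Carrying ARO uncertainty through ALE = SLE * ARO.

Constructed example: when the annual rate of occurrence is only known
as an interval, the ALE and any buy/don't-buy decision built on it
inherit that interval. All figures below are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float       # single loss expectancy: dollars lost per incident
    aro_low: float   # lowest defensible annual rate of occurrence
    aro_high: float  # highest defensible annual rate of occurrence


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # dollars per year to run the control
    effectiveness: float  # fraction of expected loss the control avoids, 0..1


def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy for a single point estimate of ARO."""
    return sle * aro


def ale_range(s: Scenario) -> tuple[float, float]:
    """ALE evaluated at both ends of the ARO interval."""
    return ale(s.sle, s.aro_low), ale(s.sle, s.aro_high)


def net_benefit(s: Scenario, c: Control, aro: float) -> float:
    """Avoided annual loss minus control cost for one assumed ARO."""
    return ale(s.sle, aro) * c.effectiveness - c.annual_cost


def break_even_aro(s: Scenario, c: Control) -> float:
    """ARO at which the control exactly pays for itself."""
    return c.annual_cost / (s.sle * c.effectiveness)


def decision_is_stable(s: Scenario, c: Control) -> bool:
    """True if the buy/don't-buy answer is the same across the whole ARO interval.

    Equivalently, the break-even ARO lies outside the interval.
    """
    return not (s.aro_low < break_even_aro(s, c) < s.aro_high)


def report(s: Scenario, c: Control) -> str:
    """Human-readable summary of the ALE interval and the decision's stability."""
    lo, hi = ale_range(s)
    verdict = "decision is stable" if decision_is_stable(s, c) else "decision flips inside the interval"
    return "\n".join([
        f"{s.name}: ALE between ${lo:,.0f} and ${hi:,.0f}",
        f"  {c.name}: net benefit ${net_benefit(s, c, s.aro_low):,.0f} (low ARO)"
        f" to ${net_benefit(s, c, s.aro_high):,.0f} (high ARO)",
        f"  break-even ARO = {break_even_aro(s, c):.3f}/yr; {verdict}",
    ])


# Constructed scenarios: same SLE and same control, different confidence in ARO.
WIDE = Scenario("ARO known only to within 10x", sle=250_000, aro_low=0.05, aro_high=0.5)
NARROW = Scenario("ARO from several years of incident data", sle=250_000, aro_low=0.3, aro_high=0.5)
CONTROL = Control("monitoring service", annual_cost=40_000, effectiveness=0.8)

if __name__ == "__main__":
    print(report(WIDE, CONTROL))
    print(report(NARROW, CONTROL))
```

With the wide interval the same control shows a net loss of $30,000 at the low end and a net gain of $60,000 at the high end, so the ALE number alone cannot justify the spend; with the narrow interval the answer is the same at both ends. Reporting the break-even ARO alongside the estimate tells management exactly how good the probability data has to be before the calculation becomes decision-grade.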