
Return on Security Investment (ROSI)


Return on Security Investment (ROSI)


Presentation Transcript


  1. Return on Security Investment(ROSI) Calculated or Postulated, is it Really Required?

  2. WHY? HOW TO PLAN. HOW TO CALCULATE. EXTENDED ROSI. ROSI

  3. WHY? HOW TO PLAN. HOW TO CALCULATE. EXTENDED ROSI. ROSI

  4. Why ROSI? Ernst & Young

  5. Why ROSI? Ernst & Young

  6. Why ROSI? Ernst & Young

  7. Why ROSI? Ernst & Young

  8. Why ROSI? Ernst & Young

  9. Why ROSI? Ernst & Young

  10. Why ROSI? Ernst & Young

  11. Why ROSI? Fear, Uncertainty and Doubt Ernst & Young

  12. WHY? HOW TO PLAN. HOW TO CALCULATE. EXTENDED ROSI. ROSI

  13. How to plan? ICCT Corp

  14. How to plan? ICCT Corp

  15. How to plan? ICCT Corp

  16. How to plan? ICCT Corp

  17. How to plan? ICCT Corp

  18. How to plan? ICCT Corp

  19. How to plan? ICCT Corp

  20. How to plan? ICCT Corp

  21. How to plan? ICCT Corp

  22. How to plan? ICCT Corp

  23. How to plan? ICCT Corp

  24. How to plan? ICCT Corp

  25. How to plan? ICCT Corp

  26. WHY? HOW TO PLAN. HOW TO CALCULATE. EXTENDED ROSI. ROSI

  27. How to Calculate ROSI
      Rethink Your Assumptions: Coming up with some kind of ROSI proposition will be tricky. Realize that your goal is to come up with a reasonably accurate estimate, not a precise value. For example, you won't be able to say "This will save us $362,422," but you might be able to say with reasonable accuracy that the investment has a 2 to 1 return.
      Do the Legwork: Risk mitigation has been called educated guesswork. The more educated you are, the more accurate your guesses will be. Gather any data you can on the costs of security breaches and security-related system breakdowns, both internally and through industry aggregate data. (CSO magazine)

  28. How to Calculate ROSI
      Do the Math: Analyze all your data. Based on available data, what will be the impact of a specific technology or action upon the risk of a security breach occurring? In other words, how will the investment modify the Annual Loss Expectancy? The final calculation looks like this. So the ALE of a security breach that costs $1 million and has a 40 percent chance of happening is:
          Incident cost X Probability of incident = ALE
          $1,000,000 X 0.4 = $400,000
      MODIFIED ALE: mALE is the same equation, but with the probability affected by mitigation measures you take. Imagine the above scenario were a virus attack. You introduce antivirus software that cuts in half the probability of a successful attack, to 20 percent.
          Probability X Mitigation = Modified probability
          0.4 X 0.5 = 0.2
          Incident cost X Modified probability = mALE
          $1,000,000 X 0.2 = $200,000
      (CSO magazine)

  29. How to Calculate ROSI
          ALE - mALE = Savings
          $400,000 - $200,000 = $200,000
      Now, to get a basic return, you simply subtract the cost to implement each mitigation measure from your savings on your mALE by implementing the mitigation.
          Savings - Mitigation cost = ROSI
          $200,000 - $120,000 = $80,000
      (CSO magazine)
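The ALE, mALE, savings and ROSI steps from slides 28 and 29, carried through in code. This is an added example, not material from the deck or from CSO magazine. The figures are the deck's own ($1,000,000 incident, 40 percent annual probability, antivirus halving the probability, $120,000 mitigation cost); the `Scenario` type, the function names and the `return_ratio` helper (which expresses the "2 to 1 return" idea from slide 27 as savings per dollar of mitigation spend) are this example's assumptions, not notation the deck uses.

```python
"""Worked ROSI calculation: ALE -> mALE -> savings -> ROSI.

Added example, not part of the original deck. Input figures are the
deck's; the Scenario type and helper names are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    incident_cost: float      # loss if the incident happens once
    probability: float        # annual probability of the incident (0..1)
    mitigation_factor: float  # multiplier on probability after the control (0.5 = halved)
    mitigation_cost: float    # annual cost of the control


def ale(incident_cost: float, probability: float) -> float:
    """Annual Loss Expectancy: incident cost X probability of incident."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return incident_cost * probability


def modified_probability(probability: float, mitigation_factor: float) -> float:
    """Probability X mitigation = modified probability."""
    if not 0.0 <= mitigation_factor <= 1.0:
        raise ValueError("mitigation factor must be between 0 (risk removed) and 1 (no effect)")
    return probability * mitigation_factor


def male(s: Scenario) -> float:
    """Modified ALE: the ALE equation with the mitigated probability."""
    return ale(s.incident_cost, modified_probability(s.probability, s.mitigation_factor))


def savings(s: Scenario) -> float:
    """ALE - mALE = savings."""
    return ale(s.incident_cost, s.probability) - male(s)


def rosi(s: Scenario) -> float:
    """Savings - mitigation cost = ROSI, as a net currency amount (the deck's form).

    A negative result means the control costs more per year than the
    loss expectancy it removes.
    """
    return savings(s) - s.mitigation_cost


def return_ratio(s: Scenario) -> float:
    """Savings per dollar of mitigation spend (added helper; a '2 to 1 return' is 2.0)."""
    if s.mitigation_cost <= 0:
        raise ValueError("mitigation cost must be positive")
    return savings(s) / s.mitigation_cost


# Constructed from the deck's figures: $1M virus incident, 40% annual probability,
# antivirus halves the probability, the control costs $120,000 per year.
VIRUS_SCENARIO = Scenario(incident_cost=1_000_000, probability=0.4,
                          mitigation_factor=0.5, mitigation_cost=120_000)

if __name__ == "__main__":
    s = VIRUS_SCENARIO
    print(f"ALE     = ${ale(s.incident_cost, s.probability):,.0f}")
    print(f"mALE    = ${male(s):,.0f}")
    print(f"Savings = ${savings(s):,.0f}")
    print(f"ROSI    = ${rosi(s):,.0f}")
    print(f"Return  = {return_ratio(s):.2f} : 1")
```

The inputs are estimates, as slide 27 stresses, so the useful output is the sign of `rosi()` and the rough size of `return_ratio()`, not the exact dollar figure; re-running the same functions with a range of probabilities and mitigation factors shows how sensitive the conclusion is to those guesses.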

  30. WHY? HOW TO PLAN. HOW TO CALCULATE. EXTENDED ROSI. ROSI

  31. Extended ROSI: Metrics. The most appropriate metrics are a function of both the business process under analysis and one or more specific business objectives. Quantifying the answers to these questions is the key to unlocking the financial returns made possible through Security-enabled applications. (PKI Forum)

  32. Extended ROSI PKI Forum

  33. Extended ROSI PKI Forum

  34. Extended ROSI PKI Forum

  35. Extended ROSI. Quantifiable financial returns made possible by Security-enabled applications tend to fall into one of the following four high-level categories: Revenues, Costs, Compliance, and Risks. (PKI Forum)

  36. Extended ROSI: Revenues. Business processes that generate new or increased revenue streams create perhaps the most compelling justifications for investments in enabling infrastructure such as PKI. Because revenue enhancements are generally more strategic than tactical in nature, however, they can also be somewhat more difficult to quantify. (PKI Forum)

  37. Extended ROSI: Costs. Reductions in cost are perhaps the most reliable drivers of financial returns for security-enabled applications; that is, although cost reductions are generally more tactical than strategic in nature, they are also generally the easiest returns to quantify (hence their popularity). Cost-based financial returns are typically expressed as some combination of the following:
      • Cost Savings: e.g., the new or improved business process is less expensive; we can spend fewer dollars than we did before.
      • Cost Avoidance: e.g., the new or improved business process scales to higher levels; we can avoid spending as many additional dollars in support of new capabilities or expanded scale.
      • Efficiency: e.g., the new or improved business process saves time; we can increase the velocity at which we conduct e-business.
      • Effectiveness: e.g., the new or improved business process increases productivity; we can do more or different things with the resources we already have.
      (PKI Forum)

  38. Extended ROSI: Costs (cont.). An area ripe for harvesting cost-based financial returns has to do with the cost of processing paper forms, documents and business records. This is most relevant in document-intensive industries such as financial services, insurance, and healthcare, where enormous financial returns are possible from cost reductions in the "Four Ps" of paper, printing, postage, and processing. (PKI Forum)

  39. Extended ROSI: Compliance. By compliance, we mean some business process that we are required to implement, or some e-security requirement that we are obligated to meet. As it relates to e-security infrastructure, compliance-based arguments tend to come from one of the following four categories:
      • Regulatory compliance: where failure to implement could mean fines, loss of revenues, jail terms, etc., e.g.
      • Partner compliance: where failure to implement could mean losing our ability to participate with a key partner or group of partners, e.g., a segment of the financial industry moving to the Identrus model for cross-certification.
      • Customer compliance: where failure to implement could mean the loss of a business relationship with a key account, e.g., "all Y suppliers who wish to have their contracts renewed must implement technology X by a certain date".
      • Competitive compliance: where failure to implement could mean the loss of competitive advantage and likely revenue loss.
      (PKI Forum)

  40. Extended ROSI: Risks. Until only recently, risk-based arguments were probably the most frequently used approach to justify investments in e-security infrastructure. Selling security through fear can be reasonably effective, up to a point, but it also tends to marginalize e-security as an operating expense, subject to being trimmed at the first round of budget cuts. Risk is an inescapable fact of e-business, and there are only four things we can do about it: accept it; ignore it (which is the same as accepting it); assign it to someone else; or mitigate it. Investments in e-security infrastructure that are made with prevention in mind are usually not highly visible (unless there's a problem), which tends to make risk-based justifications the least glamorous of the four categories in our model. (PKI Forum)

  41. Extended ROSI: Financial Returns, Summary. The most important points for developing meaningful financial returns for Security-enabled applications are to focus on the business process, establish appropriate metrics, and look for all relevant returns in the following high-level categories: Revenues, Costs, Compliance, and Risks. (PKI Forum)

  42. THANK YOU !
