Monday, July 16, 2007

Security ROI Pile-Up!

So, another day, another security ROI fight. Let's first review what was said so far.

Richard said: "Digital security is not a line of business. No one practices security to make money. Security is not a productive endeavor; security risk is essentially a tax instantiated by the evil capabilities and intentions of threats. Because security is not a line of business, the performance incentives are not the same as a line of business. Security has no ROI; proper business initiatives do. Only security vendors make money from security." (in the past, he also said this: "There is no ROSI (return on security investment). There is simply cost avoidance. Due care is a concept I am more likely to embrace.") And also: "It's important to remember that there is no return on security investment. Security is a cost center that exists to prevent or reduce loss. It is not financially correct to believe you are "earning" a "return" by spending time and money to avoid a loss."

Ken countered: "My friend in the financial risk department read Richard’s statement that “Security does not have an ROI” and he laughed. He commented, “Just let some hackers change some numbers in a banks financial system and you’ll see that security has ROI.” That’s a finance guy talking, not an InfoSec guy."

David countered the above with: "It happens that I do agree that security can have an ROI, but the scenario given is not an example of that. It's an example of loss prevention and, to a certain extent, business enablement (to enable the bank to survive, which it really wouldn't if any Joe could log in and change account balances at will)."

Seeing all this stuff, Richard closed with: "The problem the "return on security investment" (ROSI) crowd has is they equate savings with return. The key principle to understand is that wealth preservation (saving) is not the same as wealth creation (return)."

However, before jumping in the fray, I figured I'd accost the economics talent I have available right in the comfort of my home :-) In the past, most of my stories of what some security folks think about computing ROI caused her to go into fits of unrestrained laughter...

First, unlike Wikipedia in the past, Britannica doesn't even have an entry for "return on investment" (and now, neither does Wikipedia - the links point to an entry about "rate of return". Along the same lines, "Principles of Corporate Finance" by Richard A Brealey, Stewart C Myers only mentions "book ROI" (in Chapter 12) as a very specific, narrowly-used term, which has little to do with this discussion. Rate of return, however, is mentioned as a performance measure of a business.

So, let's see whether you can compute (and thus "have") a rate of return on buying a security product. Sorry, the economics answer will be a solid "no." And, in fact, Richard's explanation fully passes the "test by an economics Ph.D." - indeed, security products save money, not earn money (obvious exception: security vendors) and thus there is no "return." The phrase "return in the form of savings," that I saw on some blog, caused my "in-house economist" to utter a completely unprintable word and then follow up with: "what an idiot! it is either return or savings!"

To take this further, when use of a security product is mandated by a law, all these "return rants" should stop: in this case, it becomes "sunk cost" (like license to do business, patents, etc which are never featured in return calculations).

Moreover, one cannot compute a "rate of return" on something that will not be making money on its own. For example, a stock or bond sitting in your safe has a "rate of return," while your "investment" in a chair that enables you to work on your computer does not, even though it enables you to work.

Thus, here goes the SiteKey example? Any "rate of return" calculations here? Sorry, still "no". The reason is that providing security tokens for site access is not making money on it own, but only when combined with bank's core business i.e. banking. Imagine this bank will stop banking services and will just try to "sell SiteKey to access its web site," can they earn a return then? If "no", then the answer to the original question is still "no." "Enablement" is still not earning, at least, not in the economics/finance.

At the same time, I think this debate will be resolved thus: there is rate of return (definition from economics) and there is "ROI/rate of return" (hijacked definition that developed its own life and started to mean simply "usefulness" or "value proposition") There is "ROI" of security and there is no ROI of security...

Related posts:


    Gustavo Araujo Bittencourt said...

    Great post. I would like to point that calculate the savings in a security project is difficult and often very inaccurate.

    Nick Owen said...

    This is a great post. It is much clearer than my first blog post was called "Why ROI is a crappy measure for Information Security". Although it was really about why ROI is a bad measure in general.

    One way to effectively separate out different security investments possibilities and to create scenarios from them. I did a simple comparison of a vpn with and without two-factor authentication. The savings comes from the overall project, then I subtract and AALE from the savings. You could do different scenarios to see which security investment was optimal.

    Estimating AALE might be problematic, but the exercise would still be beneficial.

    Keep up the fight :)

    Richard Bejtlich said...

    Anton, thanks a lot for this post!

    Unknown said...

    So, there is no ROI on security. But there is something that feels a lot like "ROI" because you're avoiding losses in the future, which looks kinda like a + and not a -, so that must be some sort of return?

    Glass half full or half empty?

    Thanks for the post, I agree with the things you said above, in a few cases, almost word for word in my non-PhD-ness. :)

    (And then I glance down at the captcha below, type two letters, stare at it a moment, and realize I can't make bloody sense out of what letters are there! I fail!)

    Anonymous said...

    Dr. Lawrence Gordon said the matter is more complicated and the InfoSec ROI is possible although there are problems with it.


    JRHelgeson said...

    The problem with using ROI metrics with security is that security management is all about spending good money to have nothing happen.

    Anton Chuvakin said...

    >spending good money to have nothing

    Well, honestly, in the ROI mess this is the least of people's worries.

    "Paying for nothing" applies to insurance and many other situations.

    Anonymous said...

    I believe the mistake being made here is to confuse the model with the title. The name "Return on Investment" may confuse some people into thinking that the model predicts a return on investment.

    It does not. It generates a result that can be used in comparison to other results calculated in the same way. The value of this is that it helps the people who understand the model (finance people, mostly) choose between competing projects for the same resources.

    Another way of thinking about it is that "investment" is simply a negative number for a security NPV calculation. NPV doesn't care what the accountants do later on the balance sheet, nor what the shareholders do when the company tanks.

    BTW, finance textbooks like Brearley & Myers probably talk about NPV not ROI because NPV is capable of working with time. It's just a bit more maths, it doesn't change the overall discussion. Real finance people don't do ROI.

    Dr Anton Chuvakin