Monday, July 16, 2007

Security ROI Pile-Up!

So, another day, another security ROI fight. Let's first review what was said so far.

Richard said: "Digital security is not a line of business. No one practices security to make money. Security is not a productive endeavor; security risk is essentially a tax instantiated by the evil capabilities and intentions of threats. Because security is not a line of business, the performance incentives are not the same as a line of business. Security has no ROI; proper business initiatives do. Only security vendors make money from security." (in the past, he also said this: "There is no ROSI (return on security investment). There is simply cost avoidance. Due care is a concept I am more likely to embrace.") And also: "It's important to remember that there is no return on security investment. Security is a cost center that exists to prevent or reduce loss. It is not financially correct to believe you are "earning" a "return" by spending time and money to avoid a loss."

Ken countered: "My friend in the financial risk department read Richard’s statement that “Security does not have an ROI” and he laughed. He commented, “Just let some hackers change some numbers in a bank's financial system and you’ll see that security has ROI.” That’s a finance guy talking, not an InfoSec guy."

David countered the above with: "It happens that I do agree that security can have an ROI, but the scenario given is not an example of that. It's an example of loss prevention and, to a certain extent, business enablement (to enable the bank to survive, which it really wouldn't if any Joe could log in and change account balances at will)."

Seeing all this stuff, Richard closed with: "The problem the "return on security investment" (ROSI) crowd has is they equate savings with return. The key principle to understand is that wealth preservation (saving) is not the same as wealth creation (return)."

However, before jumping into the fray, I figured I'd accost the economics talent I have available right in the comfort of my home :-) In the past, most of my stories of what some security folks think about computing ROI caused her to go into fits of unrestrained laughter...

First, unlike Wikipedia in the past, Britannica doesn't even have an entry for "return on investment" (and now, neither does Wikipedia - the links point to an entry about "rate of return"). Along the same lines, "Principles of Corporate Finance" by Richard A. Brealey and Stewart C. Myers only mentions "book ROI" (in Chapter 12) as a very specific, narrowly-used term, which has little to do with this discussion. Rate of return, however, is mentioned as a performance measure of a business.

So, let's see whether you can compute (and thus "have") a rate of return on buying a security product. Sorry, the economics answer will be a solid "no." And, in fact, Richard's explanation fully passes the "test by an economics Ph.D." - indeed, security products save money, not earn money (obvious exception: security vendors) and thus there is no "return." The phrase "return in the form of savings," that I saw on some blog, caused my "in-house economist" to utter a completely unprintable word and then follow up with: "what an idiot! it is either return or savings!"

To take this further, when use of a security product is mandated by a law, all these "return rants" should stop: in this case, it becomes a "sunk cost" (like a license to do business, patents, etc., which are never featured in return calculations).

Moreover, one cannot compute a "rate of return" on something that will not be making money on its own. For example, a stock or bond sitting in your safe has a "rate of return," while your "investment" in a chair that enables you to work on your computer does not, even though it enables you to work.

Thus, what about the SiteKey example? Any "rate of return" calculations here? Sorry, still "no". The reason is that providing security tokens for site access is not making money on its own, but only when combined with the bank's core business, i.e. banking. Imagine this bank stops offering banking services and just tries to "sell SiteKey to access its web site": can they earn a return then? If "no", then the answer to the original question is still "no." "Enablement" is still not earning, at least not in economics/finance.

At the same time, I think this debate will be resolved thus: there is rate of return (definition from economics) and there is "ROI/rate of return" (hijacked definition that developed its own life and started to mean simply "usefulness" or "value proposition"). There is "ROI" of security and there is no ROI of security...

Dr Anton Chuvakin