
ROI, NPV and a few other words about predicting the financial performance of information security projects

Over the course of many years in the information security profession, I have heard claims that the return on investment associated with security projects cannot be calculated. Most often the perspective is that security is a cost center and should be treated as such. I do not have that opinion. The following discussion summarizes Redspin’s work with one of its healthcare customers to calculate return on investment (ROI) and Net Present Value (NPV) in order to justify and manage an information security assessment project. This methodology has been applied with many of our customers in industry segments such as retail, media/entertainment, financial services and technology.
The approach we take is based on protecting data; after all, that is a primary goal of information security. Because of this fundamental approach we can use the same methodology for a wide range of projects, including internal assessments and web application security assessments. The methodology to calculate ROI and NPV consists of determining the reduced liability associated with identifying and fixing information security issues (thus providing the return side of the equation) and estimating the project costs (supplying the investment side).
In the scenario with our healthcare customer we began with a few questions regarding the characteristics of their security project. How many data records existed within the scope of the assessment project? In this case the assessment spanned two data centers containing a number of databases as well as data records stored in file systems and Microsoft SharePoint. Is the customer subject to regulatory requirements? In this case, yes: the customer was obligated to comply with HIPAA, the HITECH Act, PCI and Sarbanes-Oxley. Next, we asked whether a breach, if one occurred, would be high profile (in terms of media and industry visibility) or low profile. Our customer believed a potential breach would be high profile.
The project investment consisted of Redspin costs and customer costs. The Redspin costs included the price of the assessment combined with travel and expense costs. The customer costs were broken down into security and IT staff time to manage the project and staff time to fix the identified issues. These cost estimates were then summed to determine project investment.
The project return is associated with reducing the liability due to a security breach. Our methodology relies on customer surveys performed by Forrester Research to estimate and categorize the cost of a breach per data record. The categories are service availability opportunity cost (customer churn and difficulty in acquiring new customers due to breach), lost employee productivity (employees diverted from primary tasks), regulatory fines (fines imposed by the HITECH Act, FTC, SOX, PCI, etc.), incident response (discovery, notification and response) and increased audit requirements (the security and audit requirements levied as a result of a breach). The cost per record ranges from $10 to $60.
For our customer example we estimated that liability across the five major categories would be reduced in the first year by a total of $3,321,000. The total project investment included a $25,000 Redspin assessment and 18 man-weeks of customer staff time, for a total investment of $83,000. The project ROI was then calculated as 40.01 (the $3,321,000 return divided by the $83,000 investment). The same data was also used to calculate NPV (the present value in today’s dollars of the cash flows associated with the project) as $2,573,374.
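The methodology above, worked through in code as an added example (this is not Redspin’s tool or spreadsheet). The five breach-cost categories are the article’s; the per-record dollar values, record count, travel cost, staff rate and discount rate are constructed assumptions, and ROI is computed as return divided by investment, which reproduces the article’s 40.01 from its own figures. The article does not state the discount rate or cash-flow schedule behind its NPV, so that figure is not reproduced here.

```python
# Breach-cost categories named in the article. The per-record dollar
# values are constructed sample inputs, not Forrester survey figures.
COST_PER_RECORD = {
    "service_availability_opportunity_cost": 12.0,
    "lost_employee_productivity": 8.0,
    "regulatory_fines": 15.0,
    "incident_response": 10.0,
    "increased_audit_requirements": 5.0,
}


def breach_liability(records, cost_per_record=COST_PER_RECORD, reduction=1.0):
    """Liability avoided per category: records x per-record cost, scaled by
    the fraction of liability the assessment is expected to remove."""
    return {cat: records * cost * reduction for cat, cost in cost_per_record.items()}


def project_investment(assessment_fee, travel, staff_weeks, weekly_staff_cost):
    """Investment side: vendor fee + travel/expenses + customer staff time
    (project management plus remediation), all in dollars."""
    return assessment_fee + travel + staff_weeks * weekly_staff_cost


def roi(total_return, investment):
    """ROI as return divided by investment (matches the article's 40.01)."""
    return total_return / investment


def npv(rate, cash_flows):
    """NPV with cash_flows[0] at time zero (the investment) and
    cash_flows[t] received at the end of year t."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def example():
    """Constructed scenario: 50,000 records, 80% liability reduction,
    $25,000 assessment fee (from the article), assumed travel, staff
    rate and a 10% discount rate over a one-year horizon."""
    liability = breach_liability(records=50_000, reduction=0.8)
    year_one_return = sum(liability.values())
    investment = project_investment(25_000, 3_000, 18, 3_000)
    return {
        "return": year_one_return,
        "investment": investment,
        "roi": roi(year_one_return, investment),
        "npv": npv(0.10, [-investment, year_one_return]),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value:,.2f}")
```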
We have found this methodology to work well across a range of information security projects. It works most effectively when we are working closely with the customer and the customer team includes security, IT and business unit representation.