Return On Investment (ROI) Risk Assessment Relationship

The relationship between the Risk Assessment and the Return On Investment for good security is very important to management because it creates a business case for further investment and “appropriate investment” in the IT security program. Return On Investment is the ratio that tells you how much you get back for a given amount invested.

IT security directors should also be interested in Return On Investment because it has the side benefit of cost justifying the security budget and making sure you get the controls you need to support your infrastructure.

Cost justification based on the results of the risk assessment is a requirement for financial institutions and the healthcare industry — especially with the FFIEC and the DHS’ HIPAA requirement.   For example, for banks, the FFIEC Examiner’s Handbook for IT Security says, “A risk assessment provides a foundation for the remainder of the security process by guiding the selection and implementation of security controls and the timing and nature of testing those controls.”  

The selection of the appropriate security controls for an organization is based on several factors:

1.  The percent of the control that is currently in place.

2.  The cost of increasing the implementation of the control to 100%.

3.  The cost of maintaining and auditing the control over time.

Again, the idea of the Return on Investment is that the most needed controls are funded by the organization first, so that money is not applied to less critical areas while the very sensitive areas, like protection of customer information, are left exposed. The main components of calculating a Return On Investment are the value of the assets, and that includes not only the replacement value, but also the sensitivity and confidentiality of the information — especially the potential loss to the asset from an incident. For example, the reputation cost of a high profile identity theft could be devastating to a bank or credit union.

To estimate asset value, the confidentiality, integrity and availability (CIA) are values that have to be included in the risk assessment because the loss of any of these can cause a devastating loss to an organization. Adding identity theft to the already long list of other threats (which also have to be factored into the ROI equation) has been addressed by the FDIC and NCUA with the new Red Flag (FACT) CFR (Federal Registry).

Take a look at the controls your organization is planning to add to your IT infrastructure and see if they pass the ROI test. 
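As an added example, not code from the article or from RiskWatch, the three selection factors above and the asset-value components can be combined into a simple ranking of candidate controls. The ROI formula, the "effectiveness" input and the sample assets are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    replacement_value: float   # cost to rebuild or replace the asset
    information_value: float   # sensitivity/confidentiality of the data it holds
    incidents_per_year: float  # expected loss events per year with no control (constructed)

@dataclass
class Control:
    name: str
    asset: Asset
    pct_in_place: float        # factor 1: fraction already implemented, 0.0 .. 1.0
    cost_to_complete: float    # factor 2: one-time cost to bring the control to 100%
    annual_maintenance: float  # factor 3: yearly cost of operating and auditing it
    effectiveness: float       # share of expected loss prevented at 100% (assumed input)

def annual_loss_exposure(asset: Asset) -> float:
    """Expected yearly loss: full asset value (incl. sensitivity) times incident frequency."""
    return (asset.replacement_value + asset.information_value) * asset.incidents_per_year

def incremental_benefit(control: Control, years: int) -> float:
    """Loss avoided over the horizon by completing the part of the control not yet in place."""
    remaining = 1.0 - control.pct_in_place
    return annual_loss_exposure(control.asset) * control.effectiveness * remaining * years

def total_investment(control: Control, years: int) -> float:
    """Money spent over the horizon: finishing the control plus maintaining and auditing it."""
    return control.cost_to_complete + control.annual_maintenance * years

def roi(control: Control, years: int = 3) -> float:
    """(loss avoided - money spent) / money spent; negative means it costs more than it saves."""
    spent = total_investment(control, years)
    return (incremental_benefit(control, years) - spent) / spent

def rank_controls(controls: list[Control], years: int = 3) -> list[Control]:
    """Order candidates so the best return is funded first, as the article proposes."""
    return sorted(controls, key=lambda c: roi(c, years), reverse=True)

# Constructed sample data (not from the article): a customer database whose value is
# mostly reputational/regulatory, and a low-value print server.
CUSTOMER_DB = Asset("customer database", 100_000, 900_000, 0.1)
PRINT_SERVER = Asset("print server", 5_000, 1_000, 0.5)
DB_ENCRYPTION = Control("encrypt customer database", CUSTOMER_DB, 0.2, 40_000, 5_000, 0.8)
PRINT_HARDENING = Control("harden print server", PRINT_SERVER, 0.5, 5_000, 1_000, 0.5)

if __name__ == "__main__":
    for c in rank_controls([DB_ENCRYPTION, PRINT_HARDENING]):
        print(f"{c.name:28s} 3-year ROI: {roi(c):+.2f}")  # positive passes the ROI test
```

With these constructed inputs the database encryption control returns roughly 2.5 times its cost over three years, while hardening the print server returns less than it costs, so it would be funded later or not at all.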


Caroline R. Hamilton is the Founder of RiskWatch, Inc., the original top-rated risk assessment software.  Hamilton served on the NIST Model-Builder’s Workshop on Risk Management from 1988-1995 and on the National Security Agency’s Network Rating Workshop.  In addition, she was a member of the U.S. Department of Defense’s Defensive Information Warfare Risk Management Model and has worked on a variety of risk assessment and risk management groups, including the ASIS Information Technology Security Council and the IBM Data Governance Council, created by Steven Adler.  Hamilton also received the Maritime Security Council’s Distinguished Service Award and has written for a variety of books and magazines including the CSI Alert, the Computer Security Journal, the ISSA Newsletter, The HIPAA Compliance Handbook, Defense News, Security & Design, Cargo Security and many other publications.  Based in Annapolis, Maryland, Hamilton is a graduate of the University of California.