I wrote this paper twenty years ago for one of my Information Assurance classes at the University of Dallas. Some years ago the program was rebranded Cybersecurity, sadly, but that’s a topic for another post. I think it holds up. Oh, and after twenty years most of these links were 404s, but I fixed the links with the web archive version. A few were dead and not in the archives so I left them unlinked.
June 30, 2005
Executive Summary
In an increasingly interconnected and online business environment, globalization is a reality within the network of any enterprise connected to the Internet. Ensuring the security of information has become an ever more important, more difficult, and more costly pursuit. Despite that trifecta, security spending continues to lag far behind as a percentage of the overall IT budget. Over three-fourths (76%) of respondents to the 2004 CSI/FBI Computer Crime and Security Survey report spending five percent or less of their IT budgets on security. (See Fig. 1).[1]
Respondents to the survey reported losses of over $141 million; while this is down from the losses reported in the 2003 survey, the drop is likely the result of fewer firms choosing to report incidents to law enforcement.[2] Virus infection and Denial of Service are now the leading sources of loss among respondents. (See Fig. 2).[3] Managers are under increasing pressure to simultaneously limit losses due to security events and justify the costs of their efforts to top management.
Any security effort must be led by the top managers in an enterprise. Anything less starts a chain reaction down the chain of command that results in complacency, which can quickly make conditions right for negligence. Security must also be in harmony with the mission of the enterprise, or it will be in conflict with it. Executives will be unable to lead if they do not understand security; therefore communication from and with security managers is

There are many methods available to justify the costs of information security, with most organizations preferring Return on Investment (ROI), Internal Rate of Return (IRR), and Net Present Value (NPV), in that order.[4] However, the costs are difficult to calculate accurately due to the dearth of data, the irrelevance of historical information, and the unpredictability of the future. As a result, many top managers have been sold security based on fear, uncertainty, and doubt (FUD).[5] Commenting on the unreliability of existing cost data, security expert Bruce Schneier said, “It’s crap data, but it’s the best we have.”[6]
Prolific author and cybercrime expert Donn B. Parker believes information security continues to be an “under-funded folk art”[7] because of endless risk assessments done with the goal of reducing risk. Parker believes this objective should be replaced with due diligence.[8] Security must be acceptable to those in the enterprise who come in contact with it, and it should never “advance . . . beyond the level of acceptance of stakeholders.”[9]
Good security consists primarily of people and processes[10] rather than infrastructure, architecture, hardware, and software. It is also expensive. People must be properly led, motivated, and empowered to implement and practice sound security processes. These processes take the form of policy, controls, and ongoing security awareness. Security is involved, wide-ranging, and far-reaching, but it should not be so complex that the simple best practices are neglected. Every enterprise should establish best practices and standards of due care in order to promote an environment where further, potentially more expensive controls are justifiable.
From the Top Down: Management Support
Security will be difficult to justify, implement, and practice without executive level support; it may even prove utterly worthless. Executives must set the tone for the rest of the enterprise. One example of how an executive’s actions can rub off is with employee identification badges. A CEO without a picture badge means vice-presidents without picture badges, and this behavior soon descends through the rest of the organization.[11] A visible commitment to security is necessary.[12]
To justify the cost of information security as mission-critical, security must be critical to the mission of the enterprise. This means security must be central to the goals established by those at the top. In many organizations, this necessitates an introductory security awareness program for senior managers. For better or worse, some managers may not budget for security awareness if they are unaware themselves. Still other managers may not completely buy in to a robust security infrastructure because they are embarrassed by their own naivety.
A security manager must be able to liaise between departments and between different levels of the enterprise. Communication builds relationships, fosters trust, and expands learning. It begins by asking and flourishes through listening. Basic security awareness might even begin by dispelling the perceptions that security interferes with productivity and that security technologists, while perhaps necessary, make everyone’s job more difficult. By communicating effectively, security managers will better understand the goals of the enterprise, and executives will better understand the necessity of security.
Seeking a Middle Ground: Relevance & Objectivity
Executives are likely going to want solid numbers to justify the high cost of security. Numbers exist, but how solid those numbers are depends wholly on their relevance and objectivity. Numerous models exist to put numbers to the costs. The first of these is the Annual Loss Expectancy (ALE) of risk, which is simply the cost of an incident multiplied by its probability of occurrence.[13] Thus, the formula is expressed as:
Annual Loss Expectancy = Cost x Probability
In a hypothetical example, assume that the cost of lost data is $10,000 and the probability of occurrence is 25%. The ALE for this risk is $2,500.
A second model is Return on Investment (ROI), which can be used to calculate the value of a security (or any) investment with respect to its cost. The formula is expressed as:
Return On Investment = [(Change In Revenue) + (Cost Savings)] / (Investment)[14]
However, as security scientist Bob Blakley says, “No one knows how likely you are to be exposed to a particular kind of security-related loss within a particular time period.”[15] The only known quantity with respect to security in the above formula is the cost of the investment.
Internal Rate of Return (IRR) is a third model. IRR is defined as “the discount rate that results in a net present value of zero for a series of future cash flows.”[16] This basically means that a value is provided by which to make decisions. A positive value means the investment is likely to have a positive result and a negative value, a negative result.[17]
Investments must consider the time value of money and this is why Net Present Value (NPV) is another model used in decision-making. Net Present Value, “accounts for the time value of money by expressing future cash flows in terms of their value today.”[18] This allows the future value of money to be determined in a particular year based on a rate of return. A discount factor is multiplied by the present value to determine the value in the given year. The formula for this discount factor is:
Discount factor = 1/(1+i)^n, where i is the rate of return and n is the number of years
An example of this is if a 10% rate is expected in one year, the discount factor is 1/(1.1), or .909. This means $1.10 a year from now is worth $1 today ($1.10 x .909 = $1).[19] Worstell, Gerdes, and Kabay give a more acceptable view of NPV for information security in their article “The Net Present Value of Information Security.”[20] They state:
The net present value (NPV) of information security is the value that is created when barriers to ebusiness are removed through mechanisms that ensure business integrity, service availability and customer/consumer confidence and privacy.
In their view, “effective information security can serve to increase business and profits, not merely to reduce risk.”[21]
The System Quality Requirements Engineering (SQUARE) Team at Carnegie Mellon University has produced a Cost/Benefit Analysis Framework to provide “acceptable estimations for small companies in their information security improvement projects.”[22] Table 1 in the appendix cites the framework’s terms and concepts, which are used in estimating the cost of risk and the benefits of mitigation.
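As an added worked example (not from the paper or any of its sources), the following Python chains the models discussed above for one hypothetical control: it starts from the paper’s $10,000 loss at 25% probability (ALE $2,500), applies the SQUARE framework’s Residual Risk = Baseline Risk x Bypass Rate from Table 1 with a constructed 20% bypass rate, and then runs the constructed $4,000 investment, 10% discount rate, and three-year horizon through ROI, NPV, and IRR. The bisection IRR solver and the `evaluate_control` helper are my own additions, and the closing sensitivity check illustrates Blakley’s point that the investment cost is the only known quantity.

```python
def annual_loss_expectancy(cost, probability):
    """ALE = cost of one incident x annual probability of occurrence."""
    return cost * probability

def residual_risk(baseline_risk, bypass_rate):
    """SQUARE framework: Residual Risk = Baseline Risk x Bypass Rate.
    Bypass rate 1.0 means the control stops nothing, 0.0 stops everything."""
    return baseline_risk * bypass_rate

def discount_factor(rate, year):
    """Discount factor = 1 / (1 + i)^n."""
    return 1.0 / (1.0 + rate) ** year

def return_on_investment(change_in_revenue, cost_savings, investment):
    """ROI = [(change in revenue) + (cost savings)] / investment."""
    return (change_in_revenue + cost_savings) / investment

def net_present_value(investment, annual_savings, rate, years):
    """Savings in years 1..n discounted to today, minus the up-front investment."""
    present_value = sum(annual_savings * discount_factor(rate, n)
                        for n in range(1, years + 1))
    return present_value - investment

def internal_rate_of_return(investment, annual_savings, years, tol=1e-9):
    """Discount rate at which NPV is zero, found by bisection on [0, 10].
    Returns None when NPV never changes sign (the control never pays back)."""
    lo, hi = 0.0, 10.0
    npv_lo = net_present_value(investment, annual_savings, lo, years)
    if npv_lo * net_present_value(investment, annual_savings, hi, years) > 0:
        return None
    mid = lo
    for _ in range(200):
        mid = (lo + hi) / 2.0
        npv_mid = net_present_value(investment, annual_savings, mid, years)
        if abs(npv_mid) < tol:
            break
        if npv_lo * npv_mid <= 0:   # sign change: the root is in the lower half
            hi = mid
        else:
            lo, npv_lo = mid, npv_mid
    return mid

def evaluate_control(incident_cost, probability, bypass_rate,
                     investment, discount_rate, years):
    """Run one control through every model.  ROI uses undiscounted savings over
    the whole horizon because the paper's ROI formula names no period."""
    baseline_ale = annual_loss_expectancy(incident_cost, probability)
    residual_ale = residual_risk(baseline_ale, bypass_rate)
    annual_savings = baseline_ale - residual_ale
    return {
        "baseline_ale": baseline_ale,
        "residual_ale": residual_ale,
        "annual_savings": annual_savings,
        "roi": return_on_investment(0.0, annual_savings * years, investment),
        "npv": net_present_value(investment, annual_savings, discount_rate, years),
        "irr": internal_rate_of_return(investment, annual_savings, years),
    }

if __name__ == "__main__":
    # The paper's hypothetical: a $10,000 loss at 25% probability, ALE $2,500.
    # Constructed control: 20% bypass rate, $4,000 up front, 10% rate, 3 years.
    for name, value in evaluate_control(10_000, 0.25, 0.20, 4_000, 0.10, 3).items():
        print(f"{name:>15}: {value:,.4f}")
    # Blakley's caveat: only the $4,000 is known.  Halve the guessed probability
    # and the same control no longer pays back within the horizon (IRR is None).
    halved = evaluate_control(10_000, 0.125, 0.20, 4_000, 0.10, 3)
    print("NPV at 12.5% probability:", round(halved["npv"], 2), "IRR:", halved["irr"])
```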
What makes accounting for the costs of security so difficult is the fact that most of the numbers used in the models discussed above are phantoms. Worse, the data that we do have is all in the past and therefore is not relevant. Relevant information is defined as “the predicted future costs and revenues that will differ from among alternative courses of action.”[23] While predicted future data is relevant, it is subject to conditions beyond our control and thereby not as useful as promised in legitimately justifying the cost of security endeavors to management.
Management accountants are likely to be involved in assisting managers in decision-making. Management accountants are bound by a code of conduct called the Standards of Ethical Conduct for Practitioners of Management Accounting and Financial Management. The codes include competence, confidentiality, integrity, and objectivity.[24] The standard of competence requires management accountants to “[p]repare complete and clear reports and recommendations after appropriate analysis of relevant and reliable information.”[25] A management accountant should not prepare a report on the cost of information security that is based on spurious information.
Whither information security? Cost-benefit analyses and risk assessments are worthwhile pursuits, but only if they do not detract from the mission of best practices and standards of due care. Ironically enough, in such a scenario the costs of performing the cost-benefit analysis actually outweigh the benefits of doing so. Donn Parker states that risk assessment, “involves trying to estimate the future misbehavior of unknown people, using unknown methods with unpredictable motives, against unknown targets that may cause unknown losses.”[26] Different threats to the same assets can also have different values[27] and we can never be sure what valuations the bad guys make on our information.[28]
Security managers should be equipped to justify the costs of security based on standards of due care and best practices. Due care, “is achieved when a security control or practice is used, or acknowledged as preferred for use, when it is readily available at a reasonable cost or is in regular use by many organizations that take prudent care to protect their information under similar circumstances.”[29] Best practices controls “are the well-implemented baseline safeguards that meet the due care requirements among representative organizations . . . that are advanced in the protection of their information.”[30]
Security managers must be objective in dealing with top managers because there may be only one chance to get it right for skeptical executives wary of spending more critical resources on something that may be distasteful to them in the first place.[31] Top managers must understand that security is an expensive, necessary cost and not a potentially lucrative investment. In a recent speech to a meeting of the University of Dallas Information Assurance Student and Alumni Association, Donn Parker stated emphatically that security is a cost of doing business and that managers should end the practice of using risk assessments trying to find profit or ROI in security.[32]
Ultimately, all costs can be managed; this is what separates good managers from poor managers. However, before costs can be managed, they must be objectively understood to be what they are – costs. The real threat isn’t merely found in the cost of risk, a potential loss, or even a security control, but rather in the liabilities that will certainly arise if due care is not taken and those involved are found to have been negligent by a court of law.
From the Bottom Up: Building a Sound Foundation
Football coach Andrew Coverdale wrote that, “[p]ass protection is by far the single most important factor influencing the success you can achieve throwing the football.”[33] If protecting the quarterback is mission number one in football strategy, then it makes no sense to view securing the information of business any differently. Security managers should build up from solid foundations rather than trying to hard sell the big, expensive solutions. They should sell the best practices and the consistent application of the security process.
Former U.S. Navy SEAL Richard Marcinko formed a group called Red Cell to test the security of Naval installations.[34] One lesson drawn from their many successful penetrations was that showy front door security is worthless when the back gate is unattended and secured only with a lock and chain that can be removed and replaced with your own.[35] The point is that the bad guys control the threats and they do not play by the rules, they do not fight fair, and they do not abide by standards. Just as a security control should never be implemented if it costs more than the asset it is protecting[36], controls that do not protect the most obvious points of entry are a waste of resources. Security controls do not have to be expensive to be effective. Many simple and inexpensive controls can overlap and be just as effective as fewer, more expensive ones.[37]
Security managers should also sell the value of people. Highly motivated and well-trained people are critical to a security infrastructure. This includes not only the security staff, but also the end users of security throughout the enterprise. Donn Parker believes that security should be included in job performance reviews to motivate every employee to place security within their self-interest.[38] He calls this, “the mother of all security controls.”[39] In addition to the principle of sanction and reward for the individual employee, this control puts security directly within the mission of the entire enterprise, rather than being in conflict with it.
Managers are faced with the task of allocating resources in the presence of the economic realities of scarcity.[40] One way processes can aid people is through a vigorous security awareness program. Enterprises budget great resources to train employees, and that training should extend to ongoing security awareness. It is in the interest of the enterprise and the people working in it to be aware of security risks and controls. Doing due diligence not only means establishing sound policies and controls; it also means making sure the people working within the framework of those policies and controls are aware of them and willing to abide by them rather than fight or attempt to subvert them.
Conclusion
In summation, consistency and communication build awareness and trust, and promote ownership and leadership. There is a long-term value in sound security practices that comes from integrity and reputation and that cannot be measured in the short run with traditional measures of ROI, IRR, or NPV. All risks are ultimately nebulous and are solely at the discretion of the bad guys, circumstances, accidents, human error, etc. Just as guessing is not productive, hard data about events that do not occur is useless.
Security managers must advise executives of the necessity of a proactive security infrastructure not only to justify its cost, but so that top management will embrace the cause and lead. It is by their example that those under them will conduct themselves. The effort to justify the costs of security may take considerable tact and the patience of Job. Some executives will not believe that spending more resources on information security in the absence of a return is worth the expense unless they understand security in the first place. It is incumbent on the security manager to impart this understanding to top management.
Today’s enterprises face greater risk in the expanding Internet age. The increasing ease of information sharing is accompanied by the proportionally rising risk of doing so. The costs of security are rising along with that risk. Managers must control costs to gain competitive advantage in an increasingly competitive global market. The costs of security cannot be managed unless they are recognized as costs. Security managers must both establish the reality and justify the costs of information security to executives. For top managers to buy in, security managers must make the sale.
Appendix
Figure 1: Percentage of IT Budget Spent on Security

Source: Computer Security Institute, 2004.[41]
Figure 2: Dollar Amount of Losses by Type

Source: Computer Security Institute, 2004.[42]
Table 1: Terms and Concepts Used in the Framework
| Term | Definition |
| --- | --- |
| Category of Threats | a set of related misuses and attacks that pose threats to the organization |
| Category of Preventions | a set of recommendations that sufficiently mitigate a Category of Threats. A Category of Preventions has a one-to-one relationship with a Category of Threats. |
| Baseline Risk | incident risk to the organization if no security solutions are in place |
| Bypass Rate | probability that an attack will penetrate a given security solution and result in observable damage. A 100% bypass rate means the security solution does not stop any incidents; a 0% bypass rate means the security solution stops all incidents. |
| Residual Risk | incident risk to the organization if security solutions are properly installed, utilized, and monitored. Residual Risk = Baseline Risks x Bypass Rate. |
| Net Present Value (NPV) | the present value of an investment’s future net cash flow minus the initial investment |
Source: SQUARE Team (2004).[43]
Selected Bibliography
Baye, Michael R. (2003). Managerial Economics and Business Strategy. Boston, MA: McGraw Hill.
Bosworth, Seymour and M.E. Kabay. (Editors). (2002). Computer Security Handbook, 4th Edition. New York, NY: John Wiley & Sons.
Coverdale, Andrew and Dan Robinson. (1997). The Bunch Attack: Using Compressed Formations in the Passing Game. Champaign, IL: Sagamore Publishing, Inc.
Horngren, Charles, T., Gary L. Sundem, and William O. Stratton. (2005). Introduction to Management Accounting. Upper Saddle River, NJ: Prentice-Hall.
Marcinko, Richard and John Weisman. (1992). Rogue Warrior. New York, NY: Pocket Books.
Parker, Donn B. (1998). Fighting Computer Crime: A New Framework for Protecting Information. New York, NY: John Wiley & Sons.
End Notes
[1] Computer Security Institute, 2004 CSI/FBI Computer Crime and Security Survey, p. 4. Available:
http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml
[2] Ibid., p. 2.
[3] Ibid., p. 10.
[4] Ibid., p. 2.
[5] Berinato, Scott. (February 12, 2002). Finally, a Real Return on Security Spending. CIO Magazine. Available:
http://www.cio.com/archive/02150z2/security.html
[6] Ibid.
[7] Parker, Donn B. (May 2003). Interview by CSOinformer. Available:
http://www.breakwatersecurity.com/resources/donn_parker.html
[8] Ibid.
[9] Parker, Donn B. (August 2002). Motivating the Workforce: The Key to Good Security (Part 2 of 2). Interview by RedSiren. Available:
http://www.redsiren.com/securityWireAugust.html
[10] Mimoso, Michael S. (June 2002). Security Decisions: Time for people, processes to supersede technology. Available:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci835501,00.html
[11] Hallberg, Carl, Arthur E. Hutt, and M.E. Kabay. (2002). Management Responsibilities and Liabilities. Computer Security Handbook, 4th ed., by Seymour Bosworth and M.E. Kabay. New York, NY: John Wiley & Sons, p. 45.3.
[12] Rudolph, K., Gale Warshawsky, and Louis Numkin. (2002). Security Awareness. Computer Security Handbook, 4th ed., by Seymour Bosworth and M.E. Kabay. New York, NY: John Wiley & Sons, p. 29.3.
[13] Jacobson, Robert V. (2002). Risk Assessment and Risk Management. Computer Security Handbook, 4th ed., by Seymour Bosworth and M.E. Kabay. New York, NY: John Wiley & Sons, p. 47.5.
[14] Blakley, Bob. (Fourth Quarter, 2001). Return on Security Investment: An Imprecise but Necessary Calculation. Secure Business Quarterly, p. 1. Available:
http://www.sbq.com/sbq/rosi/sbq_rosi_calculation.pdf
[15] Ibid., p. 2.
[16] Anthes, Gary H. (February 17, 2003). ROI Guide: Internal Rate of Return. Computerworld. Available:
http://www.computerworld.com/managementtopics/roi/story/0,10801,78524,00.html
[17] Ibid.
[18] Anthes, Gary H. (February 17, 2003). ROI Guide: Net Present Value. Computerworld. Available:
http://www.computerworld.com/managementtopics/roi/story/0,10801,78530,00.html
[19] Ibid.
[20] Worstell, Karen, Mike Gerdes, and M.E. Kabay. (November 1, 2000). Net Present Value of Information Security. Date of publication provided by Hallberg, Hutt, and Kabay in Management Responsibilities and Liabilities, supra at 11, p. 45.11. Available:
http://www.developer.com/security/article.php/640831
[21] Ibid.
[22] SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies (2004), p. 1. Available:
http://www.cert.org/archive/pdf/SQUARE_Cost.pdf
[23] Horngren, Charles T., Gary L. Sundem, and William O. Stratton. (2005). Introduction to Management Accounting. Upper Saddle River, NJ: Prentice-Hall, p. 200.
[24] Ibid., p. 24.
[25] Ibid., p. 25.
[26] Parker, Donn B. (1998). Fighting Computer Crime: A New Framework for Protecting Information. New York, NY: John Wiley & Sons, p. 270.
[27] Ibid., p. 268.
[28] Ibid., p. 273.
[29] Ibid., p. 284.
[30] Ibid., p. 285.
[31] Ibid., p. 500.
[32] Personal communication, May 18, 2005, Plano, Texas, attended by the author.
[33] Coverdale, Andrew and Dan Robinson. (1997). The Bunch Attack: Using Compressed Formations in the Passing Game. Champaign, IL: Sagamore Publishing, Inc., p. 69.
[34] Marcinko, Richard and John Weisman. (1992). Rogue Warrior. New York, NY: Pocket Books, p. 332.
[35] Ibid., p. 348.
[36] Parker, Donn B., op. cit., p. 334.
[37] Ibid., p. 336.
[38] Ibid., pp. 463-464.
[39] Ibid., p. 462.
[40] Baye, Michael R. (2003). Managerial Economics and Business Strategy. Boston, MA: McGraw Hill.
[41] Computer Security Institute, op. cit., p. 4.
[42] Ibid., p. 10.
[43] SQUARE Project, op. cit., p. 4.
