Measuring the risk-based value of IT security solutions

Abstract

Information security problems cost millions of dollars for US companies and billions for the overall US economy. Nowadays, the question is not whether organizations need more security, but how much to spend for added security. And yet investing in IT security has always been a hard sell for IT managers. Scores of security technologies are on the market and, if anything is certain, it is that none of them can guarantee security. Each choice involves risk. The problem is that security managers lack structured cost-benefit methods to evaluate IT security solutions in light of prevailing uncertainties. A framework can help evaluate the costs and benefits of IT security solutions using a company's risk profile. Using an unconventional concept, this framework bases benefit on avoided risk rather than increased productivity. Lawrence Berkeley National Laboratory (LBNL) uses this framework to help demonstrate to management and auditors that it is significantly less expensive to accept some damage from cyberattacks than to attempt to prevent all possible damages. This pragmatic approach continues to enable LBNL's cybersecurity staff to optimize security countermeasure investments and reduce spending without sacrificing protection. The framework described here uses a risk management approach that integrates risk profile with actual damages and implementation costs to determine the costs and benefits of information security solutions. This approach requires reasonably voluminous data and is thus well suited for organizations with extensive incident data or when the consequences of incidents are high enough to warrant extensive data gathering.