security & ROI: an oxymoron

When considering an investment, CFOs always want to see a return on that investment. How much does it cost? How much money does the company get back, and when? Some Chief Security Officers are still struggling with that equation, although it does not apply to security investments.

about the security ROI

To be convinced, let’s look at an article by Bruce Schneier. Although this article is from 2008, it is still valid. In a nutshell, Mr. Schneier states that if you want to calculate an ROI, you need to know the cost of an incident. Based on that cost, you can establish the investment you can make: it should not be greater than the potential cost of the incident.

According to Bruce Schneier, several factors undermine this approach:

  • The cost of an incident is unknown. All the estimates available are fanciful, and they vary widely from one interpretation to another.
  • The likelihood of an adverse event happening is highly subjective.

I would like to add another one: the residual risk. No control will reduce your risk to zero. So an investment of 1000€ targeting a cost of 1000€ is a wrong calculation, because you still risk a successful attack whatever your controls are. You therefore also need to estimate what the cost of an adverse event will be despite the investment you have made.

As we can see, there are too many uncontrolled variables in this approach. ROI in security simply does not work.

So what does this mean?

Instead of focusing on the financial point of view, we have to focus on the reasons for the investment. We can distinguish three categories: the legal, the business-driven and the risk delegation…

legal and mandatory controls

With governments wanting companies to manage their IT better, we see more and more mandatory controls that have to be implemented. With the new laws on private data, especially in the European Union, the security investments needed will keep growing.

You cannot avoid those investments. The best approach is to stay aware of what is going on in this area. This will help you understand which laws will affect you and how. Just as importantly, it will also give you a target date by which those investments should be made and all related projects finished!

Using this knowledge, you can start integrating the legal requirements into every single project. This allows you to avoid a big hit to your budget on D-day. However, this simplistic approach is not always feasible. We end up with a simple question: what is the minimum amount of money that I should invest to be compliant with the upcoming laws?

“business requested” controls

Every company should regularly run a risk analysis to understand where it stands and which risks it is willing to accept. This analysis will highlight the risks that need to be reduced.

This category of investments can itself be divided into two groups. Some security measures must be considered a commodity. The desktop antivirus is a very good example. Nobody contests the fact that we need antivirus software on PCs. Most of the time it is not taken out of the security budget, but is part of the total cost of ownership of a PC. It would make no sense to try to establish an ROI on antivirus software. This applies to many other security controls: firewalls should be included in any network project. By doing so, you can move those controls outside of the security budget.

On the other hand, not every company should run an IDS; it depends on the risk appetite of the company. Of course, implementing and maintaining such tools may require staff to hold certain security certifications. If such certifications are a prerequisite to running the business, we find ourselves in the same situation as with the legal controls.

risk delegation

We all know that not all risks can be fully covered. This is a well-accepted fact. It leads some finance people to accept certain risks in order to avoid certain expenses... but there is another approach: the risks you are not willing to mitigate, but that you cannot afford to have occur, can be delegated to another company. This can be done with insurance.

Using this approach, the investment is minimal, but you still have a way to recover.


Michel Nolf

I provide information security officer consultancy for multinational clients and governmental institutions. Being as paranoid as any security responsible, I am quite relaxed at home enjoying family. My work has driven me to work with many different cultures that I am so happy to meet during my vacations.

Working in security for so long, I have seen the evolution of the mentality, but I dream of more. But dreaming is not enough… Let’s work on it!