ROSI - A Practical Quantitative Model

This document proposes a quantitative model called ROSI (Return on Security Investment) to calculate the financial risk of security incidents and the effectiveness of security solutions in a consistent and repeatable manner. It does this by quantifying risk exposure, risk mitigated, and solution costs using metrics like SLE, ALE, ARO and productivity surveys. It also recommends using standardized security assessments from organizations like ISF, NIST and ISO to evaluate overall risk mitigation and provide scoring algorithms to capture changes in effectiveness over time. The proposed SecureMark system aims to provide a standardized benchmark for calculating ROSI that produces consistent, repeatable results correlated to financial performance.

Uploaded by fellow168950
Copyright: © Attribution Non-Commercial (BY-NC)
ROSI A Practical Quantitative Model


Challenges or problems to calculating accurate ROSI

- No standard model for calculating the financial risk of a security incident
- No standard methods to determine the risk-mitigating effectiveness of security solutions
- Cost metrics for solutions vary greatly

What could be used to overcome these problems?

- Repeatable and consistent metrics (even though not precise)

The ROSI equation:

Quantifying Risk Exposure


- SLE: Single Loss Exposure
- ALE: Annual Loss Exposure
- ARO: Annual Rate of Occurrence

Since there is no standard methodology for calculating these figures, it is best to focus on:

- Cost factors that are independently measurable
- Cost factors that correlate directly with the severity of the security incident

Examples:

- Loss of highly confidential information
- Productivity loss due to the security incident

Best way to obtain cost factors to quantify risk exposure in a repeatable and consistent manner:

- A good survey and scoring system for productivity
- External measurements of intellectual property value

Quantifying Risk Mitigated


Conservatively, a functioning security solution's mitigation percentage is 85%? Can't be so sure about this...

- Risks cannot be isolated
- Security solutions do not work in isolation
- Impact on productivity?
- Security solutions' effectiveness over time?

To better quantify Risk Mitigated:

- Use a security assessment and give scores to the assessment using a consistent algorithm.

Quantifying Risk Mitigated


A good security assessment:

- Evaluates risk mitigation of the network's overall security (not in isolation)
- Captures the impact of implementation choices on usability and productivity
- A good scoring algorithm captures the impact of time on a solution's effectiveness

Good assessment guidelines are provided by:

- International Security Forum (ISF)
- National Institute of Standards and Technology (NIST)
- International Standards Organization (ISO)

Good scoring algorithms: artificial neural networks

Quantifying Solution Cost


The cost of a solution must include the impact of the solution on productivity. Productivity impact can be measured by rerunning the productivity surveys used in estimating Risk Exposure.
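The slides give the ingredients (SLE, ARO, ALE, a mitigation percentage, and a solution cost that includes productivity impact) but the ROSI equation itself did not survive extraction. The following added example (not from the slides) ties them together using the commonly cited formula ROSI = (Risk Exposure × Risk Mitigated% − Solution Cost) / Solution Cost, which is an assumption here, and shows how much the unverified 85% mitigation figure drives the result; all money figures are constructed.

```python
# Added example (not from the slides): ROSI from the slide's risk-exposure
# quantities. Assumes the commonly cited formula
#   ROSI = (Risk Exposure * Risk Mitigated% - Solution Cost) / Solution Cost
# and that Solution Cost includes the productivity impact, as the slides say.
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    sle: float  # Single Loss Exposure: cost of one incident
    aro: float  # Annual Rate of Occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annual Loss Exposure = SLE x ARO."""
        return self.sle * self.aro


def risk_mitigated(exposure: Exposure, mitigation: float) -> float:
    """Annual loss avoided by a solution that mitigates a fraction of the ALE."""
    if not 0.0 <= mitigation <= 1.0:
        raise ValueError("mitigation must be a fraction between 0 and 1")
    return exposure.ale * mitigation


def rosi(exposure: Exposure, mitigation: float,
         solution_cost: float, productivity_impact: float = 0.0) -> float:
    """Return on security investment as a ratio (0.5 means 50%)."""
    total_cost = solution_cost + productivity_impact  # cost includes productivity
    if total_cost <= 0:
        raise ValueError("total solution cost must be positive")
    return (risk_mitigated(exposure, mitigation) - total_cost) / total_cost


def sensitivity(exposure: Exposure, solution_cost: float,
                productivity_impact: float = 0.0,
                mitigations=(0.85, 0.70, 0.50, 0.30)) -> dict:
    """ROSI for each assumed mitigation percentage: the slides doubt the 85%."""
    return {m: rosi(exposure, m, solution_cost, productivity_impact)
            for m in mitigations}


# Constructed figures, not taken from the slides.
EXAMPLE = Exposure(sle=50_000.0, aro=4.0)  # ALE = 200,000 per year
SOLUTION_COST = 60_000.0        # licence, hardware, operations per year
PRODUCTIVITY_IMPACT = 20_000.0  # measured by rerunning the productivity survey

if __name__ == "__main__":
    for m, r in sensitivity(EXAMPLE, SOLUTION_COST, PRODUCTIVITY_IMPACT).items():
        print(f"mitigation {m:.0%}: ROSI {r:+.1%}")
```

With these figures ROSI swings from +112.5% at 85% mitigation to −25% at 30%, which is why the slides insist on a scored assessment rather than an assumed percentage.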

ROSI in the Long Term


- An amount in lump sum?
- Installment payments to enable other investments?
- NPV (Net Present Value)
- Estimated rate of return when money is invested (Discount Rate)

IRR (Internal Rate of Return)


- Estimates the investment's effective earning rate
- IRR > NPV is good

NPV and IRR are better than ROI if accurate predictions can be made of the timing and of the costs and benefits over the lifetime of the investment.
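To make the lump-sum versus installment question and the NPV/IRR comparison concrete, here is an added example (not from the slides) using the standard definitions NPV = Σ CF_t / (1 + r)^t and IRR = the rate at which NPV is zero; the cash flows, discount rate and the `security_cash_flows` helper are constructed for illustration.

```python
# Added example (not from the slides): NPV and IRR applied to a security
# investment, comparing a lump-sum purchase with installment payments.
# Assumes the standard definitions: NPV = sum(CF_t / (1 + r)^t), IRR is the
# rate at which NPV is zero. Cash flows and rates are constructed figures.
from typing import Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value; cash_flows[t] occurs at the end of year t (t=0 is today)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        iterations: int = 200) -> float:
    """Internal rate of return by bisection on npv(); needs a sign change in [lo, hi]."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("no IRR in the search interval (NPV does not change sign)")
    for _ in range(iterations):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def security_cash_flows(annual_benefit: float, years: int,
                        lump_sum: float = 0.0, installment: float = 0.0) -> list:
    """Year-0 outlay plus yearly net benefit (risk mitigated minus running cost).
    With installments the outlay is spread over years 0..years-1 instead."""
    flows = [-(lump_sum + installment)]
    for year in range(1, years + 1):
        paying = installment if year < years else 0.0
        flows.append(annual_benefit - paying)
    return flows


# Constructed scenario: 40,000/year net benefit for 4 years, 10% discount rate.
DISCOUNT_RATE = 0.10
LUMP = security_cash_flows(40_000.0, 4, lump_sum=100_000.0)
INSTALL = security_cash_flows(40_000.0, 4, installment=25_000.0)

if __name__ == "__main__":
    for name, flows in (("lump sum", LUMP), ("installments", INSTALL)):
        print(f"{name:12s} NPV@{DISCOUNT_RATE:.0%} = {npv(DISCOUNT_RATE, flows):,.0f}"
              f"  IRR = {irr(flows):.1%}")
```

Spreading the same 100,000 over four installments raises both NPV and IRR because later payments are discounted, which is the slide's point about installments freeing money for other investments.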

The SecureMark System


- The SecureMark System is the practical quantitative model for calculating ROSI
- Aims to provide a trustworthy standard for security benchmarking
- Consistent, repeatable results
- Results correlate to financial performance
- Based on ISO17799, NIST and ISF standards
- Focuses on productivity (measures the productivity loss due to the current security issues), which thus becomes a significant factor in the cost of a solution
