When we at SecureIQLab test security products, we go above and beyond reporting efficacy and cost; we also quantify operational efficiency and a metric we call ROSI: Return on Security Investment. Operational efficiency accounts for costs such as deployment and the ongoing cost of using the product. If a product requires a lot of time to maintain, then a total cost of ownership (TCO) metric that does not account for true deployment and ongoing maintenance costs is incomplete.
Additionally, if a product has a high degree of complexity in configuration, it costs more in terms of employee time and can decrease security efficacy. Complexity is the bane of security. Overly complex solutions can lead to configuration errors. According to the NSA, not only is cloud security misconfiguration widespread, but the level of sophistication required to exploit vulnerable misconfigurations is low.
ROSI includes security efficacy, operational efficiency, and also the potential cost of failure. The potential cost of failure is best approximated by the annualized loss expectancy (ALE). The calculation for ROSI is (Annual Loss Expectancy × Security Efficacy − Total Cost of Ownership) / Total Cost of Ownership. Simplified: ROSI = (ALE × SE − TCO) / TCO.
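To show how the formula behaves once operational efficiency is folded into TCO, here is a small calculator added for this post (not SecureIQLab's released calculator). All dollar figures, hours and the hourly staff rate are constructed; it compares two hypothetical products once with a license-only TCO and once with deployment and maintenance included.

```python
from dataclasses import dataclass

# Constructed example values; not data from SecureIQLab's tests or calculator.
HOURLY_RATE = 100.0  # fully loaded cost of one staff hour (assumed)


@dataclass
class Product:
    name: str
    efficacy: float                    # SE: fraction of expected loss the product prevents (0..1)
    license_per_year: float            # recurring purchase cost
    deployment_hours: float            # one-time deployment effort
    maintenance_hours_per_year: float  # ongoing operational cost (tuning, rule upkeep)


def annual_loss_expectancy(single_loss_expectancy: float, annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO: expected loss per year before any control is applied."""
    return single_loss_expectancy * annual_rate_of_occurrence


def total_cost_of_ownership(p: Product, years: int, license_only: bool = False) -> float:
    """Annualised TCO. license_only=True omits the operational costs and is the
    'incomplete' TCO the post warns about."""
    if license_only:
        return p.license_per_year
    deployment = p.deployment_hours * HOURLY_RATE / years  # amortised over the planning horizon
    upkeep = p.maintenance_hours_per_year * HOURLY_RATE
    return p.license_per_year + deployment + upkeep


def rosi(ale: float, efficacy: float, tco: float) -> float:
    """ROSI = (ALE x SE - TCO) / TCO, as given in the post."""
    if tco <= 0:
        raise ValueError("TCO must be positive")
    return (ale * efficacy - tco) / tco


def rank_products(products, ale, years=3, license_only=False):
    """Return {name: ROSI}, highest ROSI first."""
    scores = {p.name: rosi(ale, p.efficacy, total_cost_of_ownership(p, years, license_only))
              for p in products}
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


# Constructed scenario: a $500k breach expected 0.4 times per year -> ALE of $200k.
ALE = annual_loss_expectancy(500_000, 0.4)
PRODUCTS = [
    Product("A: pricier, simple", 0.90, 40_000, deployment_hours=80, maintenance_hours_per_year=100),
    Product("B: cheaper, complex", 0.80, 15_000, deployment_hours=200, maintenance_hours_per_year=600),
]

if __name__ == "__main__":
    print("license-only TCO:", rank_products(PRODUCTS, ALE, license_only=True))
    print("full TCO:        ", rank_products(PRODUCTS, ALE))
```

With license cost alone, the cheaper but configuration-heavy product B ranks first; once its deployment and maintenance hours are priced in, product A's ROSI is more than twice B's.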
The equation is simple enough but requires some fine-tuning to tailor it to your environment. After all, it is unlikely that a breach at your company will result in the average cost of a breach. The cost of a breach is likely to exceed the average when regulations such as HIPAA and PCI come into play. If your company is small and/or obscure, negative publicity MIGHT not be a significant factor. If you are a big company, the losses can be enormous.
But risk tolerance comes into play. Let me give you a made-up metric as a simplistic example involving passwords. I have a password to an encrypted email account. My risk tolerance there is relatively low; or, if you prefer to put it in terms of risk aversion, I'm very risk-averse. For an online account, such as a news outlet, I have an extremely high risk tolerance, so functionally, I don't care if my password is something like "letmein." There is very little on the line for me when I go to news sites. I still use great passwords, though. A load-bearing beam of security is discipline.
Another factor is how bad the cost of failure can be. Yeah, your company can go out of business, but the threat is not the same for all companies. If a successful breach results in the loss of proprietary information, the cost may range from a loss of market share to going out of business. The cost could be jail time if you hide documents that conceal illegal activities. I won't ask if you are doing that.
Beyond these considerations, variables such as the size of your company and your industry can help you better approximate your ALE. Email security company Tessian has an infographic that breaks down the average cost of a breach by industry. The data is dated but shows how costs can vary by industry. You may find AI systems such as ChatGPT helpful in finding the information you need, but be sure to validate it by checking sources. Just ask the AI system for the sources of the information.
A cyber insurance company may be willing to share information about ALE for your industry and company size. Understanding ALE relative to sector, company size, and, I’m sure, a few other variables is essential for such insurance companies to maximize profits.
Once you have brewed your own ALE, then you might want to tweak ROSI a bit more. Depending on skill levels, product familiarity, and interoperability with other systems, actual operational efficiency costs for a given product may be less for one organization than for another.
We have just released our ROSI calculator for use in conjunction with our recent web application and API protection validation tests. While tailored to this test, it can also serve as a more generic template for your own use.
One final consideration when estimating your ALE: what's a good night's sleep worth to you? Depending on that, efficacy may trump ALE. Sleep on it and get back to me!
Randy Abrams
Senior Security Analyst
SecureIQLab