
| Subject: | RE: Value of IDS, ROI |
|---|---|
| Date: | 11 May 2005 08:27:08 -0000 |

Hi all,

I'm terribly sorry for this type of quoting, but it's the only way I can manage from my PocketPC.

First, I think that ROI is the wrong economic indicator to manage and maybe justify your budgeting operations or investments in IT security. When using approaches based on economic indicators we must use the appropriate ones. ROI, for me, is too simple and discrediting for analyzing IDS/IPS-based investments.

The reason is quite simple; I know that this is a technical list and not an economic one, but I'll try to explain as simply as I can. The ROI doesn't analyze two important things when calculating this kind of investment:

1) price of the invested money
2) THE RISK OF THE INVESTMENT.

Furthermore, we must understand that IDS/IPS are rarely used to "CREATE BUSINESS" in a non-IT but profit-oriented company; they're usually made for countermeasures and/or forensic analysis. So another IMPORTANT point of view consists in discriminating TWO kinds of companies:

1) those which use IDS/IPS for CREATING MONEY, such as security consultants or IT-security-based enterprises
2) those which use IDS/IPS as an "addendum" to the company's IT services, making them "better"

Another important concept is that an IDS is a "semi-intangible object". It is easier for us to calculate the ROI for a server or for a switch; they are "physical", so, for example, I introduce the "New-Server" in my scenario and the better velocity may be the real reason that justifies my investment. It's difficult to say the same thing for an IDS/IPS. For these we usually hear an investment reason such as "if we don't use an IDS/IPS our network is in danger". So from here, only a good risk analysis can justify the investment, not the IDS product.

So the only theory applicable, as far as I know, for this kind of investment is the "VALUE ADDED THEORY". In an accounting-analytics manner we may use the "payback period" as the only arithmetical indicator.

The economic indicators that better explain the ROSI (Return on Security Investment) are the financial ones, not the arithmetical ones. So, first, in the "VALUE ADDED THEORY" we can begin to "think" using these indicators:

+ discounted cash flow analysis (DCF)
+ net present value (NPV)

Net Present Value best ties the investment decision to the company objectives, for IT-security enterprises. NPV, furthermore, is able to compare different investments of the same kind.

So, in the same way we can discuss the BEST ECONOMIC INDICATOR for these kinds of investments, the EVA [TM Stern Stewart & Co]. EVA is a performance indicator; it explains the effectiveness of the invested money or the "super-yield" produced using the risk capital. Applying it to an entire company or a single organization/production unit, it is simple to understand how and when an investment adds or destroys value.

EVA = NOPAT - Capital charge
NOPAT = net operating profit after taxes

This is my 5 cents; please don't blame me for this brainstorming. Any opinions will be appreciated, don't hesitate to contact me in private :-)

Best Regards,
Lombardo Federico, IT Security
Grandi Stazioni S.p.A.
Italy