Network Security Security-Management

Re: ROSI

Subject: Re: ROSI
Date: Fri, 21 Jan 2005 08:47:50 -0500
Good point Mathew.  I should also say that there has been some excellent
research done on the impact of information security breaches on the
market cap of affected firms (which directly impacts their cost of
capital):

"The Effect of Internet Security Breach Announcements on Market Value of
Breached Firms and Internet Security Developers"; Huseyin Cavusoglu,
Birendra Mishra, Srinivasan Raghunathan; The University of Texas at
Dallas School of Management, February 2002

The economic cost of publicly announced information security breaches:
empirical evidence from the stock market   Katherine Campbell, Lawrence
A. Gordon, Martin P. Loeb and Lei Zhou Accounting and Information
Assurance, Robert H. Smith School of Business, University of Maryland,
2003 (googling will turn up links)

However, I have found only two, and the differences in their conclusions
indicate to me that it is still a moving target.  E.g., the first study
found that the type of attack that occurred didn't matter, while the
UMD study found that a breach of 'confidential information' saw a 5%
drop in stock price while firms suffering a non-confidential breach saw
no impact.  I read it as the market over time learning the difference
between a DOS attack and the posting of customers' credit cards online.

These docs may be closer to what you were asking about in the original
post, a broad market survey about the economic benefits of investing in
info sec.

Nick


On Thu, 2005-01-20 at 16:15 -0600, Matthew Caston wrote:
Zaklina,
You may want to investigate (Average) Annual Loss Expectancy (AALE or
ALE) as a variable in your analysis - it can serve as a guidepost, and
should certainly be considered during any risk analysis/ROI exercise.
Do a search on the cio.com or csoonline.com sites - I know they've
published several pieces relevant to your question and have hosted
several moderated discussions. A quick look shows they have a number of
links to applicable resources.

Good Luck....
Zaklina Supica wrote:

Nick,

Thanks for your answer. I'm aware that every organization has a
different ISMS implementation process. What I'm trying to do is to
analyze and find the best way to calculate security investment. Is it a
cap rate, ROI, NPV... or some other known method? To me it doesn't
matter.

I would appreciate any good advice on that subject. I just want to see
as realistic a number as possible.

Zaklina

-----Original Message-----
From: Nick Owen [mailto:nickowen@mindspring.com] 
Sent: Monday, January 17, 2005 9:00 PM
To: Zaklina Supica
Cc: security-management@securityfocus.com
Subject: Re: ROSI

Zaklina:

You won't be able to find much, if anything, about the economics of
implementing BS 7799 because I suspect that each implementation would be
very different and that no one has aggregated the information - perhaps
because few companies actually track it.  Rather, they are forced to
comply with some standard by a large customer or a government regulation.

As for ROSI, I'm not a fan of ROI and its ilk as it can lead to
distortions in decision making, in particular for info sec.  Information
security investments should be about risk mitigation and ROI doesn't
take risk into account.  Say you have two projects:  invest $20k and
return $2k/period and invest $10k and return $1k/period.  The ROI and
payback are the same.  But, if the first project is riskier than the
second, you should do the second. ROI won't tell you that.  Using a Cap
rate, NPV, IRR or economic profit would.

You can read more at my (new) blog:
http://www.wikidsystems.com/WiKIDBlog, 

HTH,

nick

On Sat, 2005-01-15 at 12:14 +0100, Zaklina Supica wrote:

Hi,

I'm very interested in some data about ROSI in general, and some
figures ($) about ROSI and BS 7799 compliant ISMS (if they exist).

Thanks,

Zaklina Supica

Tel: +385 1 6129 781
Fax: +385 1 6129 889

http://security.lss.hr

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
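A worked illustration of the ROI-versus-NPV point in Nick's reply and of the ALE figure Matthew suggests, added here as an example and not part of the thread. The 20-period horizon, the 10% and 5% risk-adjusted discount rates, and the SLE/ARO/control-cost figures for the ROSI calculation are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Project:
    name: str
    cost: float           # up-front investment
    gain: float           # return per period
    periods: int          # evaluation horizon (assumed: 20 periods)
    discount_rate: float  # risk-adjusted discount rate (assumed)


# Nick's two projects; the horizon and the rates are assumptions added here.
RISKIER = Project("invest $20k, return $2k/period", 20_000, 2_000, 20, 0.10)
SAFER = Project("invest $10k, return $1k/period", 10_000, 1_000, 20, 0.05)


def roi(p: Project) -> float:
    """Simple ROI over the horizon: (total return - cost) / cost. Risk-blind."""
    return (p.gain * p.periods - p.cost) / p.cost


def payback_periods(p: Project) -> float:
    """Periods until cumulative return equals the investment. Also risk-blind."""
    return p.cost / p.gain


def npv(p: Project, rate: Optional[float] = None) -> float:
    """Net present value: discounted returns minus cost. The rate carries the risk."""
    r = p.discount_rate if rate is None else rate
    return sum(p.gain / (1 + r) ** t for t in range(1, p.periods + 1)) - p.cost


def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy = single loss expectancy * annual rate of occurrence."""
    return sle * aro


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment = (loss avoided - control cost) / control cost."""
    return (ale_before - ale_after - control_cost) / control_cost


def compare() -> dict:
    """ROI and payback tie; NPV only separates the projects once risk enters the rate."""
    return {
        "roi": (roi(RISKIER), roi(SAFER)),
        "payback": (payback_periods(RISKIER), payback_periods(SAFER)),
        "npv_same_rate": (npv(RISKIER, 0.05), npv(SAFER, 0.05)),
        "npv_risk_adjusted": (npv(RISKIER), npv(SAFER)),
        # constructed control: $50k per incident, ARO 0.4 -> 0.1 per year, $8k/year
        "rosi": rosi(ale(50_000, 0.4), ale(50_000, 0.1), 8_000),
    }
```

At one shared rate the riskier project's NPV is exactly twice the safer one's, so it still looks better; at risk-adjusted rates it turns negative while the safer project stays positive.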

