Most companies would agree that securing their information assets is worth some investment. It is thus plausible to assume that low levels of IT security investment indicate that only a small portion of the firm’s business is IT asset value driven. It could also point to a misaligned corporate investment policy. Conversely, some firms may be investing more than is warranted given the value of their information asset holdings, thereby wasting shareholder resources. The question then becomes: What level of IT security investment is enough? Several models exist to help companies set their IT spending in general and Information Security spending in particular. The leading model out there is the Information Technology Portfolio Management (ITPM) model. This is really nothing more than financial portfolio management theory applied to the information technology realm. Thus ITPM tries to optimize IT spending based on a number of factors like business value, efficiency and cost reduction among others. Despite current vigorous research at esteemed institutions like the Center for Information Systems Research (CISR) at MIT and at the Free University of Amsterdam, ITPM is still in its infancy and the field would benefit from alternative models. In this chapter, we propose an alternative model of IT security spending that firms may readily apply when setting their Information Security budgets. The model is analytical and starts by developing a model for the business value of information. It then develops a model for the cost of an information security breach. Finally, we find the relationship between the value model and the cost model from.
The global spending on IT may only be considered as leviathan – $1.5 trillion in 2007 according to Forrester (Bartels, 2007), and is the driver for a very large segment of the global economy, especially in the western industrialized countries. At any individual firm, the $1.5 trillion figure typically translates to between 1% and 8% of revenues. Since any firm’s spending is a balancing act amongst multiple competing priorities, it becomes critical for CIOs and IT managers to justify every penny spent on IT.
As we mentioned earlier, the most common model appears to be the ITPM model which views IT spending as an investment just like any other that the firm makes. ITPM then creates metrics, processes and monitoring tools that ultimately measure Return on Investment (ROI) for each IT dollar spent (Symons, 2005).
The Forrester Research cited (Symons, 2005) also reveals that firms are most likely to optimize their IT spending around Business Value. In other words, the firms surveyed decided that the business value of IT spending outweighed other considerations like financial return, cost reductions and even efficiency (see Figure 1).
Figure 1. IT portfolio optimization criteria (Symons, 2005)
This validates a key premise of our model, namely that IT Security Spending is integral to the firm’s value chain. We shall return to this notion of “Business Value” driven IT Security Spending later when we formulate our model.
ITPM, however, is still in its infancy, and is fairly complicated to apply, monitor and measure in any given company. Additionally:
ITPM is ultimately based on the financial theory of portfolio optimization. While it is plausible that the basic concepts of Modern Portfolio Theory (MPT), see for example (Markowitz, 1952), should apply to IT spending, the two problems are sufficiently different that substantial conceptual modifications to MPT are in order before it can make sense to the IT line manager. At the very least, it is not clear that MPT is the best approach to modeling IT investment portfolios. For example, an IT investment portfolio is not nearly as liquid as a stock portfolio, if it is liquid at all.
ITPM is complicated and thus not easily accessible except to generally larger firms with a fair amount of resources devoted to IT process and operations modeling. This is evident from the Forrester study (Symons, 2005): of the mostly large firms surveyed, only 33% indicated that they had some form of an ITPM process. Combined with its immaturity as a practical model, we speculate that ITPM will not be accessible to a vast majority of firms as a practical tool to use when setting IT spending levels.
Even more ominously, the Forrester survey mentioned above found that a vast majority of those firms with an ITPM process (82%) considered it to be an IT initiative. In other words, ITPM was not pervasive enough in the firm to be of any meaningful or lasting value beyond being just another IT initiative.
Anecdotal evidence from our Identity and Access Management (IAM) consulting across a wide array of industries, including financial services, pharmaceuticals and health care services, also supports Forrester’s results: most firms we work with, small and large, don’t have any consistent way to model or allocate their IT spending. Rather, they tend to focus on broad goals or generalities, for example:
Key Terms in this Chapter
Information Asset Breach: Compromise of security, in terms of confidentiality, integrity or availability, of assets that support business functions by providing secure access to information.
IT Economics: The concept of understanding and applying knowledge of the costs and benefits of managing IT assets, expressed in monetary terms.
Identity and Access Management: Managing the digital identities of stakeholders such as employees, partners, suppliers, contractors, etc., and their access to the information resources required to perform and support the business functions of an organization.
Security Economics: Field of study and area of application that analyzes and evaluates costs and benefits, in financial terms, of acquisition, deployment and maintenance of resources such as systems and personnel to provide security of information and informational assets.
IT Portfolio Management: The process of defining and managing a combination of different types of IT resources, such as applications, infrastructure and personnel, as a portfolio, with the aim of optimizing their utility in terms of business value added.
IT Asset Value: The value of an asset that stores, processes or transmits information, measured as the value added to the business by deploying and supporting it.
Business Loss Index: The percentage of an organization’s business that is lost due to an information security breach.
IT Security: Securing different components of information technology by ensuring confidentiality, integrity and availability of information stored, processed and transmitted by them.