Introduction
When top-level management makes investment decisions, it strives to find a balance between risk and reward so that the company meets its overall goals and ambitions. These goals could be defined as single-year financial targets combined with annual budgets and rolling forecasts, or they could be related to more long-term metrics used to drive a change.
Since 2008, we have witnessed unprecedented changes in the global economic environment that have presented new risks and challenges, combined with new technologies, some of which have helped improve security controls and some of which have brought new risks and concerns.
Many security professionals struggle with the fact that costs associated with information security incidents can have large components that are difficult to quantify. Even so, security decisions need not be taken with a complete lack of quantified value. On the contrary, as with any investment request, there are often numerous opportunities to collect data and trend information in order to measure the effectiveness of the investment.
If investments in security are assessed alongside other investment projects, it helps to consider them on an equal footing, which implies the use of similar (and ideally the same) methods of financial cost projection. Benefits that cannot be measured with quantitative values may mean less to senior management. They may see information security as an inhibitor to their daily operations if the investment is not well aligned with current business activities or is presented in financial terms that do not seem relevant to their agenda (Tisakis and Pekos, 2008).
This article aims to give security professionals a brief introduction to performing cost-benefit analyses of security investments and presenting them to management, in order to bridge the gap between security professionals and business leaders. It is based on recent reports and previous research on the topic, and should be considered a summary only. For a deeper analysis and broader perspectives on obtaining support and funding from senior management, please refer to the full reports.