Giddy Up ROI!

Added 15th Oct 2008

Article Highlights

  • Many corporate customers are demanding ROI models to demonstrate that a particular security investment pays off
  • Calculate the cost of a security incident in both tangibles like time and money, and intangibles like reputation and competitive advantage

Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one to boot, in order to be viable. It's become a big deal in IT security, too. Many corporate customers are demanding ROI models to demonstrate that a particular security investment pays off. And, in response, vendors are providing ROI models that demonstrate how their particular security solution provides the best ROI. It's a good idea in theory, but it's mostly bunk in practice. 'ROI' as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context. But as anyone who has lived through a company's vicious end-of-year budget-slashing exercises knows, when you're trying to make your numbers, cutting costs is the same as increasing revenues.


So, while security can't produce ROI, loss prevention most certainly affects a company's bottom line. And a company should implement only security countermeasures that affect its bottom line positively. It shouldn't spend more on a security problem than the problem is worth. Conversely, it shouldn't ignore problems that are costing it money when there are cheaper mitigation alternatives. A smart company needs to approach security as it would any other business decision: costs versus benefits. The classic methodology is called annualized loss expectancy (ALE).

Calculate the cost of a security incident in both tangibles like time and money, and intangibles like reputation and competitive advantage. Multiply that by the chance the incident will occur in a year. That tells you how much you should spend to mitigate the risk. So, for example, if your store has a 10 percent chance of getting robbed and the cost of being robbed is Rs 4 lakh, then you should spend Rs 40,000 a year on security. Spend more than that, and you're wasting money. Spend less than that, and you're also wasting money. Of course, that Rs 40,000 has to reduce the chance of being robbed to zero in order to be cost-effective. If a security measure cuts the chance of robbery by 40 percent - to 6 percent a year - then you should spend no more than Rs 16,000 on it. If another security measure reduces it by 80 percent, it's worth Rs 32,000. And if two security measures reduce the chance of being robbed by 50 percent and one costs Rs 12,000 and the other Rs 28,000, the first one is worth it and the second isn't. The key to making this work is good data. If you're doing an ALE analysis of a security camera at a convenience store, you need to know the crime rate in the store's neighborhood and maybe have some idea of how much cameras improve the odds of convincing criminals to rob another store instead.
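The ALE arithmetic of the robbery example above, worked through as an added illustration (this is not code from the original article). The split of the Rs 4 lakh incident cost into components and the names of the security measures are constructed for the example; the probabilities, reductions and prices are the article's.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """An annualised threat: chance per year and the cost of one incident."""
    annual_probability: float   # e.g. 0.10 for a 10 percent chance per year
    incident_costs: dict        # tangible and intangible components, in Rs

    def incident_cost(self) -> float:
        return sum(self.incident_costs.values())

    def ale(self) -> float:
        """Annualised loss expectancy: probability x cost, per year."""
        return round(self.annual_probability * self.incident_cost(), 2)


@dataclass
class Control:
    name: str
    annual_cost: float
    reduction: float            # fraction of the annual probability it removes


def control_value(risk: Risk, control: Control) -> float:
    """Most you should spend per year on this control: the ALE it removes."""
    return round(risk.ale() * control.reduction, 2)


def net_benefit(risk: Risk, control: Control) -> float:
    return round(control_value(risk, control) - control.annual_cost, 2)


def worth_it(risk: Risk, control: Control) -> bool:
    """A control pays for itself when its price does not exceed the ALE it removes."""
    return net_benefit(risk, control) >= 0


def rank_controls(risk: Risk, controls: list) -> list:
    """Controls that pay for themselves, highest net benefit first."""
    kept = [c for c in controls if worth_it(risk, c)]
    return sorted(kept, key=lambda c: net_benefit(risk, c), reverse=True)


# Constructed split of the article's Rs 4 lakh robbery cost into components.
ROBBERY = Risk(0.10, {"merchandise": 300_000, "staff_time": 50_000, "morale": 50_000})
CONTROLS = [                    # hypothetical names; figures from the article
    Control("measure A", 16_000, 0.40),
    Control("measure B", 32_000, 0.80),
    Control("camera C", 12_000, 0.50),
    Control("camera D", 28_000, 0.50),
]
```

Running `rank_controls(ROBBERY, CONTROLS)` keeps camera C and the two break-even measures and drops camera D, matching the article's conclusion; a control priced at the full Rs 40,000 ALE passes only when its reduction is 1.0.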

You need to know how much a robbery costs: in merchandise, in time and annoyance and in employee morale. You need to know how much not having cameras costs in terms of employee morale; maybe you're having trouble hiring salespeople to work the night shift. With all that data, you can figure out if the cost of the camera is cheaper than the loss of revenue if you close the store at night - assuming that the closed store won't get robbed as well. And then you can decide whether to install one. With all the need for data, you can already begin to see why this model doesn't work.
