Framework for Calculating Return on Security Investment (ROSI) for Security-Oriented Organizations

Highlights

• Justifying security investments always remained a challenge for managers.

• Research work focuses on identifying limitations present in traditional approaches.

• It proposes a framework for calculating ROSI based on the Bayesian theorem.

Abstract

Today’s business environment is extremely dynamic and reliant on innovative Information Technology (IT). Such dependence upon technology leads to an increased rate of successful cyber-attacks whose impact is greater than ever. Due to the exponential increase in security breaches, companies should secure their IT systems by adopting appropriate risk management framework. Organizations have to make justified investments in cyber security. However, it is quite challenging to convince higher management to invest in security measures, since such investments cannot be exactly translated into profits. The Return on Security Investment (ROSI) holds great importance to justify such security investments. A large number of ROSI solutions have already been proposed. However, these solutions do not provide any approach to analyze the impact of single security investment upon whole infrastructure. Furthermore, uncertainty of security incident emerges as another important challenge. The existing ROSI frameworks work on approximations, which can be influenced by employees’ exposure and experience, resulting in wrong estimation. The objective of this research is to propose a comprehensive framework to measure ROSI effectively by overcoming gaps in the traditional approaches. The framework has been validated with the help of Common Vulnerability Security System (CVSS) attack dataset. The results show that the annual loss in the absence of security mechanisms is very high i.e. 585,553. However, by following the proposed systematic approach to determine ROSI, it can be reduced to 146,388 which is comparatively low. As a result, organization can save its resources, time, money, trust, and reputation in the market.

Introduction

In today’s technology-driven world, companies are largely dependent on IT for the fundamental business procedures. IT forms the base of key business processes and is not only a rationalization tool any more [1]. Such technological dependence has increased the number of successful security breaches to a great extent [2]. British Insurance Company, Lloyd’s, in a report states that cyber security breaches result in 400 billion dollars loss per year [3]. Moreover, according to 2018 HISCOX Small Business Cyber Risk report [4], $47$% of the small organizations experienced at least one cyber-attack during last year whereas $44$% of them had two to four attacks. Gartner, a global research company, estimates that the business organizations around the globe are expected to invest almost 170 billion dollars on cyber-security in the coming five years [5], it also predicts that the total spending on information security will reach 93 billion dollars in 2018 [6]. According to 2017 Cost of Cyber-crime study [7], the average cost of cybercrimes has increased by $62$% during the last five years. At the moment, the business organizations need proactive security measures to prevent the business losses. Therefore, the significance of information security is immensely enhanced over the last couple of years.

Despite the increasing need of cyber security, convincing executive management to invest in security measures is the biggest challenge faced by the security managers today. Before spending money, decision-makers want to know whether that investment can be financially justified in terms of profits or not. The executive management really does not care that Intrusion Detection System (IDS) or firewall protect servers of the organization. Instead, they are more concerned about knowing the impact of such security measures upon the bottom line. It is important to consider that security investments cannot be directly translated into monetary profits, but they can prevent business losses considerably [8]. Therefore, to describe the significance of security investment, it is essential to demonstrate the impact of lack of security mechanism upon productivity. It is significant for the security managers to explain the severity of security breach with respect to a potential loss for the organization. ROSI is an effective approach to justify such investments as it helps in identifying

• Cost-effective solution

• The right amount of money to invest in security

• Impact of security investment on productivity [9]

Numerous methodologies of ROSI exist to help decision makers but they pose great challenges in the domain of cyber security [9]. These frameworks lack some important inputs especially required for cyber security investment. One of the limitations is that these frameworks do not calculate the likelihood of a particular threat mathematically rather the probability of attack occurrence is usually determined by experiences and exposure of employees. Therefore, reliable approximation of risk by using same approach is challenging and organizations usually end up getting different results even under the same conditions [8]. Another important limitation of existing frameworks is that they do not consider the impact of single security investment on the whole architecture of organization. In almost all the cases, a security investment prevents multiple cyber-threats. Traditional approaches allow security managers to observe the benefit of an investment against single problem domain. In contrast, investments in cyber security impact whole infrastructure. One security investment can protect multiple assets against different threats and vice versa. It is, therefore, essential to have a holistic picture of all security investments against multiple threats upon the whole architecture.

This paper proposes a framework for calculating ROSI by overcoming gaps in the existing literature. Our proposed methodology calculates the impact of an attack on the whole business by considering its effect upon all critical assets. For determining likelihood of cyber-attack, we have used the Bayesian theorem [10], [11] that will overcome uncertainty to a reasonable extent. This method is well established and tested. Its inclusion in estimation and uncertainty will be very useful and productive if applied properly [12]. The rest of this research is organized into five sections. Section 2 is literature review, which discusses existing ROSI mechanisms along with their strengths and weaknesses. Section 3 proposes a framework for calculating ROSI that can assist managers to invest in security. Section 4 is about the evaluation of the proposed framework by comparing it with existing ROSI frameworks. Section 5 concludes the research along with some future directions.