Perspectives on evaluating IT Security Investments
Irvan Smit
University of Amsterdam
Abstract. Hackers, computer viruses and cyber-crime have a big impact on
today's society and businesses. Therefore, businesses invest in their IT security in
order to prevent, or at least minimize, the impact of information security breaches.
Often the budget for IT security investments is limited, while a large amount of
data needs to be protected. An important question that arises is how businesses
should evaluate their return on security investments. In this essay, three well-known
return on investment models based on financial measures are presented. It is
concluded that none of the models presented can be used on its own to determine
the time and costs that should be spent, because they are limited and controversial.
However, the models provide a good foundation for further research on evaluating
IT security investments.
Keywords. Security, Investments, IT, ROSI, BITA
1. Introduction
Nowadays, we hear daily about security breaches that are more omnipresent, bigger and
costlier than ever before (Böhme & Moore, 2016). In the business world, it is hard for
the professionals who are responsible for security budgets to justify their investments
(Davis, 2005). This raises an essential question: how much time and money should be
invested in IT security? The evaluation of IT security investments has been very
controversial for the last 20 years, in both the scientific and the practitioners' literature
(Royer & Meints, 2009).
In this essay, three well-known models on return on security investment (ROSI)
that focus on financial measures are discussed. The structure is as follows. In section
two, the strategies on IT security are described; in section three, models for
evaluating IT security investments are described; in section four, the topics are discussed and
conclusions drawn. Lastly, in section five, a reflection on this research is made.
2. Strategies concerning IT security investments
There are several aspects to take into consideration regarding security investments.
The first is to determine the IT security infrastructure, which is the base for a safe
environment. Furthermore, it is an extensive plan to shield the information
resources and their confidentiality, trustworthiness and accessibility. Cavusoglu et al.
(2004) describe that a plan regarding IT security is composed of policies, processes, a
risk inventory and a system architecture. Unfortunately, there is no single way or
technique that can guarantee full security (Cavusoglu, Mishra & Raghunathan, 2004).
From the security perspective, one of the main components of the operational
environment is the behavior of attackers (Cremonini & Nizovtsev, 2006). To minimize
the impact of cyber attacks, businesses invest in techniques that can counter attacks,
or at least mitigate their impact and damage (Demetz & Bachlechner, 2013).
Before spending money on certain resources, strong relationships between the
business and IT domains are required, not only at the strategic level but also at the
tactical and operational levels (El Mekawy, Al Sabbagh & Kowalski, 2014). There are
many examples of businesses that fail to obtain value and advantages from immense IT
investments. This is particularly attributable to an absence of business-IT alignment (BITA)
(Leonard & Seddon, 2012).
3. Models on evaluating IT security investments
Assessing the value of information technology and the investment in related technologies
is becoming crucial for decision making within organizations (Hitt & Brynjolfsson,
1996). However, it is controversial to take the integrity of the statistics for granted. For
example, the Computer Security Institute (CSI) states that its data on security
breaches is not always derived from scientific research, but rather gives an
indication of possible practices for countering security attacks (Magnusson, Molvidsson &
Zetterqvist, 2007). Fortunately, the literature provides plenty of approaches and
perspectives regarding ROSI.
3.1. Approach by Gordon and Loeb
The most cited model regarding IT security investments is presented by Gordon and
Loeb. Its main characteristic is that it suggests that, if the threat and
expectations are uncertain, it is better to let a breach occur before investing a certain
amount in IT security (Sommestad, Ekstedt, & Johnson, 2009). The Gordon-Loeb
model (GL Model) consists of many mathematical equations. As a result of these
equations, they conclude that the ideal investment is 37% of the worth of the complete
information set (Gordon, Loeb & Zhou, 2016). This cost-benefit relation can be seen in figure
1.
Figure 1. The GL cost-benefit model.
Furthermore, an empirical study found that the ideal amount to invest in IT
security does not always match the level of threat. A business could invest less in
defending information that faces a higher level of threat than in information that faces a lower
level of threat, and there are examples where this leads to better results (Tanaka,
Matsuura & Sudoh, 2005).
Additionally, a study showed that the optimal investment of 37% of the
total cost of the protected information set, as suggested by the GL Model, can be
disproved. There are examples where the required investment should be at least 50%,
and, by slightly reconfiguring the original requirements, levels close to 100% can be
reached. Yet this does not mean that the GL Model is unusable. It is very general and
simple and deserves more extensive research (Willemson, 2006).
3.2. Approach by Sonnenreich et al.
Another frequently cited approach is from Sonnenreich et al. They propose a calculation
that is derived from the traditional accounting figure return on investment (ROI):
ROI = (Expected Returns - Cost of Investment) / Cost of Investment. The equation of
Sonnenreich et al. can be seen in figure 2 (Sonnenreich, Albanese & Stout, 2006).
Figure 2. ROSI equation by Sonnenreich et al.
Sonnenreich et al. explain that identifying the correct inputs for ROSI is
challenging, since there are no standardized techniques to determine the
financial risk of security incidents. Furthermore, there are no standard models to
determine the risk-mitigating effectiveness of solutions, and even the cost of solutions differs.
However, they argue that using inaccurate ROI metrics can still be useful, since businesses
have been using them for decades. Their key claim is that it can be very beneficial to use
consistent and repeatable data, despite its inaccuracy.
Even though there is agreement that such metrics can be used in ROI calculations, it
is questionable whether, for example, the probability of a hack through the firewall can be calculated.
Moreover, even if accurate statistics are recorded, this does not mean that they can
be generalized to all systems and organizations (De Bruijn, Spruit & Van Den Heuvel,
2010).
3.3. Approach of Al-Humaigani and Dunn
The approach by Al-Humaigani and Dunn can be seen as simple. They claim that the
ideal result of an investment is achieved when the total amount of IT security costs,
breach costs and the costs of defending techniques is minimal. The determination of ROSI by Al-Humaigani
& Dunn can be seen in figure 3 (Al-Humaigani & Dunn, 2003).
Figure 3. ROSI equation by Al-Humaigani and Dunn
This model is mainly based on financial measures: it is a summation of costs,
such as recovery costs from a security attack, data loss and loss of reputation.
From this summation, costs such as investments in training, hardware and
defending techniques are subtracted. KT is the probability of the risk occurring
when no investment has been made. However, despite its clarity and
simplicity, Sommestad et al. claim that this model has its limitations. The
aspects within the model are predetermined, so it is questionable whether this
model can be applied in a dynamic environment. Thereby, the running costs
and Nevertheless, the model could be applied to some extent (Sommestad,
Ekstedt, & Johnson, 2009).
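As an added worked example that is not part of the original essay or of the cited papers, the following Python code computes the ROI figure stated in section 3.2 and applies it to a security investment using the cost categories named in section 3.3: recovery, data loss and reputation on the breach side; training, hardware and defending techniques on the investment side; and KT as the probability of the risk occurring without investment. The way these pieces are combined (expected avoided loss = KT x fraction of the risk mitigated x breach costs) is an assumption for illustration, not the published equation of either paper, and all figures are constructed. The sweep over KT makes the caveat from section 3.2 concrete: the probability estimate, which is the least measurable input, decides the sign of the result.

```python
from dataclasses import dataclass


def roi(expected_returns: float, cost_of_investment: float) -> float:
    """Traditional accounting ROI as stated in section 3.2:
    (Expected Returns - Cost of Investment) / Cost of Investment."""
    if cost_of_investment <= 0:
        raise ValueError("cost of investment must be positive")
    return (expected_returns - cost_of_investment) / cost_of_investment


@dataclass(frozen=True)
class BreachCosts:
    """Breach cost categories named in section 3.3 (values are constructed)."""
    recovery: float
    data_loss: float
    reputation: float

    def total(self) -> float:
        return self.recovery + self.data_loss + self.reputation


@dataclass(frozen=True)
class InvestmentCosts:
    """Investment categories named in section 3.3 (values are constructed)."""
    training: float
    hardware: float
    defending_techniques: float

    def total(self) -> float:
        return self.training + self.hardware + self.defending_techniques


def expected_avoided_loss(kt: float, mitigated_fraction: float, breach: BreachCosts) -> float:
    """Assumption (not a published formula): expected loss avoided equals
    KT (probability of the risk occurring without investment) times the
    fraction of that risk the investment mitigates times the breach cost."""
    if not 0.0 <= kt <= 1.0 or not 0.0 <= mitigated_fraction <= 1.0:
        raise ValueError("kt and mitigated_fraction must lie in [0, 1]")
    return kt * mitigated_fraction * breach.total()


def net_benefit(kt: float, mitigated_fraction: float,
                breach: BreachCosts, invest: InvestmentCosts) -> float:
    """Avoided loss minus investment; positive means the investment pays off."""
    return expected_avoided_loss(kt, mitigated_fraction, breach) - invest.total()


def rosi(kt: float, mitigated_fraction: float,
         breach: BreachCosts, invest: InvestmentCosts) -> float:
    """ROI applied to security: the expected returns are the avoided losses."""
    return roi(expected_avoided_loss(kt, mitigated_fraction, breach), invest.total())


def breakeven_probability(mitigated_fraction: float,
                          breach: BreachCosts, invest: InvestmentCosts) -> float:
    """Smallest KT at which ROSI reaches zero; above it the investment is justified."""
    return invest.total() / (mitigated_fraction * breach.total())


def rosi_sensitivity(mitigated_fraction: float, breach: BreachCosts,
                     invest: InvestmentCosts, kts: list[float]) -> dict[float, float]:
    """ROSI for each candidate KT, showing how much the probability estimate drives the result."""
    return {kt: rosi(kt, mitigated_fraction, breach, invest) for kt in kts}


# Constructed sample figures (not taken from the essay or the cited papers).
SAMPLE_BREACH = BreachCosts(recovery=200_000, data_loss=150_000, reputation=50_000)
SAMPLE_INVESTMENT = InvestmentCosts(training=40_000, hardware=30_000, defending_techniques=10_000)
SAMPLE_MITIGATED = 0.8  # assumed share of the risk the investment removes

if __name__ == "__main__":
    be = breakeven_probability(SAMPLE_MITIGATED, SAMPLE_BREACH, SAMPLE_INVESTMENT)
    print(f"Break-even KT: {be:.2f}")
    sweep = rosi_sensitivity(SAMPLE_MITIGATED, SAMPLE_BREACH, SAMPLE_INVESTMENT, [0.05, 0.1, 0.25, 0.5])
    for kt, value in sweep.items():
        nb = net_benefit(kt, SAMPLE_MITIGATED, SAMPLE_BREACH, SAMPLE_INVESTMENT)
        print(f"KT={kt:.2f}: ROSI={value:+.2f}, net benefit={nb:+,.0f}")
```

With the constructed figures, the investment breaks even at KT = 0.25: a practitioner who estimates the breach probability at 10% sees a ROSI of -0.6, while one who estimates 50% sees +1.0, from identical cost inputs. Running the same sweep on real estimates is a cheap way to see whether a proposed investment case is actually driven by the probability guess rather than by the measured costs.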
4. Conclusion
The increasing number of cyber attacks and data breaches has a big impact on society
and business. The ability of businesses to take countermeasures and invest in their
IT security remains complicated. The literature describes many models for IT
security investments; however, none of them claims to meet all criteria for a complete
evaluation.
Thereby, because of the lack of scientifically collected data regarding cyber-crime,
many assumptions have been made. Therefore, it is difficult to give clear answers on
budget allocation, damage from cybercrime, and time and resource expenses. The models
presented should not be applied on their own, since there are many controversies
regarding the evaluation of IT security investments. However, there is a consensus that the
approaches warrant further research in the upcoming years to provide more
insight into evaluating the return on security investments.
5. Reflection
The aim of this research was to describe the perspectives on evaluating IT security
investments. As the literature describes a myriad of models regarding ROSI,
Sommestad et al. (2009) made a shortlist of ROSI models. Since the focus was on
describing IT security investments from a financial perspective, three perspectives
from that shortlist with mainly financial measures, frequently cited in the literature,
were selected for a detailed analysis.
Furthermore, the issues described here occur in a dynamic environment.
As mentioned in this essay, more research is required on evaluating IT security
investments. This affects the results of this research in terms of their time validity.
References
Al-Humaigani, M., & Dunn, D. (2003, December). A model of return on investment for information systems security. In Circuits and Systems, 2003 IEEE 46th Midwest Symposium on (Vol. 1, pp. 483-485).
Böhme, R., & Moore, T. (2016). The “iterated weakest link” model of adaptive security investment. Journal of Information Security, 7(02), 81.
Cremonini, M., & Nizovtsev, D. (2006). Understanding and influencing attackers’ decisions: Implications for security investment strategies. School of Business: working paper, 68.
Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). A model for evaluating IT security investments. Communications of the ACM, 47(7), 87-92.
Davis, A. (2005). Return on security investment – proving it's worth it. Network Security, 2005(11), 8-10.
De Bruijn, W., Spruit, M. R., & Van Den Heuvel, M. (2010). Identifying the cost of security. Journal of Information Assurance and Security, 5(2010), 74-83.
Demetz, L., & Bachlechner, D. (2013). To invest or not to invest? Assessing the economic viability of a policy and security configuration management tool. In The Economics of Information Security and Privacy, pp. 25-47. Springer Berlin Heidelberg.
El Mekawy, M., Al Sabbagh, B., & Kowalski, S. (2014, June). The Impact of Business-IT Alignment on Information Security Process. In International Conference on HCI in Business, 25-36. Springer, Cham.
Gordon, L. A., Loeb, M. P., & Zhou, L. (2016). Investing in Cybersecurity: Insights from the Gordon-Loeb Model. Journal of Information Security, 7(02), 49.
Hitt, L. M., & Brynjolfsson, E. (1996). Productivity, business profitability, and consumer surplus: three different measures of information technology value. MIS Quarterly, 121-142.
Magnusson, C., Molvidsson, J., & Zetterqvist, S. (2007). Value creation and return on security investments (ROSI). New Approaches for Security, Privacy and Trust in Complex Environments, 25-35.
Leonard, J., & Seddon, P. B. (2012). A Meta-model of Alignment. CAIS, 31, 11.
Royer, D., & Meints, M. (2009). Enterprise identity management – towards a decision support framework based on the balanced scorecard approach. Business & Information Systems Engineering, 1(3), 245-253.
Sommestad, T., Ekstedt, M., & Johnson, P. (2009, January). Cyber security risks assessment with bayesian defense graphs and architectural models. In System Sciences, 2009. HICSS'09. 42nd Hawaii International Conference on, 1-10.
Sonnenreich, W., Albanese, J., & Stout, B. (2006). Return on security investment (ROSI) - a practical quantitative model. Journal of Research and Practice in Information Technology, 38(1), 45-56.
Tanaka, H., Matsuura, K., & Sudoh, O. (2005). Vulnerability and information security investment: An empirical analysis of e-local government in Japan. Journal of Accounting and Public Policy, 24(1), 37-59.
Willemson, J. (2006, June). On the Gordon & Loeb Model for Information Security Investment. In WEIS, 1-9.