Question 1. Information systems have become essential components in most organizations since they enhance efficiency in completing business and organizational operations. The security of this information systems is equally important to ensure their optimum functionality. Most organizations have heavily invested in information systems ranging from enterprise resource planning systems (ERP) to customer relationship management systems among others. These investments will be futile if their security is not guaranteed. Consequently, it is the role of the Computer Emergency Response Teams (CERT) together with the CISO to identify the security measures to be implemented in the organization. Information security efforts and implementation must be factored in the budget to meet various activities and procedures that go into the implementation. It is therefore important to consider the returns on investment that will be realized from information security.
CERTs need to determine their cost-effectiveness in order to justify their budget usage as well as provide supportive claims for the next budgetary allocations. According to ENISA (2012), organizations mainly face challenges while accurately determining the cost and effectiveness of the respective information security activities. This is attributed to the fact that information security investment does not yield profits but it is a loss prevention investment. Despite this challenge, it is important that the organizations have a clear understanding of the benefits and the importance of investing in the security of information systems. Hence the need for Returns on security on investment calculation (Cavusoglu, Mishra & Raghunathan, 2004).
Return on Investment (ROI) calculation is essential for justification of every budgetary allocation in any organization (Cavusoglu, Mishra & Raghunathan, 2004). Security is an investment in both public and private entities. Thus, the return on security investment (ROSI) must be done to determine and justify budgetary allocation for information system security. The ENISA work program states that the executive decision makers should know the impact of security. This will assist them to understand how much they should spend on security and how much the lack of security is going to cost. Additionally, they should identify the most cost-effective solutions that can be adopted (ENISA, 2012). This is only possible with a ROSI calculation.
According to Sonnenreich, Albanese & Stout (2006), ROSI calculation will provide substantial quantitative answers to fundamental questions such as the amount an organization is paying for cyber security, the impact of the lack of cyber security in the organization and whether the security investment is enough. The method uses estimated potential loss (ALE), estimated risk mitigation and cost of the solution variables. This metric can also be applied to the Big Data Analytic (BDA) technology to determine its cost and the potential returns on investment (ENISA, 2012). ROSI calculations can be used to determine whether and organization particularly security companies can implement the technology and be able to realize returns on investment. Most notably, it enables decision makers in this respect to identifying the improvements to be gained from the technology and the losses from lack of implementation.
ROSI calculation has some limitations that are mainly centered on the drawbacks of estimation and the Gordon and Loeb model of calculation. ROSI calculation is based on estimations which make it difficult to estimate the cost of cyber security incidents which vary depending on the environment. Additionally, the ROSI calculation can be manipulated very easily to serve the interest of the user. Secondly, the Gordon and Loeb model popularly used in the metric is an approximate model hence the resulting numbers must be treated with caution (ENISA, 2012).
Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). A model for evaluating IT security investments.Communications of the ACM,47(7), 87-92.
European Network and Information Security Agency. (2012). Introduction to Return on Security Investment: Helping CERTs assessing the cost of (lack of) security. Heraklion, Crete, Greece: Author. Retrieved from https://www.enisa.europa.eu/activities/cert/other-work/introduction-to-return-on-security-investment/at_download/fullReport
Question 2. Return on security investment (ROSI)-a practical quantitative model.Journal of Research and Practice in Information Technology,38(1), 45-56.Since network security products do not generate revenue, it is necessary to evaluate their worth by considering money saved from potential loss.The concept of Return on Security Investment (ROSI) provides a quantitative value in reference to the benefits attained through an investment in network security technology.“ROSI is calculated by the amount of risk reduced, less the amount spent, divided by the amount spent on controls, resulting in the net amount of risk per amount of control,” (Lindstrom, 2017).This value provides an indicator if the cost for security controls will outweigh the potential liability for penalties incurred due to network security breaches throughout the year.
Cybersecurity technologies are the primary line of defense for network intrusions.It is essential that an organization remain abreast with the latest security software and strategies to defend against emerging security threats.Acquiring the most effective technology requires a cost benefit analysis to ensure a reasonable correlation of mitigated risk is met.ROSI is used to evaluate whether the amount of potential money saved is higher or lower than the recommended security control investment, (Schneier, 2008).This resulting loss or gain will provide guidance as to whether it is cost effective to purchase the recommended security measure or not.
Network security threats are imminent to organizations and network resources everywhere.Increased accessibility of a network resource is generally parallel to an increase in security vulnerabilities.It is essential that all input values be as accurate as possible to assume an effective value of investment.“Unfortunately, the cost of cyber security incidents and annual rate of occurrence are hard to estimate and the resulting numbers can vary highly from one environment to another.These approximations are often biased by our perception of the risk and the ROSI calculation can be easily manipulated,” (ENISA, 2012).The routine probability for error limits the potential effectiveness of the ROSI metric and should be analyzed on a case by case bases.
The ROSI calculation may even be utilized to evaluate the benefits of acquiring appropriate security measures for wearable technology.Take the smartwatch for example, as this product endures similar security vulnerabilities to a standard wireless network resource. There are third party antimalware security applications that may be purchased in addition to the use of advanced security and password features on the device, (Thomas, 2015).It is still necessary to confirm whether this investment in security control technology will yield savings or excess expenditures compared to the predicted losses without it.In this case, the resulting ROSI value may indicate that these low costing security applications may prove to be very cost effective, providing substantial savings against any potential futures losses incurred by a device security breach.
ENISA. (2012). Introduction to return on security investment. Retrieved from
Lindstrom, P. (2017). Return on security investment: the risky business of probability. Retrieved
Schneier, B. (2008, September 2). Schneier on security: security ROI. Retrieved from
Thomas, K. (2015, April 15). How secure is your smartwatch? Retrieved from