Return on Security Investments: Towards a Methodological Foundation of Measurement Systems

vom Brocke J; Buddendick C; Strauch G


Abstract

IT-security has become a key topic for nearly every company nowadays. To safeguard security, investments in technical and organizational infrastructures have to be made. The efficiency and effectiveness of these investments can often hardly be determined because their benefits are invisible. When implementing IT-security measures, the predicted outcome, e.g. prevented losses, is uncertain in two ways. First, it is not certain that a given measure and the corresponding investment will prevent a certain risk from occurring in the future, and second, the seriousness of the prevented incident is hard to calculate. In research and practice the calculation of ROSI (Return on Security Investments) is recommended, and a lively discussion about different approaches to calculating this ratio can be observed. Within this article we argue that existing approaches lack a sound theoretical base for calculating this ratio. We therefore apply principles of capital budgeting to present a framework that enables decision support when investing in IT-security measures. This framework comprises means of simulation in order to take the uncertainty of the investment situation into account. By sensitivity analysis and Risk-Chance profiles, decision makers can incorporate their individual risk preference in a specific situation.

Keywords
IT-security
Publication type
Research article in proceedings (conference)

Peer reviewed
Yes

Publication status
Published

Year
2007

Conference
13th Americas Conference on Information Systems

Venue
Keystone

Volume
94

Book title
Proceedings of the 13th Americas Conference on Information Systems (AMCIS 2007)

Editor
Hoxmeier JA; Hayne SC

Start page
1

End page
1

Publisher
Association for Information Systems

Place
United States
