Return On Security Investment (ROSI) A Practical Quantitative Model

Wes Sonnenreich, Jason Albanese, Bruce Stout

Abstract

Organizations need practical security benchmarking tools in order to plan effective security strategies. This paper explores a number of techniques that can be used to measure security within an organization. It proposes a new benchmarking methodology that produces results that are of strategic importance to both decision makers and technology implementers. The approach taken reflects a work-in-progress that is a combination of practical experience and direct research.


Paper Citation


in Harvard Style

Sonnenreich W., Albanese J. and Stout B. (2005). Return On Security Investment (ROSI) A Practical Quantitative Model. In Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005) ISBN 972-8865-25-2, pages 239-252. DOI: 10.5220/0002580202390252


in Bibtex Style

@conference{wosis05,
author={Wes Sonnenreich and Jason Albanese and Bruce Stout},
title={Return On Security Investment (ROSI) A Practical Quantitative Model},
booktitle={Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)},
year={2005},
pages={239-252},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002580202390252},
isbn={972-8865-25-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)
TI - Return On Security Investment (ROSI) A Practical Quantitative Model
SN - 972-8865-25-2
AU - Sonnenreich W.
AU - Albanese J.
AU - Stout B.
PY - 2005
SP - 239
EP - 252
DO - 10.5220/0002580202390252