Security Is Still Loss Avoidance

One of you (who wishes to remain anonymous) sent me a link to the story Value Made Visible in response to my Real Technology ROI post. Here is the CSO magazine core argument.

[The] Value Protection [Metric] is [Bruce] Larson's attempt to overcome security's classic problem of seeming like nothing but a drain on the business...

The basic Value Protection metric is a ratio that looks like this: Value Protection = Normal Operations Cost ($) – Event Impact ($) / Normal Operations Cost ($)...

Larson's metric just subtracts the cost of security events from the normal cost of doing business, then divides by that same operations cost to get a ratio.

I'm sure that's been published somewhere before, or at least something very similar. I'm too lazy to check those CISSP books I never open.

Here are some examples from the same article:

Whether it's based on actual events or potential futures, the Value Protection ratio gives security officers a real metric to present and it gives executives a simple, clean picture of security investments' relative value. Here are three examples of how it could be used by an organization with a normal operations cost (N) of $1 million:

Example 1. A medium-level virus outbreak costs $70,000 across all operations.

VP = (1,000,000 – 70,000) / 1,000,000 = 0.93

Larson calls a 0.9 ratio "exceptional." A Value Protection ratio of 0.93 probably doesn't require more investment or lowering of event impact, especially if trying to increase the ratio would take away from investment in other areas where Value Protection isn't as strong.

Example 2. An insider fraud attack causes $500,000 in response and recovery costs, lawyers' fees, insurance costs and unrecouped stolen goods.

VP = (1,000,000 – 500,000) / 1,000,000 = 0.5

In rare instances where high risk is tolerable, such as a high-level R&D project, protecting half the value of an investment might be acceptable. But in most cases, value protection of 0.5 is "usually pretty bad," Larson says. And that makes sense: It means your security is a 50/50 proposition.

Example 3. A network vulnerability leads to customers' personal data being stolen, resulting in $1.2 million in damages from response and recovery, lawyers' fees, government fines and other ancillary costs, as well as a significant drop in stock value after negative publicity.

VP = (1,000,000 – 1,200,000) / 1,000,000 = -0.2

Negative ratios are a clear sign that an organization doesn't have the proper information security defenses in place, as it means that security events have or potentially will cost more than operations is spending to stop them. Immediate steps should be taken to fortify the information security controls.

Ok, this is all very interesting. However, it doesn't change the fact that security is still loss avoidance. Mr. Larson is not calculating any return on security investment. His American Water company is not any more productive, in the absence of threats, when he spends money on security.

When threats are present, security helps American Water serve its customers. American Water can't serve any more customers because of security.

One last excerpt: This "VP" is either being nice or he doesn't understand business very well:

"It adds value; we're very supportive of it," says Steve Schmitt, American Water's vice president of operations, of Larson's Value Protection metric.

Sorry Mr Schmitt, but your American Water operations create value. Security spending helps avoid loss of that value.

This is not to say that I oppose security spending. How could I -- I am a security professional! However, I also recognize that security is like insurance. You cannot buy insurance and as a result have your business be more productive or profitable.