Calculating Return on Security Investment
To determine our return on security investment (ROSI) we simply subtract what we expect to lose in a year, the annual loss expectancy (ALE), from the annual cost of intrusion.
R is the cost per year to recover from any number of intrusions.
E is the dollar savings gained by stopping any number of intrusions through the introduction of an intrusion detection tool.
The first equation yields the annual loss expectancy; the second yields the return on security investment.
(R - E) + T = ALE
R - ALE = ROSI
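The two formulas above carried through on constructed figures, as an added example that is not part of the original article. The page leaves T undefined; it is assumed here to be the annual cost of the detection tool, and the intrusion counts and per-intrusion recovery cost are constructed sample values.

```python
"""Return on security investment (ROSI) using the page's formulas:

    ALE  = (R - E) + T
    ROSI = R - ALE

R: annual cost of recovering from intrusions
E: dollar savings from the intrusions the detection tool stops
T: assumed here to be the tool's annual cost (not defined on the page)
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class RosiResult:
    R: float
    E: float
    T: float
    ALE: float
    ROSI: float


def annual_recovery_cost(intrusions_per_year: int, recovery_cost_per_intrusion: float) -> float:
    """R: recovery cost summed over every intrusion expected in a year."""
    return intrusions_per_year * recovery_cost_per_intrusion


def savings_from_tool(intrusions_stopped: int, recovery_cost_per_intrusion: float) -> float:
    """E: recovery cost avoided for the intrusions the tool stops."""
    return intrusions_stopped * recovery_cost_per_intrusion


def rosi(R: float, E: float, T: float) -> RosiResult:
    """Apply (R - E) + T = ALE and R - ALE = ROSI; a negative ROSI means the tool costs more than it saves."""
    if min(R, E, T) < 0:
        raise ValueError("costs and savings must be non-negative")
    if E > R:
        raise ValueError("a tool cannot save more than the total recovery cost R")
    ALE = (R - E) + T
    return RosiResult(R, E, T, ALE, R - ALE)


def breakeven_intrusions(tool_cost: float, recovery_cost_per_intrusion: float) -> int:
    """Smallest number of stopped intrusions for which ROSI is at least zero."""
    return math.ceil(tool_cost / recovery_cost_per_intrusion)


if __name__ == "__main__":
    # Constructed sample: 12 intrusions a year at $25,000 each, tool stops 8, tool costs $60,000.
    R = annual_recovery_cost(12, 25_000.0)   # 300,000
    E = savings_from_tool(8, 25_000.0)       # 200,000
    print(rosi(R, E, 60_000.0))              # ALE 160,000, ROSI 140,000
    print(breakeven_intrusions(60_000.0, 25_000.0))  # 3
```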
The Earlier You Invest in Security, the Greater the Return
Researchers found that you get a 21% return on your security investment at the software design phase, a 15% return at the implementation stage and a 12% return at the testing stage.
[Figure: return on security investment plotted against the software engineering process. Source: MIT/Stanford/@stake]
For More Information on the Economics Behind Security
www.digitaleconomist.com
A good primer on economic terms and techniques, including concepts such as indifference curves.
cisac.stanford.edu/docs/soohoo.pdf
Stanford economist Kevin Soo Hoo’s thesis on quantifying infosecurity. It’s a little math-heavy, but it contains excellent data on the history of the problem and a proposed model for fixing it.
www.cert.org
The CERT website has an entire page devoted to emerging research on survivability and the quantification of it. It includes the research highlighted here.