T is the cost of the intrusion detection tool.
To determine our return on security investment (ROSI) we simply subtract what we expect to lose in a year (ALE) from the annual cost of intrusion.
Doing this equation yields the Annual Loss Expectancy.
E is the dollar savings gained by stopping any number of intrusions through the introduction of an intrusion detection tool.
R is the cost per year to recover from any number of intrusions.
(R-E) + T = ALE
R – (ALE) = ROSI
The Earlier You Invest in Security, the Greater the Return
Researchers found that you get a 21% return on your security investment at the software design phase, a 15% return at the implementation stage and a 12% return at the testing stage.
RETURN on security investment
SOFTWARE ENGINEERING PROCESS
For More Information on the Economics Behind Security
A good primer on economic terms and techniques, including concepts such asindifference curves.
Stanford economist Kevin Soo Hoo’s thesis on quantifying infosecurity. It’s a little math-heavy, but it contains excellent data on the history of the problem and a proposed model for fixing it.
The CERT website has an entire page devoted to emerging research on survivability and the quantification of it. It includes the research highlighted here.