Measuring Security Value

With security spanning confidentiality, integrity and availability, it can become quite difficult to understand the value that security brings. It's not as simple as systems just being online, nor as simple as hosting data on a set of redundant disks.

In light of GDPR and the associated data breach fines, it has become somewhat easier to lobby for security spend. Taking a different approach: can having good security help the business release products to market faster?

There are several benefits to having security baked into the business's ways of working, which can result in increased customer confidence and a lower likelihood of a data breach.

  • Security brings in several stakeholders, as an end-to-end understanding of the system is needed (e.g. application, infrastructure, processes etc.). This can often make supporting it easier.
  • Good security architecture can help build better IT systems whilst implementing the security requirements (confidentiality, integrity and availability).
  • A risk assessment that has traceability to requirements can highlight business risks, allowing the business to make appropriate decisions.
  • Security assurance mechanisms can help maintain the security posture. This helps to ensure data is protected in the longer term, enabling the business to make safe use of it.
  • Information security accreditations (e.g. ISO 27001) can be used to give customers and suppliers confidence in the business.

As you can see from the above, there are several benefits of integrating security into the business, so there is some value; the key question is how to measure it. Whilst this can be difficult, as value is generally subjective, there are some ways in which it can be gauged.

  • Estimate the Asset Value (AV). This is how much the asset is worth to the business, e.g. £100,000.
  • Estimate the Exposure Factor (EF) (%). This is how much the business stands to lose as a result of the asset being compromised (the risk event), e.g. 30%.
  • From the above, we can calculate the Single Loss Expectancy (SLE): SLE = AV x EF = £100,000 x 30% = £30,000.
  • If the likelihood of a risk event occurring is once every two years (an annualised rate of occurrence, ARO, of 0.5), then the Annualised Loss Expectancy (ALE) = SLE x ARO = £30,000 x 0.5 = £15,000.
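The calculation above, carried through in code as an added example (not part of the original post). It uses the post's own figures (AV £100,000, EF 30%, one event every two years) and goes one step further than the text: it also works out the net annual value of a countermeasure as the ALE reduction minus the control's running cost, which is how the ALE figure is normally used to justify spend. The control's effect (halving the likelihood) and its £5,000 annual cost are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One risk event against one asset, in the AV / EF / ARO terms used above."""

    asset_value: float      # AV: what the asset is worth to the business, in pounds
    exposure_factor: float  # EF: fraction of AV lost per risk event (0.0 to 1.0)
    annual_rate: float      # ARO: expected risk events per year (0.5 = once every two years)

    def single_loss_expectancy(self) -> float:
        """SLE = AV x EF: the loss from a single occurrence of the risk event."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def annualised_loss_expectancy(self) -> float:
        """ALE = SLE x ARO: the expected loss per year from this scenario."""
        if self.annual_rate < 0:
            raise ValueError("annual rate of occurrence cannot be negative")
        return self.single_loss_expectancy() * self.annual_rate


def countermeasure_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual value of a countermeasure: the ALE it removes, minus what it costs to run.

    A positive result means the control pays for itself on expected-loss terms;
    a negative one means the business is spending more than the risk it is buying down.
    """
    if annual_cost < 0:
        raise ValueError("annual cost cannot be negative")
    return before.annualised_loss_expectancy() - after.annualised_loss_expectancy() - annual_cost


# The worked figures from the text: AV £100,000, EF 30%, one risk event every two years.
BASELINE = RiskScenario(asset_value=100_000, exposure_factor=0.30, annual_rate=0.5)

# Constructed assumption: a control that halves the likelihood (ARO 0.5 -> 0.25)
# and costs £5,000 a year to operate. Neither figure comes from the post.
WITH_CONTROL = RiskScenario(asset_value=100_000, exposure_factor=0.30, annual_rate=0.25)
CONTROL_ANNUAL_COST = 5_000


if __name__ == "__main__":
    print(f"SLE: £{BASELINE.single_loss_expectancy():,.0f}")         # £30,000
    print(f"ALE: £{BASELINE.annualised_loss_expectancy():,.0f}")     # £15,000
    net = countermeasure_value(BASELINE, WITH_CONTROL, CONTROL_ANNUAL_COST)
    print(f"Net annual value of control: £{net:,.0f}")               # £2,500
```

With the assumed control the ALE falls from £15,000 to £7,500; after its £5,000 running cost the control is worth a net £2,500 a year, which is the figure a business case would present. Running the same comparison for each candidate countermeasure gives a like-for-like way to rank spend against the value it protects.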

If the business assumes that a breach is more likely than not, getting a view on asset value can help plan the security spend, and help demonstrate how much value is being protected by the security countermeasures deployed.

Applying a good security architecture, deploying appropriate countermeasures and backing that up with scalable assurance processes can help maximise the value, given that much of this can be reused if deployed correctly.