Tag Archives: ROI IRR Lawrence Gordon Information Security risk management insurance diversity

Security ROI: Possible, but Not the Main Point

Many people have argued about whether information security can have a computed Return on Investment (ROI). The man who co-wrote the book on ROI, Managing Cybersecurity Resources: A Cost-Benefit Analysis, says yes, it’s possible, but in general, “maximizing the ROI (or IRR [real economic rate of return]) is, in general, not an appropriate economic objective.” What, then?
Rather than trying to derive the ROI of security investments, a much better strategy is to work on the related issues of deriving an optimal (or at least desirable) level of information security investments and the best way to allocate such investments. This strategy is the focus of the Gordon-Loeb Model (for a brief summary of the focus of this model, and a link to the actual paper, go to: http://www.rhsmith.umd.edu/faculty/lgordon/Gordon%20Loeb%20Model%20cybersecurity.htm).

Email from Dr. Lawrence Gordon: Security ROI possible but not optimal, use other metrics, Posted by Kenneth F. Belva, bloginfosec.com, 18 July 2007

Belva reads the recommended paper and finds it to say:
The Gordon-Loeb Model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set’s vulnerability. In other words, organizations may derive a higher return on their security activities by investing in cyber/information security activities that are directed at improving the security of information sets with a medium level of vulnerability.
From which Belva concludes that “we do understand Information Security to have a return.” Well, yes.
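The paper's claim that the optimal spend does not always rise with vulnerability is easy to see numerically. The following is an added example, not code from the post or from Gordon and Loeb; it uses the Class II breach-probability function S(z, v) = v^(αz+1) from the Gordon-Loeb paper (the post itself states no formula) and constructed parameter values (loss L = 100, α = 1). It grid-searches the spend z that maximizes expected net benefit (v − S(z, v))·L − z, compares with the closed-form optimum, and checks the paper's bound that the optimal spend never exceeds vL/e.

```python
import math


def breach_probability(z, v, alpha=1.0):
    """Gordon-Loeb Class II function: probability of breach after spending z
    on an information set whose unprotected vulnerability is v (0 < v < 1)."""
    return v ** (alpha * z + 1)


def net_benefit(z, v, loss, alpha=1.0):
    """Expected reduction in loss from spending z, minus the spend itself."""
    return (v - breach_probability(z, v, alpha)) * loss - z


def optimal_investment(v, loss, alpha=1.0, z_max=200.0, step=0.1):
    """Grid search for the spend that maximizes expected net benefit.
    Spending nothing yields a net benefit of 0, so that is the baseline."""
    best_z, best_net = 0.0, 0.0
    for i in range(1, int(z_max / step) + 1):
        z = i * step
        nb = net_benefit(z, v, loss, alpha)
        if nb > best_net:
            best_z, best_net = z, nb
    return round(best_z, 1)


def optimal_investment_closed_form(v, loss, alpha=1.0):
    """Analytic optimum from the first-order condition -L * dS/dz = 1.
    Returns 0 when the marginal benefit of the first unit spent is below 1."""
    marginal = -alpha * loss * math.log(v)  # marginal benefit at z = 0
    if marginal <= 1.0:
        return 0.0
    return (-math.log(marginal) / math.log(v) - 1.0) / alpha


def within_gordon_loeb_bound(v, loss, alpha=1.0):
    """The paper proves the optimal spend never exceeds vL/e (about 37%
    of the expected loss); this checks the grid-search result against it."""
    return optimal_investment(v, loss, alpha) <= v * loss / math.e


if __name__ == "__main__":
    # Constructed scenario: expected loss 100 if breached, alpha = 1.
    for v in (0.5, 0.95, 0.999):
        print(f"v={v:<6} optimal spend = {optimal_investment(v, 100.0):5.1f} "
              f"(closed form {optimal_investment_closed_form(v, 100.0):5.1f})")
```

Running it shows the non-monotone shape the paper describes: the medium-vulnerability set (v = 0.5) warrants a modest spend, the high-vulnerability set (v = 0.95) a larger one, and the nearly certain-to-be-breached set (v = 0.999) none at all, because with this loss function even a large spend barely moves the breach probability and costs more than it saves.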