ROI WITH SECURITY

Finally, a Real Return on Security Spending

18.02.2002
By Scott Berinato

With the research in hand, Soo Hoo, MIT Sloan School of Management student Andrew Sudbury and @Stake Director Andrew Jaquith tweaked the general quality assurance models to reflect the security world, as based on the Hoover data.

Overall, the average company catches only a quarter of software security holes. On average, enterprise software has seven significant bugs, four of which the software designer might choose to fix. Armed with such data, the researchers concluded that fixing those four defects during the testing phase cost $24,000. Fixing the same defects after deployment cost $160,000, nearly seven times as much.

The ROSI breakdown: Building security into software engineering at the design stage nets a 21 percent ROSI. Waiting until the implementation stage reduces that to 15 percent. At the testing stage, the ROSI falls to 12 percent.

"Our developers have said they believe they save 30 percent by putting security in earlier, and it's encouraging to see proof," says Mike Hager, vice president of network security and disaster recovery at Oppenheimer Funds in Englewood, Colo. "Executives need answers to questions like, 'What risk am I mitigating?' We haven't had the means to educate them without FUD." From numbers like those, he adds, "We'll be able to sell security from a business perspective."

Hoover keeps growing. The group plans to publish other ROSI numbers. Next up: assigning a statistically valid ROSI to incident readiness. It will (they hope) show how ROSI increases as the effective response time to a security incident decreases.