Finally, a Real Return on Security Spending

The data itself was also a concern. The CERT data used in CMU's modelsonly went to 1995, for example. The model for types and frequency ofattacks has changed since then. And while Hoover, @Stake's database,provides gritty details about security holes in software, they aregritty details only from companies willing to participate. Is thatrepresentative?

In risk management parlance, the actuarial data is quite green, andCIOs bemoan that fact. The rub is, you can't just collect data aboutsecurity the way you can about auto accidents. More CIOs must agree todisclose detailed data about the state of their own security in orderto build a portfolio of numbers that will test the earlytheories.

CIOs want proof, yet they don't want to be the ones providing the datathat will improve the science. Those collecting data have promisedprivacy in exchange for the knowledge of what the enterprise isspending on security, but it's slow going getting recruits. "At CERTwe've protected confidentiality for 12 years. But it's so hard becausethey keep [data] to themselves," says Jim McCurley, technical staff atSoftware Engineering Institute. Despite all this, security expertssuch as Georgetown's Denning believe that those studies are thebeginning of a golden age in information security, with the potentialto change every aspect of securityfrom how it's built, to how it'sperceived in the enterprise, to how it's paid for.

Such research could set off a chain reaction. First, ROSI numberscould be used to convince executives to invest in security, therebyspurring the development of new technologies and the hiring of moreknowledgeable security workers.

Then, as the studies are repeated and improved, insurance companiescould use the ROSI numbers to create "hacking insurance," withadjustable rates based on what security you employ. Dave O'Neill willbe one of the people writing those insurance plans over the next year.Currently, as vice president of e-commerce solutions, he writes plansfor general e-commerce insurance for Schaumburg, Ill.-based ZurichNorth America. Today, he confesses, the rates for such plans aremostly set by guesswork. Zurich bases its premiums largely on a58-question yes-or-no survey, with questions such as "Are securitylogs reviewed at least daily for suspicious activities?"