ROI of IT Security

New Qualitative Model Helps Measure Security Risk Reduction

23. Oktober 2003
Von Phebe Waterfield
Securing the infrastructure pays off. What proves difficult, however, is putting a concrete figure on the ROI of IT security. Phebe Waterfield, analyst at the Yankee Group, presents a qualitative model with which the reduction in security risk can be calculated.

60-minute exercise for key vendor and provider stakeholders helps reveal ROI

We receive many questions about risk analysis: how to demonstrate ROI for security solutions, and how to show that a solution is effective at reducing risk (the chance of an event that could result in financial loss or adverse business impact). This new Yankee Group model debunks the myth that risk analysis is a long process that requires an asset inventory, asset valuation and detailed vulnerability assessments. Qualitative risk analysis is the simplest method available for demonstrating ROI or reduction of risk (ROR).

The model, an exercise for key stakeholders, takes about an hour to complete. It is useful to vendors and providers looking to show product or service ROI, and is valuable to executives seeking a better understanding of their security risks and controls.

The Five-Step Qualitative Risk Analysis Model

Step 1: Define the scope and identify risks

Define the asset(s) you are protecting (such as your computer, application or network). Identify the risks to that asset in the areas of confidentiality, integrity, availability and accountability (these terms are defined below in bold). Prioritize each risk using a scale that makes sense to you, such as high, medium and low. If you know the potential financial loss associated with a risk, you can assign it a dollar amount.

Answer the question "How critical is this risk?" rather than "Given the controls in place, how critical is this risk?" In other words, rate each risk as it stands before existing controls are taken into account, not the residual risk that remains after them.

Example 1: A small consulting company assesses the risk to its network: