Finally, a Real Return on Security Spending

In 2000 and 2001, a team at the University of Idaho followed GeorgeParmalee's example. The team built an intrusion detection box, asecurity device that sits at the edge of a network and watches forsuspicious activity among users who get past the firewall. Incomingtraffic that follows a certain pattern is flagged, and someone isalerted to look into it.

The researchers then hacked the box, code-named Hummer. Their goal wasto prove that it's more cost-effective to detect and then deal withattacks using intrusion detection than it is to try to prevent themusing other means. The problem was assigning valid costs for thiscost-benefit analysis. For instance, what does it cost to detect anincident? What are day-to-day operational costs of security? What arethe cost consequences if you miss an attack?

The Idaho team, led by University of Idaho researcher HuaQiang Wei,began by culling research from all over. Then they combined what theyfound with some of their own theories, assigning values to everythingfrom tangible assets (measured in dollars with depreciation taken intoaccount) to intangible assets (measured in relative value, forexample, software A is three times as valuable as software B).Different types of hacks were assigned costs according to an existingand largely accepted taxonomy developed by the Department of Defense.Annual Loss Expectancy (ALE) was figured. ALE is an attack's damagemultiplied by frequency. In other words, an attack that costs $200,000and occurs once every two years has an ALE of $100,000.

To verify the model, the team went about attacking their intrusiondetection box with commonly attempted hacks to see if the costs thesimulation produced matched the theoretical costs. They did.

Determining cost-benefit became the simple task of subtracting thesecurity investment from the damage prevented. If you end up with apositive number, there's a positive ROSI. And there was. An intrusiondetection system that cost $40,000 and was 85 percent effective nettedan ROI of $45,000 on a network that expected to lose $100,000 per yeardue to security breaches.