Baseline columnist Paul Strassmann offers some insight on the topic and suggests three ratios to gauge security returns. The discussion goes beyond the worst-case scenario approach where you try to predict lost revenue from a security attack to cook up a return.
Strassmann says you can tease out security ROI by looking at three things: security spending vs. overall technology spending, lost employee time against information security outlays, and the impact of cyberattacks on employee productivity.
The three ratios are:
• Compare information security spending vs. total I.T. spending. If security spending exceeds 10%, your business architecture is probably poorly designed to cope with attackers.
• Examine the value of lost employee time vs. your investment in information security. If the cost of your security investment is 200% or more of the value of employee downtime, you may be spending too much on security.
• Measure what impact cyberattacks are having on employee productivity. If you are experiencing a loss of 1% or more in productivity, review how you are protecting your information. For instance, examine the location of your firewalls to determine whether centralization of defensive barriers would give you greater protection.