Macro or Micro? The Economics of Cybersecurity
David Jordan, Chief Information Security Officer, Arlington County, Virginia
David Jordan, the Chief Information Security Officer (CISO) of Arlington County, Virginia, knew county employees received a lot of spam. What he didn't know was just how much the 125,000 unwanted daily messages cost the county of 200,000 people. So he sat down to figure it out by following a single message's path.
"The average employee takes about three seconds to delete an unwanted email. He sits down. He looks at the screen. He opens it up, reads the subject line, and decides that it's spam. Then he hits the delete key," explains Jordan.
Since Jordan knew how many county employees there are and what the average employee salary is, he computed a loss figure based on all the variables, including how much time each employee was wasting on a daily basis and how much that time was worth. The final number wasn't surprising, he says.
Jordan estimates unfettered spam costs the county at least US$1 million per year. That estimate is probably low, he says, since his scenario doesn't take into account the fact that not all employees delete spam. Some open the messages and follow links; even worse, some inadvertently download malware or viruses.
While Jordan can tell you how much he thinks he's saved, he can't provide a complete return on investment for the US$50,000 Symantec Mail Security 8260 and 8160 appliances he bought to reduce the county's spam. He also can't give an accurate number that indicates how much he's saving with Symantec's AntiVirus Enterprise Edition. There's no question he made back his investment on all three products quickly, but true cost savings are difficult, if not impossible, to measure accurately, and thus may never be quantitatively known.

Must-do security
That doesn't sit well with many business executives, even though they know there's little they can do about it, says Robert Richardson, editorial director of the San Francisco-based Computer Security Institute, a professional organization for computer and network security professionals.
"Today, an increasing number of IT and IT security managers are being asked to make an economic argument or what some might call a more business-oriented argument for IT security investments they want to make," says Richardson, who recently completed a study detailing the types of metrics organizations are using.
According to his study, 42 percent of respondents use return on investment (ROI) as the main valuation metric, while 19 and 21 percent, respectively, say they use net present value and internal rate of return.
Jim Karvounaris, head of Global Information Security for Australia and New Zealand Banking Group Ltd., has a different strategy: he takes a risk-based approach. Karvounaris, who spends about three percent of the IT budget on information security, which includes products such as Symantec's Storage Foundation, AntiVirus Corporate Edition, and DeepSight Alerting, says purchases are made based on loss potential: how much the company stands to lose if a security breach occurs.
"We've got our own yardsticks. On the consequences we would say, 'If this risk or security breach occurred, is the consequence insignificant? Is it minor, moderate, major, or catastrophic?' We put monetary values against those," he explains. "Catastrophic would be something like, 'Could we lose the bank? Is there a potential loss of over AUD50 million (about US$38.3 million)?' By using those metrics, we can come up with an overall risk rating to justify the risk that we're trying to address."