ISACA Journal Podcast: What Is Information Security Worth?
I deliberately chose a title that poses a provocative question. By itself, it is unanswerable without some refinement. Whose security? From what? For what? How long? And what exactly do we mean by worth?
In some instances, the value of security is quantifiable. For example, according to one source, the US military spent US $610 billion in 2017, while Russia spent US $66.3 billion.1 That makes the US precisely 9.2 times more secure. Right?
Well, perhaps not. There are times when precision is the enemy of accuracy and maybe even truth. The underlying fallacy is that the amount spent equates to the amount of security obtained. Perhaps the Americans can just make the rubble bounce 9.2 times higher than the Russians. Or maybe the Russians are simply more confident.2
Risk Assessment
This has relevance for information security in that it does not necessarily follow that those organizations that spend more on securing their information resources are more secure against the misuse of those resources. The measure of information security must take into account the value of the resources, the nature of the threats the organization faces, the effectiveness of the countermeasures implemented, their ability to detect breaches and their responsiveness when such breaches do occur. In other words, it depends on the risk.
In that case, is a risk assessment the appropriate method for determining the value of information security? I do not think so, but the idea is worth exploring. It is often said that something is worth what a buyer will pay for it. That may be so, and there is also an elemental logic to the inverse concept: The security of information is worth what someone would pay not to lose it, to keep it secret or to prohibit a bad guy3 from playing with it.
Unfortunately, the simplistic techniques used to assess risk based solely on the impact of an incident multiplied by the probability of expected incidents per year should give no one much confidence in the results. For one thing, this approach merely multiplies the unknown (cost) times the unknowable (the number of events per unit of time). For another, what is the magic of multiplication? Why not impact^probability? Or probability^impact? Or any other mathematical formula an analyst would like to use? At best, we can say that risk is a function of impact and probability, but why limit it to these variables? Why not include credibility, scale, duration, mean time to failure, mean time to repair, mean time to detection and a host of other factors?
Moreover, risk assessment is a faulty method where the consequences of a negative event are so severe that consideration of the number of instances over time understates the risk. Successful cyberattacks, for example, occur relatively infrequently, so any calculation that includes probability will, in all probability (intentional wordplay), be misleading.
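The point about severe, infrequent events can be made concrete with a small calculation. The following is an added illustration for this column, not the author's own figures or method: it compares the textbook annualized loss expectancy (single loss expectancy multiplied by annual rate of occurrence) with the loss at the 95th percentile of the incident count, under the assumption that incidents arrive as a Poisson process. Both scenarios and their dollar amounts are constructed for the example.

```python
"""Annualized loss expectancy (ALE) versus tail loss.

Added example for the risk-assessment discussion above; editor's illustration,
not code from the column. Incident counts are modelled as a Poisson process
(an assumption), and every scenario figure below is constructed.
"""
import math


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """The classic impact x probability: single loss expectancy times the
    annual rate of occurrence."""
    return sle * aro


def prob_at_least_one(aro: float, years: int) -> float:
    """Probability of one or more incidents in `years` under a Poisson model
    with annual rate `aro`."""
    return 1.0 - math.exp(-aro * years)


def poisson_quantile(lam: float, q: float) -> int:
    """Smallest k such that P(N <= k) >= q for N ~ Poisson(lam).

    The probability mass is computed in log space so that large rates
    (thousands of events) do not underflow to zero.
    """
    if lam <= 0:
        return 0
    k = 0
    cumulative = 0.0
    while True:
        log_pmf = -lam + k * math.log(lam) - math.lgamma(k + 1)
        cumulative += math.exp(log_pmf)
        if cumulative >= q:
            return k
        k += 1


def tail_loss(sle: float, aro: float, years: int, q: float = 0.95) -> float:
    """Loss at the q-quantile of the incident count over `years`, assuming
    each incident costs the full single loss expectancy."""
    return poisson_quantile(aro * years, q) * sle


def compare(sle: float, aro: float, years: int = 10) -> dict:
    """ALE-based expectation versus tail exposure over a planning horizon."""
    ale = annualized_loss_expectancy(sle, aro)
    return {
        "ale": ale,
        "expected_over_horizon": ale * years,
        "p_at_least_one": prob_at_least_one(aro, years),
        "tail_loss": tail_loss(sle, aro, years),
    }


# Constructed scenarios that happen to share the same ALE (US $2.5 million/year):
RARE_CATASTROPHIC = (50_000_000.0, 0.05)  # one major breach per 20 years
FREQUENT_MINOR = (10_000.0, 250.0)         # phishing clean-ups, about 250/year

if __name__ == "__main__":
    for name, (sle, aro) in (("rare", RARE_CATASTROPHIC),
                             ("frequent", FREQUENT_MINOR)):
        r = compare(sle, aro)
        print(f"{name:8s} ALE={r['ale']:>13,.0f}  "
              f"10y expected={r['expected_over_horizon']:>13,.0f}  "
              f"P(>=1 in 10y)={r['p_at_least_one']:.2f}  "
              f"95th-pct 10y loss={r['tail_loss']:>13,.0f}")
```

Run as a script, the two constructed scenarios report the identical ALE of US $2.5 million, so a budget set from ALE alone would treat them as equivalent. Over ten years the frequent, minor scenario's 95th-percentile loss sits only a few percent above the ALE-based expectation, whereas the rare, catastrophic one has a 95th-percentile loss of US $100 million against an expectation of US $25 million: exactly the understatement the paragraph above describes.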
Worth in Qualitative Terms
Perhaps we do not need a quantitative measure of the worth of information security. Perhaps a fuzzy,4 qualitative statement of value in terms that everyone understands will do just as well. For example, we can express the temperature subjectively as well as numerically; a person does not need to know that it is 35° C (95° F) to say that it is hot. In the same way, we can establish a qualitative scale for information security from worthless to priceless. So, in any given enterprise, we might say that information security is valuable, important, essential or indispensable, in an ascending sequence.
Yes, we could, but why would we want to do that? For that matter, why would we want to place a value on information security at all? By itself, the statement “Information security is very important,” while true, lacks both precision and meaning. It does take on significance if the sentence is completed: “Information security is very important compared with….” Is the value of information security greater or lesser than, say, sales, cost reduction, hiring or product development? The relative answer can be and often is translated into organizational priorities that, in turn, determine the ability to secure information resources.
The Worth of Security Activities
But maybe we are asking the wrong question when we try to place a value on information security. Another question may be more apt: What are the activities of information security professionals worth? If there is no direct correlation between how much an organization spends and the security it achieves, can we see more correspondence with the actions of its people dedicated to keeping information resources safe?
Let us assume that the budget for information security is spent on technology and salaries (or outsourcing, which is simply salaries at one remove). It is fair to evaluate whether those salaries are being paid to people who are performing the most effective tasks and, if so, whether they are doing them well. Determining the first is a task for management (in this case, the chief information security officer [CISO]) with a role to be played by auditors. The second is the purview of the manager of those people, i.e., the CISO. Since the CISO assigns the tasks, can he or she appraise whether the staff are performing the right ones without being self-referential?
Evaluating the CISO him- or herself is even more difficult. Leaving aside the dearth of credible metrics, who in the organization is capable of measuring the value of a CISO? The worst way to state the CISO’s value is on the basis of the number of breaches the organization experiences. For one thing, this places the burden of proof on the criminals; for another, the CISO of an organization facing greater risk is more likely to encounter successful attacks than one in a low-risk business. Money center banks and defense contractors are larger targets than, say, toy manufacturers.
Some organizations outsource some or all information security activities. Implicitly, they have placed a financial value on those tasks. I am not arguing for or against outsourcing; rather, I am posing a question. Is the cash value for an activity an accurate reflection of its worth? If so, would senior management hire its current staff if a cheaper alternative were available? On the other hand, if the financial metric is insufficient, what added value do information security professionals bring to their enterprises?
Value and Rewards
All this would be a theoretical discussion except that the quality of information security depends on it. The greater the worth of information security, the more senior management is likely to invest in it, depend on it and base strategic decisions on the assumption that information resources are secure within the organization’s risk tolerance. Greater worth is also tied to greater rewards—salaries, respect, budget and career progression.
So, I end this column not with an answer, but rather a challenge. Information security professionals, from the new hire right out of university to the CISO, should find a way to measure and articulate the worth of what they are doing for their organizations. They might determine that they are undervalued, but careful! They may find out that they are being overpaid.
Endnotes
1 Tian, N. et al.; “Trends in World Military Expenditure, 2017,” Stockholm International Peace Research Institute (SIPRI) Fact Sheet, May 2018, http://www.sipri.org/sites/default/files/2018-04/sipri_fs_1805_milex_2017.pdf
2 In that case, Andorra must be the world’s most secure country because “They spent four dollars and ninety cents on armaments and their defense. Did you ever hear of such confidence? Andorra, hip hurrah!” From a song called “Andorra” by Malvina Reynolds and Pete Seeger, USA, 1962.
3 Technical term.
4 Perceptive readers will realize that I am edging cautiously toward discussing fuzzy set theory. In an overabundance of caution, plus my proven mathematical inability, I am not going there.
Steven J. Ross, CISA, AFBCI, CISSP, MBCP
Is executive principal of Risk Masters International LLC. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at stross@riskmastersintl.com.