How do you measure the value of reduced risk?

“So how do you measure the ROI from reduced risk?”

I was asked that question during a podcast a few weeks ago. It’s a great question, but with a less than satisfying answer. The value of reducing risk is nothing more than the estimate of the cost of an event times the estimate of the chance of an event in any given year.

I’d like to say it’s more than that but it’s not.

Security is an area where this ROI calculation comes up a lot. How can a CSO justify the cost of a security initiative without some way to calculate the cost to the organization if there’s a security problem? My response to that comment was to point out that’s why it’s a “C” level and not an “Associate” level job. Making that estimate isn’t easy, but it does come down to an estimate.

Now more often than not we see justifications for security initiatives using what I call “the sky is falling” strategy. “If it goes bad the company could go under so no amount of money is too much,” says the tinfoil hat-wearing security folks. Yes, but no, that’s not the way a financial decision maker would look at risk. The more rational sees it as an insurance question. You’d spend $1 to insure your car but if the cost were $1M you’d go without insurance. Okay, now we have a range.

Insurance is a good way to think about risk tolerance. Here in South Florida, where the drivers are both notoriously bad and outrageously litigious, insurance on an automobile worth $30,000 would easily cost $3,000 (or more) per year. That means insurance companies are roughly guessing a 10% chance in any given year of a $30,000 loss. More likely they’re assuming 1-5 odds of a partial loss in any given year. No surprise. The picture in this article is our analyst Cameron Marsh’s car after an incident on 95 north in Miami. The person who hit him had almost no insurance. At least he saved his golf clubs.

So how do you estimate the value of reduced risk?

Start by making a measured estimate of the cost for a typical security incident. What would it cost you to recover from a ransomware attack or data breach. Add up legal, customer notification, and other costs. Now estimate the odds in any given year of this event happening. It’s a guess, so make your best estimate. Multiply the two numbers to get an expected value for an event in any given year. If you’d like, add a little bit for “reputational” cost but don’t go crazy. TJX for example had a big data breach years ago with no impact on sales. Spend no more than this number to protect your organization.

Be clever.

Now that you know the number think about how you can best satisfy the problem. Building bigger walls may not be the best approach. One organization I know put a server for non-critical information data outside their firewall and simply rewrote the image on that server each night. No need to add expensive security when a brute force approach could be effective.

Here at Nucleus Research, we use a similar approach to company laptops. Every analyst backs up their information regularly. If someone has an issue (it’s very rare) we toss the laptop in the trash and take a spare from the back room. The time to fix a problem is not worth the lost productivity.

Calculating the value of reducing risk is easy. The hard part is making rational estimates for the expected cost of an event and the chance of an event happening in any given year.