Question


Your CISO has asked you to lead a Brown Bag lunch discussion about the costs and benefits of investments in security technologies. The reading assignment for this discussion is: Introduction to Return on Security Investment: Helping CERTs assessing the cost of (lack of) security.

You have been asked to prepare a short discussion paper to be used to spark discussion amongst the attendees. Your paper must address the following:

  • What is the ROSI calculation?
  • How is it used to evaluate cybersecurity technologies?
  • What are the limitations of this metric?
  • How can this metric be used to evaluate one or more of the technologies selected for study? (refer back to Week 6)

Post your three to five paragraph short paper as a response to this discussion topic. Include APA format citations and references as appropriate to the information used and the sources from which you obtained that information.

Reference

European Network and Information Security Agency. (2012). Introduction to Return on Security Investment: Helping CERTs assessing the cost of (lack of) security. Heraklion, Crete, Greece: Author. Retrieved from https://www.enisa.europa.eu/activities/cert/other-work/introduction-to-return-on-security-investment/at_download/fullReport

Answer #1

ROSI:

ROSI (Return On Security Investment) is an objective method of analyzing how much loss the firm has prevented by adopting preventive measures (security investment). For this, several components of risk need to be evaluated beforehand, which include Single Loss Expectancy (SLE) and Annual Rate Of Occurrence (ARO).

1. Single Loss Expectancy (SLE): It is the amount of money lost in the form of compensation made afterward towards the recovery of assets lost. There is no universal way to calculate ROSI, and it can be calculated differently in different situations.
2. Annual Rate Of Occurrence (ARO): It is the probability of the number of times a risk occurs in a year. It is a crucial parameter for calculating ROSI.
3. Annual Loss Expectancy (ALE): It is the amount of monetary loss in a year due to a specific risk on a specific asset.
4. Mitigation Ratio: It is the percentage of risk which can be tackled by adopting a preventive measure.

ROSI = ((ALE * mitigation ratio) - cost of solution) / cost of solution

Limitations of ROSI calculation:

1. The drawback of estimation: It is very hard to estimate the annual rate of occurrence of risks, as it varies from year to year. It could be very large for one kind of risk and very small for another kind of risk. Estimations could be biased by our perceptions of risk. The best way to deal with it is by analyzing the company's historical data and then deriving some useful insights from it.

2. Gordon and Loeb Model: Gordon and Loeb are economists who put forward the result of their study stating that increasing the security investment on a more valuable asset does not necessarily decrease its vulnerability to risks. According to their study, "the optimal amount to spend on information security never exceeds 37% of the expected loss resulting from a security breach (and is typically much less than 37%). Hence, the optimal amount to spend on information security would typically be far less than even the expected loss from a security breach".

The ROSI metric should not be taken as a definitive measure for estimating security investments. Rather, it should be considered as a guideline for preparing a more sophisticated model.

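The ROSI formula and the two limitations discussed in Answer #1 (ARO is hard to estimate, and the Gordon-Loeb 37% ceiling) can be made concrete with a small calculator. The code below is an added worked example, not part of the original post or of the ENISA paper; the ransomware scenario, the control, and every figure in it are constructed for illustration and are not drawn from any real incident data. It computes ALE = SLE x ARO, applies the ROSI formula from the answer, flags an investment that exceeds the 37% (1/e) ceiling quoted from Gordon and Loeb, and then shows how ROSI swings when only the ARO estimate changes, which is exactly the estimation problem the answer warns about.

```python
"""Worked ROSI example (constructed figures, not real incident data)."""
import math
from dataclasses import dataclass

# Gordon-Loeb upper bound on optimal security spend: 1/e of expected loss,
# the "37%" figure quoted in the answer above.
GORDON_LOEB_FRACTION = 1 / math.e


@dataclass(frozen=True)
class RiskScenario:
    name: str
    sle: float  # Single Loss Expectancy: currency lost per incident
    aro: float  # Annual Rate of Occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # licences + staff + maintenance per year
    mitigation_ratio: float  # fraction of ALE the control removes, 0..1


def rosi(scenario: RiskScenario, control: Control) -> float:
    """ROSI = ((ALE x mitigation ratio) - cost of solution) / cost of solution."""
    if not 0.0 <= control.mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    if control.annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    loss_avoided = scenario.ale * control.mitigation_ratio
    return (loss_avoided - control.annual_cost) / control.annual_cost


def exceeds_gordon_loeb_ceiling(scenario: RiskScenario, control: Control) -> bool:
    """True if the spend is above 1/e of the expected loss (ALE)."""
    return control.annual_cost > GORDON_LOEB_FRACTION * scenario.ale


def breakeven_aro(scenario: RiskScenario, control: Control) -> float:
    """ARO at which ROSI is exactly zero: cost = SLE x ARO x mitigation."""
    return control.annual_cost / (scenario.sle * control.mitigation_ratio)


def rosi_sensitivity(scenario: RiskScenario, control: Control, aro_values):
    """ROSI for each candidate ARO, holding SLE, cost and mitigation fixed.

    This is the estimation problem: the same control looks like a loss or a
    clear win depending only on how often you believe the incident occurs.
    """
    return {
        aro: rosi(RiskScenario(scenario.name, scenario.sle, aro), control)
        for aro in aro_values
    }


# Constructed example (hypothetical values): ransomware on a file server,
# mitigated by EDR plus offline backups.
RANSOMWARE = RiskScenario(name="ransomware on file server", sle=200_000.0, aro=0.5)
EDR_BACKUPS = Control(name="EDR + offline backups", annual_cost=30_000.0, mitigation_ratio=0.8)


if __name__ == "__main__":
    print(f"ALE: {RANSOMWARE.ale:,.0f}")
    print(f"ROSI: {rosi(RANSOMWARE, EDR_BACKUPS):.2f}")
    print(f"Above Gordon-Loeb ceiling: {exceeds_gordon_loeb_ceiling(RANSOMWARE, EDR_BACKUPS)}")
    print(f"Break-even ARO: {breakeven_aro(RANSOMWARE, EDR_BACKUPS):.4f}")
    for aro, value in rosi_sensitivity(RANSOMWARE, EDR_BACKUPS, (0.1, 0.5, 1.0)).items():
        print(f"  ARO {aro:.1f} -> ROSI {value:+.2f}")
```

With these constructed numbers the ALE is 100,000, the control avoids 80,000 of it for 30,000 a year, so ROSI is about 1.67 (each unit spent returns 1.67 in avoided loss) and the spend stays below the 1/e ceiling. The sensitivity run is the part worth showing the room: at an ARO of 0.1 the same control has a negative ROSI, and it only breaks even at an ARO of 0.1875, so the decision hinges on an incidence estimate that, as the answer notes, is usually the least defensible input.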