Over the years, I’ve counseled numerous information security leaders on how to assign a monetary value to a security solution. It’s important to be able to speak in terms of protecting asset value because that is the language of the board of directors and other executive leaders who must approve a significant expense.
In many of these organizations, the security team has found a problem or discovered a serious vulnerability and they automatically think, “What’s the solution, what should we have in place?” They go out, do an RFP and buy a solution which they put in place to fix one particular problem. They never really take a good risk-based approach to the issue. What ends up happening is that the organization spends a dollar to save a nickel.
I look at the situation from a different perspective and ask, “Do we have the basics done first?” In information security, as in any effort, you’ve got to have the basics down before you can excel in what you are doing.
How you do that is by having a good Information Security Program inclusive of data and asset classification. This means you are going to have asset value labeled, you are going to have your data classification done. You are going to know where the crown jewels are in your organization so that, if you are looking at buying a new security solution, you can put an asset value to it and say, “What is this solution going to be protecting? How does the cost of this specific product compare with the value of what I’m trying to protect?” This enables you to look at the decision a little bit more quantitatively.
First, some basic terminology
Let’s review some basic terminology and how financial values are calculated.
Asset Classification – In terms of information security, assets encompass data, the hardware which processes it and the media on which it is stored. Asset classification is the process of grouping assets according to the level of impact to the organization if confidentiality, integrity or availability is compromised.
Data Classification – Classifying data is the process of categorizing data assets into nominal categories according to their sensitivity (e.g., the impact of applicable laws and regulations). For example, data might be classified as public, internal, confidential (or highly confidential), restricted, regulatory, or top secret.
Asset Value (AV) – Coming up with an accurate valuation of an information asset is a complex task that is best left to the owner of the asset. One measure of an asset’s quantitative value is the replacement value—how much it would cost to acquire the asset today. The replacement cost of a piece of hardware is easy to determine; for data, not so much.
Exposure Factor (EF) – This is the measure, or percentage, of damage that a realized threat would do to a specific asset. Another way to look at exposure factor is how wide the loss is, or how many people/records/assets are affected. For example, a data breach might expose 10,000 customer records.
Single Loss Expectancy (SLE) – This value is calculated by multiplying the Asset Value by the Exposure Factor. Say that a single customer record has a quantitative value of $275. If 10,000 records are breached, the Single Loss Expectancy is $275 x 10,000, or $2,750,000.
Annual Rate of Occurrence (ARO) – The ARO is the estimated frequency with which the threat will take place in a 1-year time frame. The ARO can be expressed as 0.0 if the threat will never occur, all the way up to 1.0 if the threat will always occur. For example, the ARO for a workstation virus might be set to 1.0, whereas a power outage to the network operations center that might occur once every 4 years would have an ARO of 0.25.
Annual Loss Expectancy (ALE) – This value is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). Suppose you expect that a workstation will be infected with malware, and the cost to remediate the problem is $25,000. For an annual rate of occurrence of one, the annual loss expectancy is 1 x $25,000, or $25,000.
The formula to calculate ALE is as follows:
AV x EF = SLE
SLE x ARO = ALE
Is the proposed solution worth the financial cost?
If you do the basics, understand your AV and EF, and calculate the SLE and ARO, then you can discern the value of putting funding into a particular solution based on your ALE and risk tolerance. Basically, if the annual cost of the solution is less than the ALE – which the solution must reduce or eliminate – then funding the solution seems to be worthwhile.
If you can put those numbers together quantitatively, that’s going to give you a really good benchmark to go to your board or your senior leadership team and ask for funding for a particular solution. It also helps you justify the cost of a particular solution by explaining why you’re spending money in one area as opposed to another. Every organization has a different risk tolerance, and it’s important to make sure you’re aligned with what your organization’s tolerance level is.
It may well be that the calculated ALE is within your tolerance of acceptable financial loss as an organization. Then maybe you don’t need to put a security product in place at all. On the other hand, if the ALE number is high, then it might be worth looking at deploying a best-in-class product, or something that’s really going to be tailored to mitigate that risk. It all comes down to your organization’s tolerance for risk.
It’s worth noting that these loss expectancy values do not include your other fiduciary responsibilities such as incident response, regulatory fines, breach notifications, credit monitoring for customers whose personal data was compromised, etc.
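The two formulas above and the funding rule (fund the solution only when its annual cost is less than the ALE it removes, and accept the risk outright when the ALE is within tolerance), worked through in Python as an added example that is not part of the original article. The $275 record value, the 10,000-record breach and the $25,000 malware remediation cost are the article’s figures; the AROs, control names, annual costs and residual AROs are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One threat scenario expressed with the article's quantities."""
    name: str
    asset_value: float      # AV: value of one unit of the asset, in dollars
    exposure_factor: float  # EF: share of the asset lost, or units affected
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        # Single Loss Expectancy = AV x EF
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annual Loss Expectancy = SLE x ARO
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A proposed solution and the ARO/EF it would leave behind (assumed values)."""
    name: str
    annual_cost: float
    residual_aro: float
    residual_ef: Optional[float] = None  # None: the control does not change EF


def net_annual_benefit(risk: Risk, control: Control) -> float:
    """ALE reduction minus the control's annual cost; positive means it pays for itself."""
    ef = risk.exposure_factor if control.residual_ef is None else control.residual_ef
    residual = Risk(risk.name, risk.asset_value, ef, control.residual_aro)
    return (risk.ale() - residual.ale()) - control.annual_cost


def decide(risk: Risk, control: Control, risk_tolerance: float) -> str:
    """Accept the risk if ALE is within tolerance; otherwise fund the control
    only if it removes more annual loss than it costs."""
    if risk.ale() <= risk_tolerance:
        return "accept"
    return "fund" if net_annual_benefit(risk, control) > 0 else "reject"


# Constructed scenarios: record value, record count and remediation cost come from
# the article; the AROs, control costs and residual AROs are assumptions.
BREACH = Risk("customer record breach", asset_value=275, exposure_factor=10_000, aro=0.25)
DLP = Control("encryption + DLP (hypothetical)", annual_cost=200_000, residual_aro=0.05)
MALWARE = Risk("workstation malware", asset_value=25_000, exposure_factor=1.0, aro=1.0)
EDR = Control("endpoint product (hypothetical)", annual_cost=40_000, residual_aro=0.0)

if __name__ == "__main__":
    for risk, control in ((BREACH, DLP), (MALWARE, EDR)):
        print(f"{risk.name}: SLE=${risk.sle():,.0f} ALE=${risk.ale():,.0f} "
              f"net benefit of {control.name}=${net_annual_benefit(risk, control):,.0f} "
              f"-> {decide(risk, control, risk_tolerance=50_000)}")
```

The second scenario is the “spend a dollar to save a nickel” case: a $40,000-a-year product eliminating a $25,000 ALE has a negative net benefit, and with a $50,000 tolerance the risk would simply be accepted.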
The end result
Once you’ve gone through the exercise of looking at asset values and loss expectancy, and after you’ve done your RFP and vetted the competing vendors, you should have some sort of dollar value assigned to the security solution that you are thinking of acquiring. You’ve got a justifiable example, with meat on the bone, to actually show why this product or this solution is viable. You can take that to the board for discussion and/or approval. You can give the reasons why you want the solution, how it affects the board and the company, and what you’re doing to help protect and strengthen the security posture of the organization.