Intel IT developed a model for measuring Return on Security Investment (ROSI) in our manufacturing environments that produces a much higher level of accuracy than other methods currently available. Our model has enabled us to make business-driven decisions about security programs, resulting in savings in excess of USD 18 million per year in avoided losses.

Whitepaper now Available! Measuring the Return on IT Security Investments

Quantifying value for security programs is difficult at best. Intel successfully developed and employed a method to measure the value of security programs across our worldwide factories. Although not the silver bullet to measure all security programs, it does show in some circumstances, value can be quantified to the level needed to make sound business decisions.

This is one of many different methods which Intel leverages to determine value of security programs. The difference is being able to tie in hard numbers for prevented losses and the ability to predict future impacts with reasonable accuracy. Other available methods rely on more qualitative descriptions of value and lack a dollar and sense measure. Although no single methodology fits all situations, Intel has found a niche for this insightful metric which is an empowering view of security value.

Other related blogs:

Practical Aspects of Measuring Security

Getting a Return on IT Security Investment

Managing the Effort to Measure Security

The Problem of Measuring Information Security

The Four Dirty Questions of Measuring Information Security

Ethics represent the very cornerstone by which any security organization is built. Without them, a security team is doomed. They will not be respected only feared, they will not be supported only ridiculed or ignored. It is a downward spiral of failure for security organizations practicing unethical behaviors. Management and customers will lose faith, leading to a loss of funding, access and representation. Resources, tools, and overall capability will diminish, leading to loss of effectiveness and value, further advancing the loss of faith by management and customers. Concealment, inconsistency, indifference, or treading in the gray areas of ethics is just prolonging the inevitable trip on the downward slide to defeat. So how can it be, many security professionals have a casual attitude and apathetic commitment toward ethics?

I have been reading some disturbing stories about security professionals being unethical and in some cases fired or arrested for their activities. They stories aren't hard to find. Trusted security people breaking into systems and networks, deciding not to report criminal activities, or ignoring inappropriate activities to avoid complications are common examples of poor ethos. People violating policies they are employed to enforce and uphold is downright despicable. In many cases, what are worse are the comments left by readers, condoning inconsistent behaviors on behalf of security. Comments like "pick your battles", "follow your conscience", or you should only be ethical if others are, is very upsetting.

Reader Beware

I am a fanatic about ethics. I firmly believe ethics, following a code of conduct, is the foundation of every professional security organization. Without consistent ethical behavior, a security team is destined for failure, will open the organization to increased liability and sour future investments in security.

Okay, let me be the first to admit, I have it easy. The security professionals I have the pleasure to know and work closely with are of the highest moral caliber. I am fortunate to work in an organization which embraces the principles of ethics. We derive our support from the corporate principles which are ingrained within the company as a whole and are driven out to all corners. My company (I am a shareholder too) spends time to train, discuss, and reinforce ethics with all employees.

I support ethics in all vocations, but some are more important than others. Security personnel must be held to a higher standard, just as judges and law enforcement must be viewed as incorruptible. Ethics must also reign supreme in financial and medical industries as well. Nothing less is acceptable. We too, as security professionals, should be put under the microscope and make firm commitments to consistency and the highest level of behavior. Our organizations place trust and faith that we will be honest, capable, and perform our duty in an unwavering manner.

Intel's Security Operations Center - Code of Conduct

When I spun up Intel's Security Operations Center, every employee was trained on ethics and we developed a Code of Conduct to insure the expectations were clear and as a team we would all conduct ourselves in a conservative manner.

Intel's Security Operations Center - Code of Conduct

1. Provide diligent and competent service to principals

• Provide timely, professional, and productive response to our customers, peers, vendors, business partners, and management

• Act honestly, justly, responsibly, and legally

• Act impartially to all groups, persons, and organizations

2. Protect and conserve Intel property, resources, and reputation

• Preserve and protect the value of corporate systems, applications, and information

• Operate fully within the law, observe corporate policy, and align efforts with standard operating procedures

• Disclose waste, fraud, abuse, and corruption to appropriate management or oversight bodies

3. Promote and preserve company trust and confidence of the team

• Take care not to injure the reputation of the team through malice or indifference

• Be truthful and accurate in representation and all communications

• Respect the trust, access, authority, and privileges the company grants you

• Promote, comply, and reinforce company security policies, procedures, and intentions

• Avoid conflicts of interest or the appearance thereof

Everyone is ethical, right?

Ever ask somebody if they are a good person or ethical? I will bet you will hear some variation of the same answer, "yes. Of course I am!". How many people openly admit or believe they are not ethical? So are you? Yea, exactly what I thought you would say.

So, Mr/Ms Ethical, you wouldn't be averse to answering a few ethics related questions? These are a subset of questions I ask when delivering the ethics class to our Security Operations Center. They should be easy for an ethical security minded professional such as yourself...

• 1. You are conducting a confidential investigation of Employee ‘A'. An employee outside the team, asks "Are you investigating Employee ‘A'?"

You Answer:
A. Yes, we are
B. No, we are not
C. Maybe
D. I'm not sure/I don't know
E. Other: _____

• 2. Policy prohibits any team member from installing software on Server ‘A'. In an emergency situation, senior management instructs you to install a critical piece of software on Server ‘A' to benefit the company.

You cite policy and:
A. Install the software
B. Refuse to install the software
C. Document the request and install the software
D. Document the request and refuse to install the software

• 3. You are aware state law prohibits any team member from removing software on Server ‘A'. In an emergency situation, your management instructs you to delete a critical piece of software on Server ‘A'.

You cite state law and:
A. Delete the software
B. Refuse to delete the software
C. Document the request and delete the software
D. Document the request and refuse to remove the software

• 4. Your manager instructs you to do something which is contrary to normal operating procedures. What do you do?

You cite the normal operating procedures and:
A. Do what is asked and report the incident to senior management
B. Refuse to do what is asked and report the incident to senior management
C. Document the request and do what is asked
D. Document the request, refuse to do what is asked, and report the incident to senior management

Life is vague. Ethics don't need to be.

We all find ourselves in unique circumstances which are complicated and tricky. Applying a code of conduct illuminates the right ethical path. Allowance of ‘flexible ethics' and ‘gray area' practices are ultimately self destructive and leads to instability and demise. Make a stand.

So what are the answers to the above questions? Well, as we all indicated we are ethical, their really is no need for me to provide the answers. We all know them.

Enough fluff, smoke, and flash: get to the point. Why have security?

At the end of the day, it is all about loss. If you don't like experiencing loss then you must do something to avoid, minimize, or control it. Welcome to the world of Security.

Let's first get something out of the way. If you are seeking to eliminate all loss, I admire you enthusiasm, but you are out of your mind. Totally eliminating loss would be wildly expensive and in most cases impossible. How much would it cost to eliminate all auto theft in the world? Much more than is feasible, as just about any solution you propose would have some weakness and require additional measures, which in total would exponentially increase the cost as you near 100% effectiveness. It would become more cost effective to find a better replacement for cars, and destroy them all, rather than prevent all future thefts. Optimal security is not about 100% protection, rather a balance of spending, prevention, and acceptable losses.

The Profile of Loss

Back to reality. Security is about preventing loss and some would argue managing loss or the risk-of-loss. Well, it is splitting hairs, but I would agree with both as they are one in the same. When we talk about loss it encompasses all the tangible costs and impacts as well as the intangibles of missed opportunities, reputation, and goodwill. Only a few types of loss can easily be measured and most cannot easily be mentally grasped, much less quantified.

Security strives to prevent the ‘Loss' of reputation, financial assets, customer goodwill, operations uptime, computing resources, personnel productivity, intellectual property, liability protection, and the list goes on. Some of these are obvious such as a worm which brings your operations to a grinding halt for two days. Others are not as obvious. Losing Personally Identifiable Information (PII) of customers would open the liability of lawsuits, potentially incur governmental fines, tarnish the corporate reputation, sour customer goodwill, and invoke long term recovery costs. Failure to meet Sarbanes-Oxley requirements may result in and having to cope with a CFO indictment and the associated difficulties of finding a temporary replacement while your executive spends an extended vacation in a federal penitentiary. A single security incident can inflict many different types of losses which in turn may vary wildly in overall impact.

The Evolving Security Landscape

All security programs exist in an evolving state. The enemies get smarter, move faster, and grow. The technology by which information flows rapidly changes. The very organization being protected and the assets within evolve over time. Regulations, customer expectations, experts' recommendations, and industry best-known-methods morph on a continual basis at a dizzying rate. The effectiveness and efficiency of security varies due to these external drivers as well as internal reasons.

So what does security look like over time? What are the key indicators? Here is my perspective. An organization will experience loss, period. If people are involved and any type of value is inherent, loss is expected. No surprise here. To get a better insight, let's apply the Greed Principle.

Greed Principle

From a security perspective, greed is a double edged sword, both good and bad. Greed drives people to do bad things and break the rules for their benefit, but good as it gives continuing opportunities for security to catch these people. The Greed Principle simply states "Losses will increase if unchecked". This principle manifests itself in many different ways but basically, if someone is successful at finding a way of stealing $10 from you, they will continue unless something intervenes. In fact, they will increase the amount they steal over time. If it worked for $10, why not try $15 and so on. As greed is a strong emotional driver for the bad-guys, it provides more and more opportunities to the good-guys to detect them. Hence ‘greed' being both good and bad.

The greed cycle may be disrupted. Intervention may be in the form of additional controls, prevention, deterrence, social pressure, or direct interdiction just to name a few. Many different mechanisms can influence an attacker. Ultimately, unless something changes, greed guarantees losses will increase over time.

Instituting a decent security program is a surefire way to disrupt the unchecked losses. Even a completely mindless security measure can have a great impact. Ever wonder why sales associates say ‘hello' to you when you enter a boutique shop? Even if they don't have time to help you directly, they will make eye contact, greet you with a smile, and say hello. Is this for better customer service? Well yes that is one side benefit, but the primary function is to reduce the shoplifting. Most small stores don't have the money to maintain a security staff and shoplifting can be a major problem (last I checked, retail prices are ~15% higher to cover the costs of security and residual losses). The simple recognition of someone entering a store has shown to dramatically reduce the chances they will steal. In larger retailers, where they have a security staff, you may not get such a greeting (unless you wander into a predatory commission sales area).

The Security Maturity Model

Initial landing of a security program will affect the losses from attacks. But there is a price, namely the cost of security. Security spending bubbles before stabilizing in the maturity phase where it becomes more effective by lowering losses and more efficient by optimizing spending. Management usually has a firm hand in the reduction of spending, as they play an important part in keeping tension in the system.

So what do you get for your money? The amount of loss which did not occur, because of the influences of security, is the Loss Prevented. More loss prevented the better. But it is relative as the cost of security plays into the efficiency calculation. Basically the (Loss Prevented) - (Cost of Security) is one measure of value. A negative number is mostly unfavorable, indicating you are spending more on security than you are preventing. I wouldn't recommend that model unless what is being protected is irreplaceable (life safety, unique items, etc.).

Lastly, one other factor must be discussed. Sadly, the organization will still experience loss, regardless of how much you spend on security. This is Residual Loss. Nobody really likes to talk about this ugly fact of life. It is important. This is the gauge by which the organization determines what is acceptable.

Reasonable Expectations

Every security program must continually evolve to align to a changing landscape of attacker, methods, and alterations in the environment being protected. Over the long run, a good security program will get better and cost less.

I have rattled the ‘optimal security' saber before in previous blogs and it continues to hold true: Optimally, an organization should spend the amount of money on security which prevents enough loss to bring the residual losses to an acceptable level. Only management can decide exactly where the sweet-spot exists for any given moment.

Are you looking for that special gizmo in a box which will provide your organization a warm blanket of security? Buy it, plug it in, and viola! You are now secure. Fold up the tents and walk away, the job is done. Well, keep looking. Regardless of what some security vendors peddle to uninformed IT managers, it simply does not exist.

Security is an on-going process of diligence. The simple fact is, as long as the environment being protected changes, and the threats to that environment look for ways to take advantage, security must also adapt. No one product sufficiently spans the current and potential spectrum of attack vectors, nor does any one solution cover all aspects of technology and behaviors which may be exploited.

The booming growth of security products over the past few years can partly be attributed to organizations dumping money into the market. A common mistake of many senior IT managers was to invest bags of money under the false belief it was a one-time expenditure. As if security could be purchased in a box, installed, and the issue resolved. Especially in IT departments, people new to the realm of security apply IT thinking to the ‘problem' of security, expecting to find an engineering solution ‘fix' so life can move on. I can't blame them really, as most technology minded people deal with obstacles rather than opponents. An obstacle can be overcome. Engineers are great at going over, under, around or through obstacles. Find the right technology, gadget, toy, process, or application and the problem is solved so the diligent IT person can move on to the next obstacle.

Opponents, not obstacles

Well, security is not about obstacles, it is about opponents. Every security threat can be traced back to a person. That person, if malicious, has an agenda and an objective. Put an obstacle in their way, they will find a way to counter or go around it in the pursuit of their objective. In fact, the behavior of attackers is usually predictable, as they follow the ‘path of least resistance' to achieve their objective.

If you treat an opponent like an obstacle, you will be fighting a never-ending set of losing battles. One hole is plugged and the opponent simply adjusts to the actions and comes at you from another direction. It can degrade into a battle of attrition. The defense in this manner can only hope they ‘fix' enough things to make the attacker move on to another target. However, the cost of each ‘fix' is much greater than the cost for the attacker to adapt. For a dedicated attacker, the odds are in their favor, unless the target is willing to spend an inordinate amount of time and resources to continually fight the ‘obstacle' battle in hopes that eventually the attackers will tire or find an easier target.

I plan on going more in depth on this Attacker -> Methods - > Objective model in another blog and may go into great depth in a whitepaper, time permitting. Traditional IT thinking, when applied to security, is an endless treadmill consuming time and resources.

Feel the Pain

Be careful what you wish for. If senior management maintains a simplistic view of security, then many problems are sure to follow. Time to bring on the pain. Choosing to adopt the deceptively straightforward �obstacle� defense is an unpleasant education in futility as new issues quickly replaces ones just remedied. It is both costly and frustrating. Losses begin to tally and security spends increase as the organization is stuck in a routine of responding to each new type of attack. Management can get very aggravated at the continuing expense and interruption with such a poor strategy. From the perspective at the top, it is easy to blame the security staff and not obvious the lack of a comprehensive security strategy is the real culprit.

In this cycle, it is a safe bet management would not comprehend the strategic need to identify an optimal balance of security. Such viewpoints tend to distill the situation to a binary state, either the company is secure or it is not. Trying to argue a gradient or any other perspective may fall on deaf ears. Expect the commitment to be limited to short term security expenditures and no allowance for much in the way of sustaining costs or future additional costs necessary to mitigate new threats. Budget discussions can be frustrating; with management expecting a dramatic decrease in future security spending while those in the trenches are struggling just to maintain effectiveness against new types of attacks. The lure of an easy solution or product is very tempting, but nothing more than a mirage which distracts leaders and reinforces an overly simplistic way of thinking, leading the organization down a path of inadequate preparedness for sustaining needs of the future.

On the converse, if an organization maintains the perspective that an ‘opposition' exists, then an entirely different game is played. One which can be won or at least managed efficiently. The organization can implement a thorough defense-in-depth strategy which starts with Prediction. Predicting the opposition's objectives, capabilities, and most likely methods is the first step in applying a cost effective structure to Prevent, Detect, and Respond to attacks.

Cost of the Magic Box

If your organization is looking for the magic security box then it is suffering from the ‘obstacle' way of thinking. This will be costly. The security programs implemented under this way of thinking will most likely be rigid and have a short effective shelf-life. Many security initiatives will be in response to successful attacks and will be rushed into production. Stacking an increasing number of independent solutions weighs heavily on the computing infrastructure, complicating the very environment it is trying to protect, and sets in motion steadily increasing sustaining and support costs, with no end in sight. Bleak to say the least.

Management perception and strategy are very important aspects when evaluating the value of security programs. Security is not a snap-shot in time. Sure, buying a flashy product may fix a specific problem which cropped up, but the long term costs must be factored in. Will this product ever be End-of-Life'ed? Is their a different product which not only closes this gap in security but also provides broader protection against future issues? What are the real operating and sustaining costs? Will the product be maintained by the vendor and continually upgraded to address new threats?

The bottom line

When measuring security it is important to understand the threats, solutions, as well as the organization which everything will be applied. With all other factors equal, the value of a security product is greatly different in an organization with a comprehensive defense-in-depth strategy, versus an organization with a haphazard strategy with non-integrated solutions. No one product or service does it all. The attackers are dynamic and will adapt to an organizations defenses. Understanding the concept of ‘opposition', even embracing the idea, will thrust your organization ahead in this game.

Practical Aspects of Measuring Security

Security in a Box

The Four Dirty Questions of Measuring Information Security

Managing the Effort to Measure Security

Measuring security is very much a practical matter. It is important for an organization to understand the efficiency, effectiveness, and overall value in order to make decisions which lead to an optimal level of security.

History tells a tale

The industry has been witness to a recurring pattern. As companies begin to focus on security concerns the need to measure and understand the value proposition becomes increasingly important to make good business decisions. Many organizations jump into security based upon fears, uncertainty, and doubt (FUD) without the benefit of security value measurements. In classic knee-jerk reaction, some companies initially poured money into security programs and only when the dust settled did they begin to ask about the actual value and cost effectiveness of sustaining operations. As reality sets in they begin to ask, did this make a difference? Did I do too much? Why is the sustaining cost so high?

The maturity cycle takes over and the tough questions lead to the understanding they are not seeking a state of perfect security, rather a balance. Having sufficient security to insure zero negative impact from threats would be wildly expensive and most likely impossible. Too little security can allow unacceptable business impact and losses. So their must be a sweet-spot. This is where security metrics come into play, to help find the right balance and help leaders make the right decisions to attain it.

What is value?

We all know what value is, right? A quick check in the Encarta Dictionary will return:"the worth, importance, or usefulness of something to somebody". It is not limited to dollars or rate of return or some other finite indicator. In reality, it can be the absence of discomfort, compliance to regulation, satisfaction of key people, uptime, ability to seize opportunities, something tied to emotions, etc. Those who only seek to put a dollar sign on security value are missing the boat. Don't get caught in that tar pit. It will limit your visibility and undermine the accuracy of any analysis.

Who are these people and what are they asking for?

It may seem, to those in the security world, everybody wants to know the value. But it is more complex than that. Everybody wants it expressed in a different way, their way. Talk to a finance analyst and they will be demanding NPV (Net Present Value) or IRR (Internal Rate of Return) numbers. The friendly business analyst will prefer the *BV *(Business Value). The efficiency manager will be firm on CB and CE (Cost Benefit/Efficiency) ratios, while the product and service managers hold to the trusty ROI (Return On Investment) model. Savvy senior managers know to ask for overall ROSI (Return On Security Investment) numbers while mid-level operations folks live and die by the MTTR (Mean Time To Repair) and MTBF (Mean Time Before Failure) metrics. The list goes on, as auditors, compliance, corporate purchasing, etc. each has their preferred vernacular. Even the security researchers will tend to lean towards their expertise. It is easy to recognize those who have an economics, mathematics, and operations background, as they express their ideas in ways relative to those disciplines.

My advice is to ignore these people and their fancy acronyms. Express value in the most applicable and accurate way possible for the circumstance. It is hard enough just to do that! Keep it practical, keep it real.

Practical Aspects of Measuring Security

I look forward to sharing my thoughts related to IT business and management practices. I am interested in a variety of topics pertaining to the IT profession and the role of IT in creating value. We have been researching the topics of IT value and IT innovation for almost a decade, and that includes putting some tangible mechanisms in place for people to apply in their daily jobs, enabling better value creation through the use of IT. We (IT shops) have been so busy ensuring that the infrastructure runs smoothly, that customer requirements and expectations are met, that support is one click away, that we sometimes forget about a unique role that IT can play in a company by actually contributing to future value creation and business growth. In many cases we do it without acknowledging it, and so it goes unnoticed.

At the beginning of this past decade, our IT organization was challenged to measure the impact of IT's solutions to Intel's business results. So, with the help from Finance, we expanded our typical operational metrics to include those related to business impact, such as time to market for our products, capital purchase avoidance, throughput time, and others. We worked closely with our lines of business to quantify and measure improvements from IT solutions, and establishing better internal customer relationships. The data and results produced prove beneficial to IT and the customers of our solutions. We have also learned from the difficulties we encountered. For example, not every IT solution comes with a completed ROI. The lack of business value tools and understanding makes it difficult to get started. Speaking business benefit from an IT view requires common language and common indicators to gauge and value successful IT programs.

Now, more than ever, it is important that IT shops show that investment in IT will yield a positive business return that will be felt by the shareholders.

In future blogs I will share some of the methodologies we developed and continue to create in partnership with academia and industry fellow travelers, such as the IT Capability Maturity Framework (CMF).