Investments in cybersecurity tend to be fairly significant, so organizations continually seek ways to determine whether the investments were appropriate based on return. However, companies are challenged to apply and fit the traditional discounted cash flow methods to calculate a return on investment (ROI) and justify cybersecurity initiatives. Cybersecurity initiatives are even harder to justify than traditional IT initiatives using traditional accounting methods. Some state that cybersecurity initiatives are not investments resulting in profit; instead, they address loss prevention and mitigation of threats to the company’s assets. In part, this is accurate. However, in today’s world, with the severity of impact resulting from cybersecurity breach incidents, the argument should be supplemented to state that cybersecurity is on the same necessity level as any required infrastructure such as accounting, operations and IT functions to enable companies to do business.

Discounted cash flow methods are unable to quantify the intangible benefits that cybersecurity brings forward to companies. The focus of this article is to propose a nontraditional method to prioritize cybersecurity initiatives and develop a foundation for the return on (cyber)security investment (ROSI) with a method to quantify the intangible returns.

The Challenge

The perceptions and views of non-IT management toward cybersecurity are among the contributing factors posing the challenge to justify the expense of such initiatives. Examples of such views and perceptions are:

Security is not an investment. Cybersecurity is a risk prevention and mitigation investment. There is no technical guarantee to immunize companies from cyberattacks due to human errors and from those with malicious intent. Traditionally, the view of business management toward IT is that it is an expense and this view has been extended to cybersecurity initiatives.

Cybersecurity is a risk prevention and mitigation investment. There is no technical guarantee to immunize companies from cyberattacks due to human errors and from those with malicious intent. Traditionally, the view of business management toward IT is that it is an expense and this view has been extended to cybersecurity initiatives. Cybersecurity is an IT discipline. Cybersecurity is highly technical in content, and technical staffs generally have difficulty explaining to management, in layman’s terms, what the proposed initiatives are and how they might protect the core values of the company. Often, management equates cybersecurity with the IT function and responsibility for IT security is exclusive to the IT team. This is a fundamental flaw. Cybersecurity is everyone’s responsibility. The IT function must integrate cybersecurity into each of its initiatives. However, all business functions, IT and non-IT, must integrate cybersecurity into their initiatives as well.

Cybersecurity is highly technical in content, and technical staffs generally have difficulty explaining to management, in layman’s terms, what the proposed initiatives are and how they might protect the core values of the company. Often, management equates cybersecurity with the IT function and responsibility for IT security is exclusive to the IT team. This is a fundamental flaw. Cybersecurity is everyone’s responsibility. The IT function must integrate cybersecurity into each of its initiatives. However, all business functions, IT and non-IT, must integrate cybersecurity into their initiatives as well. A communication gap exists. The communication gap between IT and the business community is a contributing factor in the underestimation and lack of appreciation of each other and the value and sensitivity of the duties and responsibilities of each. Often, the business community lacks a clear understanding of how IT applications, technologies and services may contribute to the company’s business objectives in quantifiable and tangible ways. On the other hand, the IT community fails to link technology solutions to the primary interests of the business to increase revenue, expand market share, enhance customer satisfaction and allocate resources. This symptom arises when IT operates in a vacuum and in the absence of IT governance.

The Big Picture of ROI

The lack of appreciation and understanding between the business and cybersecurity communities is a two-way street. Cybersecurity staff must be able to understand and accommodate the sensitivity of the business function needs. As a matter of fact, cybersecurity staff members need to reach out to the business community and engage it in the cybersecurity justification of its initiatives. It is worth mentioning that the IT and cybersecurity communities often lack the necessary understanding of accounting disciplines to enable them to establish a quantifiable basis to advance cybersecurity initiatives and justification.

The Analytical Hierarchy Process (AHP): Pairwise Comparison and Establishing Priorities AHP starts by refining a complex problem into smaller elements. It then organizes the elements into sets of homogeneous clusters, which are subdivided into more detailed sets until the lower levels of the hierarchy are established. This structure represents the total view of the model (e.g., enterprise) being studied. AHP helps its users deal with complex problems (e.g., cybersecurity initiatives justifications) by representing the enterprise in hierarchical form and identifying the major elements within each level, depending on the level of detail required. The number and type of elements within each level in the hierarchy depend on the enterprise’s business environment. AHP compares any two elements in a given layer and measures the degree of impact on any element in the layer above it. The pairwise comparisons are repeated with every element in each level, starting from the top level and continuing downward to the lowest level of the decision model hierarchy. AHP helps establish priorities by asking the workshop participants to state the degree of impact of the pairwise comparisons of the element sets in each level in the hierarchy structure with respect to each of the elements in the next higher level. How to Calculate the Priorities (Pairwise Comparison) AHP uses a scale of 1 through 9 in the pairwise comparison to determine the dominance of each element with respect to the elements in the next higher level of every matrix. Calculating Relative Weights The criterion weight for this matrix is calculated using a commonly used approximation procedure by taking the geometric mean (average) of the entries in each row.

Is a security investment a business decision or a technology decision? Maybe before this question is answered, it is important to state that cybersecurity investments, in general, are viewed as technology decisions, when they are not. Cybersecurity investments should be looked at as business decisions supporting, protecting and sustaining the company’s objectives and competitiveness. The perception of cybersecurity initiatives has to overcome three hurdles:

The view that cybersecurity expenses are part of the IT budget and have to be approved through the overall IT budget Consideration of cybersecurity initiatives as equal to other IT initiatives and requiring approval by the company’s business management team using the same company internal procedure and guidelines used for IT The inability to quantify the intangibles. A substantial part of the realized benefits from cybersecurity initiatives is intangible. When performing an ROI analysis, it is critical to identify and quantify the intangible risk factors and benefits.

Cybersecurity Investment Decision Model: Rationale and Approach

What companies require for cybersecurity investment justification is a creative process to bridge the gap between business and cybersecurity communities, supported by a methodology to quantify the intangible benefits and risk.

The proposed investment justification process is based on examining recommended cybersecurity initiatives and quantifying the impact that such initiatives may have on the established company business objectives.

The developed methodology and approach described is based on the analytic hierarchy process (AHP) technique (see sidebar).1 Through this method, the company will be able to build a cybersecurity decision model (CSDM) that reflects company business objectives, critical success factors (CSFs), business challenges, business enablers and proposed cybersecurity initiatives. Through AHP, organizations are able to quantify and compare the degree of impact of the proposed cybersecurity initiatives on any of the company-stated objectives and on any attribute in the CSDM.

Determining the portfolio investment and value of cybersecurity initiatives is highly correlated to company’s willingness to articulate the following:

The risk of potential cost of individual security incidents that the company is willing to bear

The level of risk that the company is willing to accept when running its business

The company’s recognition that cybersecurity investment ought to be mapped to the company’s business objectives, critical success factors and challenges

Planning, Designing and Developing the Nontraditional Method in Justifying Cybersecurity Initiatives

The key steps to implementing the process of the nontraditional ROSI are described in figure 1.

Facilitate Management Workshop

Step 2 in figure 1 is an example of a CSDM that is based on the nontraditional investment decision methodology for ROSI using the AHP technique. The CSDM is constructed through a series of steps in a workshop session using the AHP technique guided by the facilitator. The workshop participant team consists of representatives of company management from key operating departments. The rules of the workshop to construct the CSDM and perform the prioritization (AHP pairwise comparison) are collaboration and consensus building among the workshop participants.

Agree On Collaboration Approach

This is part of the norming process to build consensus and agreement among the management team through a workshop session. The rules of engagement of the workshop and method used should be clearly described by the facilitator and the expected roles and responsibilities accepted by the workshop participants.

Through collaborative efforts, the company expects management to buy in to the business justification of the cybersecurity investments and rationalize the strategic decisions they are making due to the enterprisewide nature of such decisions.

If the organization decides to implement any of the cybersecurity initiatives, which means it is committed to undertake the investment in funds, resources, schedules, risk tolerance, etc., the organization is required to develop a business case to substantiate the impact of its decision on the entire company through building consensus among management teams and seeking the support of the organization.

Develop the Company CSDM

The investment justification methodology proposed in this article applies to situations in which company competitiveness is examined, critical success factors are defined, and risk and challenges are identified. The objective of the CSDM is to frame the cybersecurity initiatives with justifications in alignment with company business objectives and governance.

The workshop participants will develop the hierarchical decision model, perform impact analysis and identify the portfolio of cybersecurity initiatives to examine, prioritize and implement. AHP is the technique used to facilitate and determine the degree of impacts and priorities of the proposed initiatives.

The beauty of AHP is that the managers of the enterprise can build their own and specific decision models with specific elements and priorities as they see fit for their company at that time.

Figure 2 is an example of a CSDM developed in a workshop setting where participants represent the major departments of the company.

The example illustrated in figure 2 consists of six hierarchical layers. The number of layers is determined and agreed upon by the workshop participants. The definition of these layers, and all of the elements within each layer, are left to reader interpretation for the sake of simplicity in this article.

The example CSDM layers depicted in this case are:

Goal—Reducing the severity and likelihood of loss and fraud Business objectives—This layer represents the cornerstone of the company establishment. These are the primary business objectives of the company. Critical success factors—These are the business processes that are essential to achieve the company’s business objectives. These processes have strategic and operational characteristics to achieve the enterprise strategy. The approach in identifying the CSFs is subjective in nature, but the collaborative approach of the workshop participants implies the objectivity needed. It is expected that the workshop participants will spend ample time brainstorming, identifying and agreeing on the processes that are of most importance in achieving the company’s business objectives. Finally, the participants will agree on the selected essential CSFs. Business challenges—This layer identifies the challenges facing the company. Simultaneously, these are the factors hindering the company from realizing the CSFs and, in turn, preventing the company from achieving its business objectives. Business enablers—These enablers are the opportunities the company would like to create in order to contain, mitigate and manage the risk posed by the business challenges. Proposed investment initiatives—These initiatives represent a cybersecurity program or projects that enable the attainment of the business enablers. These initiatives could be technical or nontechnical in nature.

At various times, enterprises will have their own model architecture where the number and type of stated layers and their attributes are unique to the strategy of the company as defined by the workshop participants.

In summary, the fundamentals articulated in this ROSI methodology and the development of CSDM are the following:

Establish the link between cybersecurity initiatives and the enterprise objectives to ensure the buy-in and support of company management.

Ensure the alignment of the senior management team with cybersecurity. This will elevate the cybersecurity initiatives to be an integral part of company governance.

Demonstrate that cybersecurity initiatives are protecting the enterprise from the risk of economic, reputation and productivity loss. It is essential to the company’s survival.

How to Interpret Impact Values

The AHP technique highlights the degree of influence or the impact the proposed cybersecurity initiatives may have on a given attribute within the hierarchy. Figure 3 illustrates that the examined investment option, continuous monitoring, threat detection and fraud, have the highest impact on the company goal of reducing severity and likelihood of loss and fraud.



View Large Graphic

Figures 4, 5 and 6 illustrate the established priorities of the examined and proposed investment initiatives.







Further details of the relative impacts and proprieties are found in figure 3.

It is important to mention that the proposed cybersecurity portfolio represents the best picture of the proposed investment to achieve the 100 percent impact for the established goal. If any of the proposed investments have not been undertaken, the company is at risk and the quantified risk is represented by the impact number. It is a company management decision to determine what risk exists and which risk it is willing to accept in the absence of any of the proposed cybersecurity investment initiatives.

The depicted impact (priority) percentages are examples only and are used for illustration of the ROSI methodology and its analysis. Companies will build their own CSDM based on their priorities and the strategy of their business.

Calculating the Financial Impact and Return on Investment of Cybersecurity Initiatives

After completing the prioritization of the elements of the CSDM, the methodology can be extended to the financial calculation of the cost and savings or cost avoidance of the proposed cybersecurity initiatives.

As demonstrated earlier in the prioritization of the cybersecurity initiatives, continuous monitoring, threat detection and fraud has the highest impact on the stated enterprise goal in the CSDM. The impact of cost and savings of such initiatives on all stated enterprise business objectives in the CSDM will be examined in the following exercise, which details the business objective to reduce security incident costs to illustrate the logic of costs and savings in implementing the continuous monitoring, threat detection and fraud cybersecurity initiative. From here, one must repeat and finish the exercise and apply it to the rest of the enterprise business objectives stated in figure 7.

Achievement of Benefit Through the Use of the Nontraditional Justification of ROSI

Several benefits and byproducts are expected through the use and performance of the ROSI nontraditional justification methodology, including:

Establishing a clear and dynamic link among company goals, objectives, risk factors and cybersecurity initiatives

Elevating cybersecurity planning and implementation to the corporate governance level with easier interpretation for nontechnical and technical personnel

Providing a communication platform for management team alignment and support

Developing a company business model that is well understood by the management team and other company entities

Identifying and prioritizing the interrelated elements where management is able to establish better planning, rationalization and deployment of initiatives

Quantifying the impact the proposed initiative might have on each of the company objectives and on the bottom line, the company goal

Seeking the support of the management team for future departmental initiatives and operational decisions

Conclusion

The credibility, accuracy and overall success of a nontraditional ROSI methodology depends greatly on management participation in and support of such initiatives, the experience and discretion of company management participating in the workshop, the acceptance of reaching decisions via collaborative efforts in a management workshop forum, and the broad acceptance of the nontraditional ROSI approach. Detailed information is not required to carry out the analysis and conclusion of the ROSI process and justification of cybersecurity initiatives. The approach is a process that can assist company management in performing business analysis and justification based on company objectives and business processes and easily link cybersecurity to enterprise governance. Management can make great use of this process by determining investment opportunity contributions, payback and priority for each one of the business objectives. The outcome of this methodology serves as a guide for investment and allocation of resources such as investment capital and HR. In addition, this proposed methodology helps ensure that management has communicated and developed a consistent understanding of rationale and support to approve and implement cybersecurity initiatives.

References

Putrus, R. S.; “The ROI of SOX: Sox Compliance Investments Can Boost Your Bottom Line,” California CPA, 1 May 2006

Putrus, R. S.; “Outsourcing Analysis and Justification Using AHP,” Information Strategy: The Executive, vol. 9, no. 1, Fall 1992, p. 31-36

Putrus, R. S.; “Accounting for Intangibles in Integrated Manufacturing,” Information Strategy: The Executive, vol. 6, no. 4, Summer 1990, p. 25-30

Endnotes

1 Saaty, T. L.; Decision Making for Leaders, Wadsworth, USA, 1982. Saaty, T. L.; The Analytic Hierarchy Process, McGraw-Hill, USA, 1980

Robert Putrus, CISM, CFE, CMC, PE, PMP, is an IT professional with 25 years of experience in senior management roles, program management, compliance services, information systems and management of professional service organizations. He is experienced in the deployment of various cybersecurity frameworks and standards. Putrus has written numerous articles and white papers in professional journals, some of which have been translated into several languages. He is quoted in publications, articles and books, including those used in masters of business administration programs in the US. He can be reached at robertputrus@cox.net.