ROI = Crown Jewel(s) [Cost of a Security Control – (Adversary Gain + Breach Response & Reputation Loss Expenses)]
Human ingenuity is always interesting to me, especially when we are attempting to change culture and perception in relation to a strong security stance in an organization. I was at an event this week where a respected colleague took the concepts of relevancy and ROI and married them together in a unique way to build an ROI case for preventative controls. We’ve all heard the ROI argument tied back to the traditional cost of controls versus what is at risk if your crown jewels are compromised, such as your exclusive IP being stolen or downtime on an eCommerce site.
In this case they identified their crown jewels as the Personally Identifiable Information (PII) stored in their databases, which is a very large data set. They found out the average price on the dark web at that time for a single credential and multiplied it out across their records. This was consolidated into a single use case of ‘what our PII is worth to the criminals’, or ‘here is our adversary’s ROI IF they can get to our database’. That’s personal and it’s relevant. But then they took it a step further and found relevant industry examples that could be applied to their own organization: an average cost of incident response, the cost of paying for identity theft monitoring for each record in their PII data set following a breach, and so on. They coined this as ‘what a breach would cost us’. Then they looked at growth in their security defense posture to proactively harden against the likelihood and severity of that attack. When you stack up the incentives of the bad guys and the outrageous costs of an incident for your organization against the cost of some reasonable controls, the picture becomes clearer to every stakeholder in the company.
Bravo my friends, well done on a creative way to look at total cost of ownership and ROI in your governance, upwards and outwards. Maybe this will help you as you evangelize similar strategies in your own organization.