Justifying Information Security Investments
Accurate information about risks leads to better decision-making: The more accurate the risk information, the better the decision, especially when it comes to IT security.
The insurance industry, for example, uses historical data on adverse events to price premiums according to a number of variables; teenagers are more likely to get car accidents than adults and hence face higher premiums, accidents involving luxury cars are more expensive to fix than ones with compact cars, a young healthy woman is less likely to die than a smoker 30 years her elder plus she has lower rates. In each of these cases, premiums are lower because the risk of the negative event is less likely, something we all know and understand.
How does this apply to information security?
We commonly lack good information in information security decision-making -- especially about penalties when evaluating risks. When an executive asks an information security person: What happens if we don’t comply? It’s difficult to provide the actual financial impact with a hard number. Not enough data commonly exists to provide any verifiable estimate.
However, with enforcement of laws and open data transparency within the Federal Government
, this task of determining financial impact is becoming easier. Within the Healthcare industry, HIPAA violations and fines are public. They are tracked, recorded and published on the Office of Civil Rights (OCR) website. Armed with the number of healthcare organizations, the number of organizations investigated and fine amounts, we walk down the road less traveled in calculating the financial risk for non-compliance, with a specific dollar amount.
Risk Management 101 (Round 1)
Risk = (probability of an event) x (impact of the event)
Risk for Health care organizations (those using protected health information)
~730K Covered Entities in US (HIPAA)
~17K Corrective Actions (OCR), successful investigations over the past 10 years
Image Source: Office of Civil Rights
17K/730K = 2.3% Chance of being caught and penalized
2.3% x $1 million fine (*conservative est.)
*Some organizations have been fined more than 1 million also, some also significantly less; the average fine amount is not easily obtainable, so we take a conservative estimate of $1 million given recent penalties published. Also, there are many other costs (non-direct), such as legal costs, and 3rd party compliance, which we include in this figure.
What does $23K mean given the variables above? All things being equal, if a technology solution is under $23K and will solve a compliance problem, it is best to implement. If greater than that amount, it might not be financially prudent (however, the organization would still be non-compliant).
If cost of security solution
<= 23K then IMPLEMENT!
>= 23K then PAY the FINE
Is this reasonable? Many security solutions cost over half a million dollars; if that were really case many vendors would go out of business. Let’s take a deeper look into some calculations, assumptions and variables.
Mikhael Felker is an IT pro who has worked in Defense, Healthcare, High-Tech and Non-Profits. He teaches, writes, and speaks at numerous Southern California venues about technology.
See here to check out all his Tom's IT Pro articles.