Budgeting for Information Security and ROI Approach

摘要

Information security expenditure involves heavy investment in people, processes and tools. Information system security projects cover a number of non-quantifiable factors not amenable to simplistic cost benefit or ROI analysis. Associated cost/benefits are contingent upon uncertain factors, including level, type, nature and extent of security. Moreover security projects have to comply and deal with statutory issues and differ from case to case. For such projects, the expected productive life, the training period, the periodicity and quantum of benefits/inflows and the expected future outflows required for maintenance, have to be estimated, making quantification complex. The proposed method uses the concept of Total Cost of Ownership, consisting of Direct and Indirect Costs of deploying and maintaining the system for base level security. Option price based ROI method is used to create the second metric for additional level of advanced security. We use the metrics to estimate the net pay offs of the different choices under different probable conditions. The result is a decision matrix to assist stakeholders in decision-making.