Is security "good" business? Calculating ROI on security investment

In essence, return on investment (ROI) is a simple concept: it lets a company check whether or not investing money in a project is worthwhile. There are several financial methods to calculate ROI, but they can all be summarized in one principle: calculating the ratio between the return (benefit) we can get from the project and the project's cost. However, discussing ROI for security investment can spur a heated debate. The costs involved in security investment are clear; it is the expected return that is not easy to define.

When security investment is concerned, the returns are usually in terms of cost saving. For example, the return from installing an anti-shoplifting security system in a retail environment is the return that comes from reduced shrinkage.

The problem is: how can we accurately estimate in advance how many incidents the system will prevent? And how should we factor in low-frequency but high-impact events such as a terror attack?

Since we can only predict the likelihood of a security event, demonstrating ROI becomes much more difficult.

Looking at ROI From a Business Perspective
Sean Ahrens, Security Consulting Services Practice Leader at AON Global Risk Consulting, recommends focusing on the business justification of the investment, deriving the returns from greater efficiencies the investment will bring to the organization.

“Security is not an ROI term and this is one of the challenges,” said Ahrens. “When a security director approaches a CFO and asks for US$500,000 for an investment he can’t just promise better security, he needs to show business acumen. We need to implement programs that are measurable and definable so that they can run without looking like a cost center and show the CFO that security is ‘good business’ and not just a cost,” Ahrens added.

Where to Start
Ahrens explained that the first stage is mapping out the process and then identifying the resources that can be used to calculate the costs. By using dispatch logs, incident management systems, guard logs, and other relevant resources, users can get an understanding of how many incidents happened and their relative costs.

Dr. Francesco Flammini, Senior Innovation and Security Engineer at Ansaldo STS and co-editor of the book “Effective Surveillance for Homeland Security,” points to another important benefit of a data-driven approach. “Relying on quantitative risk assessment also allows for better cost/benefit optimization. When budget is limited, a quantitative risk assessment model can suggest the optimal set of protection that minimizes the most risk within our budget constraints.”
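The two steps described above, deriving incident costs from logs and then picking the protection set that removes the most risk within a budget, can be made concrete. The following Python sketch is an added illustration, not code from the article or from either expert quoted. It turns a small log into an annual loss per incident type, adds a probability-times-impact estimate for a rare, high-impact event that has no usable history, exhaustively searches the control combinations that fit a budget for the one leaving the least residual loss, and reports that portfolio's ROI. Every incident record, control name, cost, and effectiveness figure is constructed for the example.

```python
"""Quantitative security ROI illustration (added example; all data constructed)."""
from collections import defaultdict
from itertools import combinations

# Constructed incident log, modelled on the dispatch/guard-log sources named in
# the article: (year, incident type, direct cost in USD).
INCIDENT_LOG = [
    (2021, "shoplifting", 1200), (2021, "shoplifting", 800), (2021, "vandalism", 4500),
    (2022, "shoplifting", 950), (2022, "shoplifting", 1050), (2022, "shoplifting", 700),
    (2023, "shoplifting", 1300), (2023, "vandalism", 3000),
]
YEARS_OBSERVED = 3

# Constructed rare event: no useful history, so it is estimated rather than counted.
VEHICLE_ATTACK_ANNUAL_PROBABILITY = 0.02
VEHICLE_ATTACK_IMPACT = 400_000

# Constructed candidate controls: annual cost and the fraction of each threat's
# expected loss the control is assumed to avert.
CONTROLS = {
    "eas_tags":           {"cost": 600,  "reduction": {"shoplifting": 0.6}},
    "video_analytics":    {"cost": 1500, "reduction": {"shoplifting": 0.3, "vandalism": 0.5}},
    "perimeter_barriers": {"cost": 4000, "reduction": {"vehicle_attack": 0.8}},
    "extra_guard":        {"cost": 3500, "reduction": {"shoplifting": 0.4, "vandalism": 0.4}},
}


def annual_loss_from_log(log, years):
    """Annual expected loss per incident type, from historical records."""
    totals = defaultdict(float)
    for _year, kind, cost in log:
        totals[kind] += cost
    return {kind: total / years for kind, total in totals.items()}


def annual_loss_from_estimate(annual_probability, impact):
    """Low-frequency, high-impact events: expected loss = probability * impact."""
    return annual_probability * impact


def baseline_losses():
    """Combine counted and estimated threats into one baseline loss table."""
    losses = annual_loss_from_log(INCIDENT_LOG, YEARS_OBSERVED)
    losses["vehicle_attack"] = annual_loss_from_estimate(
        VEHICLE_ATTACK_ANNUAL_PROBABILITY, VEHICLE_ATTACK_IMPACT)
    return losses


def residual_loss(baseline, chosen):
    """Residual loss per threat; independent controls combine as loss * prod(1 - r)."""
    residual = {}
    for threat, loss in baseline.items():
        keep = 1.0
        for name in chosen:
            keep *= 1.0 - CONTROLS[name]["reduction"].get(threat, 0.0)
        residual[threat] = loss * keep
    return residual


def portfolio_cost(chosen):
    return sum(CONTROLS[name]["cost"] for name in chosen)


def roi(baseline, chosen):
    """ROI = (avoided loss - control cost) / control cost."""
    cost = portfolio_cost(chosen)
    if cost == 0:
        return 0.0
    avoided = sum(baseline.values()) - sum(residual_loss(baseline, chosen).values())
    return (avoided - cost) / cost


def best_portfolio(baseline, budget):
    """Exhaustive search (fine for a handful of controls) for the affordable set
    of controls that leaves the smallest total residual loss."""
    names = sorted(CONTROLS)
    best, best_residual = (), sum(baseline.values())
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            if portfolio_cost(combo) > budget:
                continue
            total = sum(residual_loss(baseline, combo).values())
            if total < best_residual:
                best, best_residual = combo, total
    return best, best_residual


if __name__ == "__main__":
    base = baseline_losses()
    chosen, remaining = best_portfolio(base, budget=6500)
    print("baseline annual loss:", round(sum(base.values())))
    print("chosen controls:", chosen, "residual:", round(remaining))
    print("ROI:", round(roi(base, chosen), 2))
```

The exhaustive search is only practical for a few controls; with dozens, the same problem is a knapsack variant and would be solved with dynamic programming or integer programming. Note also how the rare event dominates the baseline even at a 2% annual probability, which is why the barriers, the most expensive control, still end up in the chosen set.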

ROI Calculation Risks
The quality and quantity of the data used for the ROI calculation is a major risk. “Even if you have a formal methodology and a verified tool to perform ROI calculations, you still need to collect reliable data (e.g., historical series) and not only base your decision on expert judgments,” mentioned Flammini. “In the end, you have all the tools you need to validate your results, but actually the garbage-in/garbage-out rule still applies whenever data collection is insufficient and/or inappropriate.” Without reliable data, the ROI calculation itself is not valid.

In that regard, the experience of security consultants becomes essential to avoid mistakes such as installing smart cameras with video content analytics on unstable supports or pointing them towards reflective surfaces. In fact, almost all sensors and detectors need appropriate operating conditions in order to function properly, and the cost of unnecessary alarms is much more significant than one might initially think.

Future Drivers of ROI
Many security practitioners will say that ROI calculations for security are unreliable because of the unclear nature of the returns. However, we can overcome this either by taking a data-driven approach that helps us estimate the number of incidents and their consequences, or by aligning the returns with the business goals of the organization and emphasizing the efficiency gains it will see. These two approaches can make ROI calculations in security more reliable and more useful.
