Fri Apr 8 06:47:17 PDT 2016

Risk Management: Costs: How is security budgeted?


Option 1: Take a minimum-cost legal compliance approach.
Option 2: Take a comprehensive risk management approach.
Option 3: Decide to emphasize security as a key enterprise priority.
Option 4: Don't budget in advance for information protection, spend on a reactive basis when needs occur.


Take a minimum-cost legal compliance approach.

This is a common plan. It involves doing only what is legally mandated and asking legal counsel how to minimally comply. Generally, this amounts to doing very little in advance of incidents, and having little budget and expertise in house in the computer security arena. This in turn leads to protection that tends to be ineffective. The budgeted costs might be in the range from 1% to 5% of total IT budget for this case. For every $500 computer, only $5 or so per year would be spent on administration and security, not enough to even afford antivirus software on most PCs. Information technology has to be a pretty low priority for this to be the case, and of course incidents like a computer virus infestation will end up costing a lot more than they would if they were properly guarded against.

Take a comprehensive risk management approach.

In this approach, management balances spending with risks so as to optimize business performance. A systematic approach to risk management means understanding consequences, threats, and vulnerabilities as appropriate, and making decisions to avoid, transfer, reduce, or accept risks based on the business sensibility of the available options. Over time and experience, this leads to optimization of spending and utility. We advise this approach for any business with annual IT budgets in excess of $100,000. For smaller businesses, the cost of the risk management process itself starts to become so expensive that it dominates security costs. To put this in perspective, a business with this budget probably doesn't have even one full time person working in systems and network administration and likely has less than 20 total computer users. For companies that have used risk management effectively, systems administration and security costs tend to range from 5% to 20% of annual budget, depending on the specifics of the situation.

Decide to emphasize security as a key enterprise priority.

This approach tends to arise from one of two scenarios. One scenario is that a company sells security to others or is run by a security fanatic. In this case, the presence of more and better security is a matter of pride and proof that security can work. But even these companies must eventually make sensible decisions or go out of business. The other scenario is that a company is hit again and again or so hard that it starts to lose the faith of the market. In an effort to regain this faith, such a company might go to extremes in trying to achieve security, even at the expense of a great deal of inefficiency. In both cases this is an issue of reputation and brand, and not a technical or analytical decision.

Don't budget in advance for information protection, spend on a reactive basis when needs occur.

This ultimately means that no actions are taken in advance for security. This means that regulatory violations are likely, company computers will be used to attack others, financial records and payables and receivables will be alterable, and so forth. Except in the smallest of businesses, this is certain to lead to big trouble. Computer viruses and worms will run rampant, company computers will be exploited by attackers against others, and credit card data and customer lists will be taken. Civil or criminal liability may also result from this approach.

Typically, systems and network administration and security costs should be on the order of 5-20% of the annual IT budget. It is hard to differentiate systems and network administration budget from security budget because it is usually the systems administrators who do the security implementation, and it is hard to differentiate the time spent on properly administering systems and networks from the time spent in securing them and responding to attacks. In the day-to-day activities of a good systems and network administrator, approximately half of their effort is security oriented, but it is common for days on end to be spent in reacting to an incident or implementing a new technical change, and these times are rarely accounted for properly.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved