Producing a cost-benefit analyses of security solutions has always been hard, because the benefits are difficult to assess and often only a part of the overall cost is clear. Despite this, today the provision of economic evaluations of security technology investments is a requirement that more and more customers ask vendors to satisfy. In this paper, we consider the typical calculation of a ReturnOn-Investment (ROI) index based on the evaluation of the Annual Loss Expectancy (ALE), as the one provided usually by vendors of IT security. Our motivating assumption is that such classical index, the ROI, provides a partial characterization of investments in information security technology, because it lacks to explicitly consider attackers’ behavior. We suggest that to better evaluate security technology investments, the ROI index should be coupled with a corresponding index aimed at measuring the convenience of attacks, the Return-On-Attack (ROA) expecially in situation where different technologies are combined or where the possible degradation of a security solution’s efficiency over time must be taken into account.
[1]
Ross J. Anderson.
Why information security is hard - an economic perspective
,
2001,
Seventeenth Annual Computer Security Applications Conference.
[2]
Lawrence A. Gordon,et al.
The economics of information security investment
,
2002,
TSEC.
[3]
Lawrence A. Gordon,et al.
Information Security Expenditures and Real Options: A Wait-and-See Approach
,
2003
.
[4]
Huseyin Cavusoglu,et al.
Model for Evaluating
,
2022
.
[5]
Avishai Wool,et al.
A quantitative study of firewall configuration errors
,
2004,
Computer.