A Robust Process Model for Calculating Security ROI
Updated on 01/08/2004
Contact Info
- Ghazy Mahjub
- gmahjub@hotmail.com
- www.students.depaul.edu/~gmahjub
- DePaul University
Project Type
- SE MS Thesis (SE690 & SE698), supervised by Dr. Jane Huang
Project Title
A Robust Process Model for Calculating Security ROI.
Abstract
As the corporate business environment has moved from a discrete, localized structure to a dynamic structure
dominated by electronic exchange of information, chaos theory has played an increasingly important role in the domain
of information security. Unfortunately, organizations have failed to fully justify their security expenditures and have
instituted security infrastructures which, ironically, often increase their level of vulnerability. Based on the hypothesis
that security is in essence a Quality issue, this paper describes a process for porting chaos into formality and achieving
financial benefit on the security frontier through building quality systems. By providing a mathematical model spun off
from the Taguchi Method, we produce numbers with statistical validity which are derived from four steps: building anti-requirements
from requirements, anti-requirement risk analysis, utilization of the proposed Robust Design Method, and finally,
cost-benefit analysis. By using anti-requirements to represent threats and then mapping them to assets, we are able to
produce a model which either justifies security expenditure or deems the investment unworthy as a result of negative
return on investment.
Current Status
The project has been an active research project since the summer of 2003.
In-depth background research and a survey were carried out and concluded, and the results were presented at the
CTI Research Symposium in the fall of 2003. The Robust Process model chosen for this work
is a spin-off of a method known as the Taguchi Method, which for over half a century has been used as a tool
in the engineering field to do two things. First, it is a methodology intended to encourage engineers to build
quality into the systems they design from the initial design steps rather than as an afterthought. The idea is
not simply to adjust system parameters so that specifications are met, but to design these factors in such a way that
specifications are met in any environment the system may operate in, thereby making the system robust. Second, the method
attempts to provide statistically justified numbers on loss due to quality, or the lack thereof. The method asserts that
loss is inevitable in an engineered system, and thus the goal is to reduce loss as far as possible. Currently,
data collected from several governmental agency surveys regarding computer crime and safeguard efficacy are
being run through the process model in an attempt to achieve ROI numbers that are valid within an acceptable
confidence interval. Code has been developed to automate the complex calculations, and Excel is being used to collect the data
in an understandable manner.
Plan and Target Dates
- Phase 1:
  - Background Survey: COMPLETE
  - Defining Research Scope: COMPLETE
  - Formulation of Process Model: COMPLETE
- Phase 2:
  - Collection of Data: COMPLETE
  - Complete Code to Automate Intermediate Calculations: January 15th
  - Process Model Testing with Data: February 1st
  - Intermediate Presentation Deliverable: February 15th
- Phase 3:
  - Complete Additional Model Testing: March 15th
  - Thesis Deliverable: April 1st
Project Description
The goal of this research is to attack the problem, faced across industry, of justifying
investments in software security infrastructure. The question posed is exactly how much money should be spent on
software security, and whether there is a way to quantify this value that makes sense to those in management and decision-making roles.
Although this problem has existed for decades and solutions have previously been proposed, none has tackled the
problem with the mathematical rigor required to come up with statistically valid numbers for the return on
software security investments. The goal is to provide a process model that would allow institutions to proactively estimate
loss and the software security investment required to offset that loss, so that decision makers have more to work with than the often
heavily biased words of security consultants who want nothing more than to load up your system with more security than may be
needed. Such a policy often leads to loss due to decreased productivity. This research treats software security as an issue
of software quality, arguing that a quality system which places emphasis on quality of security rather than quantity of
security provides the best and most rewarding investment. The Robust Design Method developed in this research is a spin-off of
the Taguchi Method, a method for the justification of quality engineering investments; it combines statistical mathematics with
old-fashioned analytics to allow users to set up an environment in which several combinations of proposed security solutions
can be tested. Using Orthogonal Arrays, exhaustive testing is not required, since the total number of combinations could
potentially exceed a million. With estimates of safeguard efficacy in hand, together with the cost of safeguard assets and implementation, these
numbers are run through a series of calculations which eventually yield a confidence interval for the results and an actual ROI
number for each proposed solution. The Robust Design Method also allows users to account for Interaction Effects, where two or
more factors potentially interact. For example, an Intrusion Detection System and a Firewall, although they could be considered
separate factors/safeguards, interact heavily in a security system to stop breaches and potential intrusions. Therefore,
Interaction Effects must be accounted for in order to achieve an accurate ROI number for a potential security solution.
The goal is to achieve a small confidence interval, in order to achieve maximum confidence in the results. A concept which
is currently being researched is integration of the Taguchi Loss Function. Such a function essentially says that there will always
be loss, no matter how perfectly the system is engineered. It is a parabolic function whose vertex (the point of minimum loss) lies at
the point of least deviation from a target value for a factor. How this function would apply to this research is a current sticky
point which may or may not be resolved.
Documents