A Robust Process Model for Calculating Security ROI

Updated on 01/08/2004

Contact Info

Project Type

Project Title

A Robust Process Model for Calculating Security ROI.


As the corporate business environment has moved from a discrete localized structure to a dynamic structure dominated by electronic exchange of information, chaos theory has played an increasingly important role in the subset world of information security. Unfortunately, organizations have failed to fully justify their security expenditures and have instituted security infrastructures which ironically often increase their level of vulnerability. Based on the hypothesis that security is in essence a Quality issue, this paper describes a process for porting chaos into formality, and achieving financial benefit on the security frontier through building quality systems. By providing a mathematical model spun off of the Taguchi Method, we produce numbers with statistical validity which are derived from four steps: building anti-requirements from requirements, anti-requirement risk analysis, utilization of the proposed Robust Design Method, and finally, cost-benefit analysis. By using anti-requirements to represent threats and then mapping them to assets, we are able to produce a model which either justifies security expenditure or deems the investment unworthy as a result of negative return on investment.

Current Status

The project has currently been a working research project since the summer of 2003. In depth background research and survey was done and was subsequently concluded and results presented a the CTI Research Symposium in the fall of 2003. The Robust Process model developed and decided upon to be used is a spin off of a method known as the Taguchi Method which has for over half a century been used as a tool in the engineering field to do two things. First, it is a methodology intended to encourage engineers to build quality into the systems they design, from the intial design steps rather than as an afterthough. The idea is to not simply adjust system parameters so that specifications are met, but to design these factors in such a way that specifications are met, thereby making the system robust in any environment it may operate in. Second, the method attempts to provide statistically justified numbers on loss due to quality, or the lack thereof. The asserts that loss is inevitable in an engineered system, and thus the goal is to reduce loss as significantly as possible. Currently, with data collected from several governmental agency surveys regarding computer crime, and safeguard efficacy, these numbers are being run through the process model in an attempt to acheive ROI numbers that are valid within an acceptable confidence interval. Code has been developed to automate complex calculations and Excel is being used to collect the data in a understandable manner.

Plan and Target Dates