In this video, Kip Boyle discusses benefit estimation methods for a successful information security program. Learn ways to estimate benefits for managing top risks.
- [Instructor] You need to know your top risks and how much it costs to reduce them to an acceptable level. But in order for your boss to have the greatest chance of funding your risk-reduction proposals, you need to be able to describe the business benefits of allocating people's valuable hours and spending the organization's hard-earned money. After all, your executives have to choose from many competing interests who are all chasing a limited number of dollars. So you need to be as influential as possible. For example, when you make your proposal, the marketing team may also propose to refresh the organization's branding.
Sales may want a new customer relationship system and Operations may want a new workforce scheduling system. You need to be able to explain your proposals in terms of the business value that funding your proposal will create. There's a four-dimension model we use that will help you. There's risk reduction, indemnity, which is protection against a financial loss, return on investment, and reliability. Each dimension contains four sub-components. Let's look at each benefit area in more detail.
First, there's risk reduction. Stronger confidentiality reduces the risk of unauthorized disclosure or regulatory action and avoids the costs of breach notification. A trustworthiness benefit strengthens confidence in the overall security of our systems or processes. Better authorization ensures organizational assets are only used for approved purposes. And business continuity increases our ability to continue critical business functions after a disaster. Now let's look at the four components of indemnity.
External compliance is when we adapt to a new statute, ruling, or regulation that requires us to make a change in the way we do business. A due diligence benefit brings us into closer alignment with industry standards. An internal compliance benefit means we'll be in closer alignment with our own corporate information security policies. Increasing accountability improves our ability to know which named individuals performed specific actions on our systems, which reduces the potential for fraud loss. Now let's explore return on investment.
First, a cost savings or a revenue gain creates measurable, hard dollar savings or increases to our top line. And productivity is an increase in efficiencies by reducing head count, improving staff utilization, or improving service. Decision enablement improves the quality of information provided to managers allowing them to make better decisions. And an economic value benefit will lower our costs per employee, per unit sold, per end user device, or per revenue dollar.
The last major benefit area is reliability. First, a strategic linkage benefit keeps us on a supported version of a critical system, like enterprise resource planning or a line of business application. The architectural value benefit improves our technology scalability, performance, or disaster readiness. Maintenance value preserves our current capabilities or makes an improvement that helps us keep the lights on. And finally, an integrity benefit preserves confidence in our data by ensuring accuracy or guarding against data corruption.
As you evaluate your proposal against each dimension, you will award points for each benefit that your proposal will deliver. Give 6.25 points for each benefit. Then you add up all the points and you'll get a total business value score for that proposal. This approach provides a maximum of 100 points possible. But in my experience most viable proposals will get between 50 and 80 points. Let's take a look at two examples. First, encrypting personally identifiable information in our databases.
Indemnity was the top benefit followed by risk reduction. The total score for the proposal was 65 points. The short narrative for this project is: Brings us into closer alignment with company information security policy and due diligence expectations. It also allows for certain exemptions under Washington State's breach notification law. Our second example was a project to add cyber security controls to our Systems Development Life Cycle. Return is the top benefit followed by reliability.
The total score for the proposal was 76 points. The short narrative for this proposal is: a secure Systems Development Life Cycle will reduce the long-term costs associated with software development, patching, and update management. It will also reduce the likelihood of unexpected costs associated with a data breach and allow for quicker removal of defects and vulnerabilities.
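As an added example (not part of the course or Kip Boyle's material), the scoring rubric described above in Python: a proposal's claimed benefits are mapped to the four dimensions at 6.25 points each, dimensions are ranked to support the "top benefit, followed by" wording, and competing proposals are ordered by total score. The two proposals and their benefit lists are constructed for illustration and do not reproduce the 65- and 76-point scores quoted in the video.

```python
POINTS_PER_BENEFIT = 6.25  # 16 benefits x 6.25 = 100 points maximum

# Each dimension and its four sub-component benefits, in the order given above.
MODEL = {
    "risk_reduction": ("confidentiality", "trustworthiness",
                       "authorization", "business_continuity"),
    "indemnity": ("external_compliance", "due_diligence",
                  "internal_compliance", "accountability"),
    "return_on_investment": ("cost_savings_or_revenue", "productivity",
                             "decision_enablement", "economic_value"),
    "reliability": ("strategic_linkage", "architectural_value",
                    "maintenance_value", "integrity"),
}
BENEFIT_TO_DIMENSION = {b: d for d, bs in MODEL.items() for b in bs}

def score_proposal(benefits):
    """Return (total score, per-dimension subtotals). Unknown names raise
    ValueError so a typo cannot silently change a score; duplicates count once."""
    unknown = set(benefits) - set(BENEFIT_TO_DIMENSION)
    if unknown:
        raise ValueError(f"not in the model: {sorted(unknown)}")
    by_dim = {d: 0.0 for d in MODEL}
    for b in set(benefits):
        by_dim[BENEFIT_TO_DIMENSION[b]] += POINTS_PER_BENEFIT
    return sum(by_dim.values()), by_dim

def ranked_dimensions(by_dim):
    """Dimensions by subtotal, highest first (ties keep the model's order)."""
    return sorted(by_dim, key=lambda d: -by_dim[d])

def rank_proposals(proposals):
    """Order competing proposals by total business-value score, highest first."""
    scored = [(name, score_proposal(bs)[0]) for name, bs in proposals.items()]
    return sorted(scored, key=lambda item: -item[1])

# Constructed sample proposals; the benefit choices are illustrative only.
PROPOSALS = {
    "encrypt_pii_in_databases": ["confidentiality", "trustworthiness",
                                 "external_compliance", "due_diligence",
                                 "internal_compliance", "integrity"],
    "secure_sdlc": ["cost_savings_or_revenue", "productivity",
                    "decision_enablement", "economic_value",
                    "strategic_linkage", "maintenance_value", "integrity",
                    "authorization", "trustworthiness"],
}

if __name__ == "__main__":
    for name, total in rank_proposals(PROPOSALS):
        top = ranked_dimensions(score_proposal(PROPOSALS[name])[1])
        print(f"{name}: {total} points; top {top[0]}, then {top[1]}")
```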