Return on security investment (ROSI) - A practical quantitative model

Journal of Research and Practice in Information Technology

Volumn 38, Issue 1, 2006, Pages 45-56

  Sonnenreich, Wes ^a   Albanese, Jason ^a   Stout, Bruce ^a,b  

^a SageSecure   (United States)

^b Rainmakers' Forum ^*

Author keywords

Algorithms; Benchmarking; Economics; Management; Measurement; Return on Security Investment; Security metrics; Security strategy; Standardization

Indexed keywords

RETURN ON SECURITY INVESTMENT; SECURITY METRICS; SECURITY STRATEGY; TECHNOLOGY IMPLEMENTERS;

ALGORITHMS; BENCHMARKING; DECISION MAKING; ECONOMICS; MANAGEMENT SCIENCE; MEASUREMENTS; STANDARDIZATION; STRATEGIC PLANNING; TECHNOLOGY TRANSFER;

SECURITY SYSTEMS;

EID: 33644693734     PISSN: 1443458X     EISSN: None     Source Type: Journal    
DOI: None     Document Type: Conference Paper

References (18)

1. A GUIDE TO SECURITY RISK MANAGEMENT FOR INFORMATION TECHNOLOGY SYSTEMS PUBLISHED BY THE GOVERNMENT OF CANADA COMMUNICATIONS SECURITY ESTABLISHMENT (1996): See: www.cse.dnd.ca/en/documents/knowledge_centre/publications/manuals/mg2e.pdf
2. BERINATO, S. (2002): Calculated Risk, CSO Magazine, December. See: www.csoonline.com/read/120902/calculate.html
3. BRAITHWAITE, T. (2001): Executives need to know: The arguments to include in a benefits justification for increased cyber security spending. In Information Systems Security, Auerbach Publications, September/October.
4. BUTLER, S.A. (2002): Security attribute evaluation method: A Cost-benefit approach, Computer Science Department, Carnegie Mellon University. See: www2.cs.cmu.edu/~Compose/ftp/SAEM-(Butler)-ICSE_2002.pdf
5. COMPUTER WORLD ROI KNOWLEDGE CENTRE: See: www.computerworld.com/managementtopics/roi
6. FINALLY, A REAL RETURN ON SECURITY SPENDING (2002): CIO Magazine, February; See: www.cio.com/archive/021502/security.html.
7. FOSTER, S. and PACL, R.: Analysis of return on investment for information security: Getronics.
8. INFORMATION SECURITY FORUM: Standard of good practice, See: http://www.isfsecuritystandard.com/index_ns.htm
9. INTERNATIONAL SECURITY STANDARD, ISO 17799: See: http://www.iso17799software.com/
10. KING, C. (2001): Seeking security scorecards, Meta Group (File: 9377), December.
11. NSW GOVERNMENT OFFICE OF INFORMATION AND COMMUNICATIONS TECHNOLOGY (2003): Information security guideline, June. See: http://www.oict.nsw.gov.au/
12. PRIMER ON COST-EFFECTIVENESS ANALYSIS (2000): Published by the American College of Physicians' Effective Clinical Practice, September/October. See: www.acponline.org/journals/ecp/sepoct00/primer.htm
13. SECURE BUSINESS QUARTERLY (2001): Special issue on return on security investment, Quarter 4, See: www.sbq.com/sbq/rosi/index.html
14. SECURITY METRICS GUIDE FOR INFORMATION TECHNOLOGY SYSTEMS SPECIAL (2002): Publication 800-55 US National Institute of Standards and Technology Computer Security Research Centre. See: csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf.
15. THE RETURN ON INVESTMENT FOR INFORMATION SECURITY (2003): See: http://www.oit.nsw.gov.au/content/7.1.15.ROSI.asp
16. THE RETURN ON INVESTMENT FOR INFORMATION SECURITY (2001): See: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ networking_solutions_audience_business_benefit09186a008010e490.html
17. VPN SECURITY AND RETURN ON INVESTMENT: RSA SOLUTION WHITE PAPER (2004). See: http://whitepapers.zdnet.co.uk/0,39025945,60138100p-39000459q,00.htm
18. WEI, H., FRINKE, D., et al (2001): Cost-benefit analysis for network intrusion detection systems. Centre for Secure and Dependable Software, University of Idaho. In Proceedings of the 28th Annual Computer Security Conference October. See: wwwcsif.cs.ucdavis.edu/~balepin/new_pubs/costbenefit.pdf