23 October 2003

Selling Security to the CFO

"Investment in information security can provide an ROI by reducing your annual loss expectancy (ALE) from a security breach. ALE is a calculation of the actual cost of a security breach multiplied by the probability that such a breach might occur in the coming year. It's much like the actuarial calculations insurance companies use to compute your premiums.

For example, let's assume you have a Web site that does $2 million of business per day. The security assessment shows the site is vulnerable to a denial-of-service attack, which would result in a three-day outage, and there's a 60% likelihood of a successful attack occurring. The ALE is $2 million per day X three days X 60% = $3.6 million.

The security improvement costs $500,000 and will reduce the likelihood to 15% and the outage to one day. The improved ALE is $2 million per day X one day X 15% = $300,000. This yields a first-year return of $3.3 million ($3.6 million minus $300,000) from a $500,000 investment.

Now you've got all the raw ingredients for a successful business case. The next step is to let your IT finance person produce your company's standard ROI financial tables and then wrap the assessment summary, the security plan with its five-year TCO, the risk/solution matrix and the ROI calculations into the standard company format. Remember, you want the business case for security to look exactly like the business case for any other company investment."
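The ALE arithmetic quoted above, written out as an added example (not from the quoted article) so the before/after comparison can be repeated for several candidate controls and ranked; the `Control` type, the optional `annual_cost` field for a multi-year view, and the ROSI ratio (net benefit divided by spend) are my additions, not figures from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: revenue lost per outage day, outage length, and
    the probability that the event occurs in the coming year."""
    revenue_per_day: float
    outage_days: float
    probability: float  # annual likelihood, 0.0 to 1.0

    def single_loss(self) -> float:
        # Single loss expectancy: what one occurrence of the outage costs.
        return self.revenue_per_day * self.outage_days

    def ale(self) -> float:
        # Annual loss expectancy: cost of one occurrence times its yearly probability.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")
        return self.single_loss() * self.probability


@dataclass(frozen=True)
class Control:
    name: str
    cost: float               # one-time implementation cost
    residual: Scenario        # the scenario after the control is in place
    annual_cost: float = 0.0  # assumed field: recurring operating cost for multi-year TCO


def first_year_return(before: Scenario, ctrl: Control) -> float:
    """ALE reduction in year one, the figure the article calls the 'return'."""
    return before.ale() - ctrl.residual.ale()


def rosi(before: Scenario, ctrl: Control, years: int = 1) -> float:
    """Return on security investment over `years`: (benefit - spend) / spend,
    where spend is the one-time cost plus the assumed annual operating cost."""
    spend = ctrl.cost + ctrl.annual_cost * years
    benefit = first_year_return(before, ctrl) * years
    return (benefit - spend) / spend


def rank_controls(before: Scenario, controls, years: int = 1):
    """Order candidate controls by ROSI, best first, so a business case compares
    alternatives instead of justifying a single option in isolation."""
    return sorted(controls, key=lambda c: rosi(before, c, years), reverse=True)


# The article's worked example restated as data: $2M/day site, 3-day outage, 60% likelihood.
SITE = Scenario(revenue_per_day=2_000_000, outage_days=3, probability=0.60)
IMPROVEMENT = Control("DoS mitigation", cost=500_000, residual=Scenario(2_000_000, 1, 0.15))
```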

All the ROI calculations in the world will not reallocate funds from the marketing department to the IT department. What they will do is help justify needed projects. While this approach is a prudent one, the focus should be on how a comprehensive Enterprise Architecture (see Adaptive) can align the needs of the business with the IT projects that need funding. Security becomes a component of every project, not just one to plug a severe threat uncovered in the latest risk assessment.

