ROI figures are meaningless: Bruce Schneier

Return on investment figures, which are commonly used by vendors to justify the value of their products, are meaningless -- especially when it comes to security, claims Bruce Schneier.


In his opening keynote at linux.conf.au last month, the security guru called ROI figures "complete bullshit". In a video interview, Schneier explained to ZDNet.com.au why these cost justifications make no sense.

"If you ever see one of those ROI models, what they do is measure the cost of an attack and then multiply by the probability of an attack to give you how much money you should spend.

"This fails when you have very, very rare and very, very expensive events because you are effectively multiplying zero by infinity. If you have taken any infinity theory, which I don’t recommend, multiplying zero by infinity gives you every number," said Schneier.

He explained that the amount such a model says you should spend on a product can change significantly simply by adjusting the inputs to the equation.

"If the chance of you being attacked is one in a million and I change it to one in two million … I have halved the amount of money you should spend.

"Maybe your reputation is worth [US]$20 million, or maybe it is only worth [US]$10 million, or maybe it is worth [US]$40 million. Suddenly I can completely perturb your budget -- because the numbers are so big and so small that minor changes … make huge changes to the product.

"I can make an ROI model say whatever I want. I could justify or not justify anything based on these very, very rare and very, very damaging events," he said.

Schneier also explained why many "bad" security products outsell "good" security products.

"We are in a market where the average consumer -- even a savvy IT consumer -- can’t tell the difference between a good product and a bad product.

"It is easy for functional requirements -- if you want to know if your word processor does italics, you just check if it does italics. Functional requirements are easy to test. It is the non-functional requirements that all end in a 'y' -- security, reliability, usability.

"So most people, companies, organisations, can't tell the difference between a good product and a bad product and they are forced to rely on the seller. In those markets -- they're called lemons markets -- bad products drive out good products because bad products are cheaper," he added.


Talkback (1 comment)

  1. Organisations don't understand ROI or risk -- Matt, 20/02/08

    Schneier is full of garbage - again.

    There are many organisations that accurately and regularly understand the risk profile needed to make an ROI argument robust - they deal in risk as part of their business - some of them are called Insurance Companies.

    Having worked for one in the IT space - I was always thankful for the input of the risk team into my business cases - and guess what - when the benefits capture process went through its cycle and the figures came out every 3 months after the project was completed, the figures matched the ROI calcs we came up with.

    Organisations without experienced and competent risk managers should look at engaging them.

