X
Tech

ROI figures are meaningless: Bruce Schneier

Return on investment figures, which are commonly used by vendors to justify the value of their products, are meaningless -- especially when it comes to security, claims Bruce Schneier.
Written by Munir Kotadia, Contributor and  Chris Duckett, Contributor

Return on investment figures, which are commonly used by vendors to justify the value of their products, are meaningless -- especially when it comes to security, claims Bruce Schneier.

In his opening keynote at linux.conf.au last month, the security guru called ROI figures "complete bullshit". In a video interview, Schneier explained to ZDNet.com.au why these cost justifications make no sense.

"If you ever see one of those ROI models, what they do is measure the cost of an attack and then multiply by the probability of an attack to give you how much money you should spend.

"This fails when you have very, very rare and very, very expensive events because you are effectively multiplying zero by infinity. If you have taken any infinity theory, which I don't recommend, multiplying zero by infinity gives you every number," said Schneier.

He explained that the amount spent on a product can change significantly by simply playing with the equation.

"If the chance of you being attacked is one in a million and I change it to one in two million ... I have halved the amount of money you should spend.

"Maybe your reputation is worth [US]$20 million, or maybe it is only worth [US]$10 million, or maybe it is worth [US]$40 million. Suddenly I can completely perturb your budget -- because the numbers are so big and so small that minor changes ... make huge changes to the product.

"I can make an ROI model say whatever I want. I could justify or not justify anything based on these very, very rare and very, very damaging events," he said.

Schneier also explained why many "bad" security products outsell "good" security products.

"We are in a market where the average consumer -- even a savvy IT consumer -- can't tell the difference between a good product and a bad product.

"It is easy for functional requirements -- if you want to know if your word processor does italics, you just check if it does italics. Functional requirements are easy to test. It is the non-functional requirements that all end in a 'y' -- security, reliability, useability.

"So most people, companies, organisations, can't tell the difference between a good product and a bad product and they are forced to rely on the seller. In those markets -- they're called Lemon's markets -- bad products drive out good products because bad products are cheaper," he added.

Editorial standards