ITWALES.COM - The business case for security penetration testing

Posted: Wed, May 7, 2008

The business case for security penetration testing

by Richard Hollis

image of padlock Let's start with a simple example. Penetration testing is similar to a health physical. You may not know if anything is wrong until you go to the doctor's office and have him examine you. You hope the doctor doesn't find anything wrong, but that's why you go and get a check-up. If there is something wrong with you and you need extensive tests or procedures done, you will have just realised the ROI on your health insurance. If you get a clean bill of health you may wonder why you carry health insurance, but peace of mind outweighs your concerns about money. Carrying health insurance is an easy cost to justify. Security spending in the form of a penetration test is a little more difficult to justify, but it can be done.

In a tight spending market, CIOs are only going to spend money on something that can demonstrate a return on investment, which includes demonstrating the tangibles in the form of a Payback Period (breakeven point), Net Present Value (NPV), and the Internal Rate of Return (IRR). The intangibles, such as the loss of reputation from a well-publicised security breach, can be difficult to calculate. The intangibles are just as critical as the tangibles; however a balance of hard numbers and soft numbers needs to be achieved in order to demonstrate a comprehensive ROI.

Demonstrating Return on Investment (ROI) is critical to the success of selling a security product or service, and that includes selling the need for a penetration test. Security professionals and security departments within larger organisations are realising that demonstrating ROI on security is sometimes a complicated and confusing process. You can't go to the decision makers and say, "We need to spend x number of dollars on penetration testing or someone is going to hack us". You need to demonstrate a business case justification for the expenditure, and that expenditure needs to contribute to the bottom line: profitability. Companies should not spend money without proof of benefit. That benefit needs to be in the form of increased revenue, greater cost savings or significant productivity gains. Executive management will expect you to quantify and qualify the "what and why" for penetration testing and any other security related initiative.

Ounce of prevention

Generally speaking, security measures have been viewed as a necessary evil to prevent unknown disastrous events from occurring. As organisations become more educated and aware of their responsibilities in securing the environment, due to legislation or well publicised events, they are also becoming savvier in their decision making processes. As organisations begin to get serious about security and start actually budgeting for IT security products and services they are demanding tried and true methods for evaluating and justifying the expenditure.

Internal security management and staff are struggling with the same issues that external security vendors are struggling with. How do you demonstrate security ROI? It matters not whether you are attempting to justify expenditure for an upgraded firewall solution, IDS (Intrusion Detection System), additional staff, consulting services, or a penetration test. The issue is the same.

image of padlock Historically, IT has been and still is considered a cost centre, not a profit centre. That is why the ROI calculation tends to be difficult: if you look only at the costs, there is no revenue attached to the IT side of the organisation. Most of us are familiar with the acronym TCO (Total Cost of Ownership). Companies have been focused on lowering TCO in regards to infrastructure initiatives. While cost control is important, understanding business value is far more important. The business value of IT initiatives are beginning to be understood in terms of user productivity, revenue per employee, business cost reduction, cycle time improvements and risk reduction.

Security is viewed similarly to IT and is associated with risk management. Risk management is a process whose goal is to provide the best possible protection for information systems and the storage, processing and transmission of information assets at the lowest possible cost consistent with the value of the asset. How can a process such as risk management provide a return on investment? Risk management can be associated with business value. If the value of the information asset is high, risk management needs are high. If the value of the information asset is low, risk management needs are low. The security professional needs to understand information asset valuation methods.

The problem is not just simply a matter of coming up with formulas, methods, and models. The problem is that until you can directly correlate the security product or service (e.g. penetration testing) with business value, you cannot demonstrate a return on the investment. CIOs want to see hard numbers. In these hard times, the FUD factor (fear, uncertainty, and doubt) is no longer a good enough excuse for implementing security measures. The new attitude is "Show me the money".

What is ROI?

Return on Investment (ROI) over-simplified means that if you spend $100K on something, you want to know that in a certain period of time the money you spent is going to return something to you. You want to know how long that is going to take and what the percentage of return is. There are financial terms that need to be understood in order to perform an ROI calculation.

Return on Investment (ROI) is the ratio of the net gain from a proposed project, divided by its total costs.
Payback Period is the time frame it takes for the project to yield a positive cumulative cash flow
Net Present Value (NPV) is a measure of the net benefit of a project, in todays dollar terms
Internal Rate of Return (IRR) is the discount rate necessary to drive the NPV to zero; the value another investment would need to generate in order to be equivalent to the cash flows of the investment being considered

The usual ROI calculations are not readily applied to security initiatives, such as penetration test. Technically speaking, there is no return on investment for a preventative method other than to claim that "an ounce of prevention is worth a pound of cure." However, if you align the penetration test with a compliance programme or revenue-generating project that requires it, the test can be seen as a necessary step in order to meet the goals of the wider project.

What's the purpose of a penetration test?

The purpose of a conducting a security penetration test is to discover and expose vulnerabilities in an organisation's security systems. In calculating the ROI, you have to compare the security investment to the potential damage prevented. You will need to have a good understanding of the company's information assets and how those assets relate to business value. You must be prepared to spend time understanding the business side of the organisation and walk executives through the valuation of information assets as they relate to business value. You must further be prepared to compare the cost of the loss of that asset with the cost of preventing the loss.

image of padlock The results of a penetration test is the knowledge of potential risk, vulnerabilities or threats to Information Assets (IA) and the information needed to mitigate those risks. For organisations who have already been through the process of valuing their IA, it is a much simpler matter to point to a particular asset (such as a customer database), discuss in financial terms what that asset is worth, and then help management think about the impact of the loss of that database.

Consequently, it is extremely beneficial to discuss with the decision makers in financial terms (ROI, Payback/Breakeven, NPV, and IRR) what the business value of the database is. For instance, if your organisation has made a large investment in converting a legacy mainframe system to an ERP system (e.g. SAP, Oracle, Peoplesoft), they have already done the ROI calculations, estimated the Payback period, and hopefully understand the Net Present Value/Internal Rate of Return for that implementation. If the database is compromised and goes offline, what happens to the payback period?

Specialist 'cyberliability' insurance is beginning to emerge in some countries. In order to qualify for the insurance, an organisation has to comply with particular security processes and have certain safeguards in place. At some point it is expected that this type of insurance will become more mainstream. In the meantime, it is important for security professionals to understand how Business views and justifies expenditure. It is just as important for the security professional to teach business to think in terms of information asset valuation and correlate that to the financial risk to the company.

Example Business Benefits

Provides both general and specific information about risks and controls
Assists in creating a strong security culture
Improves the effectiveness and consistency of existing controls
Can stimulate the adoption of additional cost-effective controls
Helps reduce the number and extent of information security breaches

Overall cost of a company's worst incident in the last year

Direct Costs of a security incident	Overall	Large Businesses (10,000+ employees)
Loss of assets, regulatory fines etc.	e.g. DPA Ł5k max fine for a conviction in the Magistrates Court and unlimited fines for convictions in the Crown Court	e.g. DPA Ł5k max fine for a conviction in the Magistrates Court and unlimited fines for convictions in the Crown Court

Indirect Costs of a security incident	Overall	Large Businesses
Business Disruption	Ł6,000 - Ł12,000 over 1- 2 days	Ł50,000 - Ł150,000 over 1- 2 days
Time spent responding to incident	Ł600 - Ł1,200 2- 4 man- days	Ł1,750 - Ł3,500 5 - 10 man- days
Direct cash spent responding to incident	Ł1,000 - Ł2,000	Ł3,500 - Ł5,000
Direct financial loss (e.g. loss of assets, fines etc.)	Ł500 - Ł1,000	Ł3,500 - Ł5,000
Damage to Reputation	Ł100 - Ł400	Ł5,000 - Ł10,000
Total cost of worst incident	Ł8,000 - Ł17,000	Ł65,000 - Ł130,000

From DTI & PwC Information Security Breaches Survey 2006

Example Technical Benefits

Features	Benefits
Perimeter security management	Enables access control of local networks
Network intrusion prevention	Removal of attack opportunities
Limits access to servers	Promotes business resilience
Decreases downtime resulting from attacks	Reduces maintenance and network operation costs

For more information on calculating the business benefits associated with conducting a security penetration test for your organisation, visit www.orthus.com.

About the author:
Richard Hollis is founder and CEO of European information security consulting firm Orthus. A seasoned security professional with over 20 years industry management experience, Richard has extensive hands on experience in designing comprehensive IT security, business continuity and disaster recovery programmes for more than one hundred blue chip high tech companies throughout Europe. His career has included time spent as Director of Security for Philips Communications, Deputy Project Security Director to the US Embassy Moscow Reconstruction Project and numerous sensitive security positions within the US Government. His expertise has been shared via numerous articles and white papers, and in appearances on BBC, Channel 4 and CNN, as well as appearing in print in Time, SC, InfoSec, Computing and Computer Weekly. Find out more about Orthus at www.orthus.com

Send a comment about this article to editor@itwales.com.

Subscribe to
ITWales Updates
Click Here!