A business case for cybersecurity spending
University of Maryland professors show how to conduct a security cost/benefit analysis.
NIST Special Publication 800-65: Integrating IT Security into the Capital Planning...
How much should the government spend on cybersecurity? Two University of Maryland professors of accounting and information assurance know how to answer that question.
In their new book, “Managing Cybersecurity Resources: A Cost-Benefit Analysis” (McGraw-Hill, 2006), Lawrence Gordon, professor of managerial accounting and information assurance at the University of Maryland’s Robert H. Smith School of Business, and Martin Loeb, professor of accounting and information assurance, describe a rigorous process that government officials can use to make a business case for cybersecurity spending. Although specialized knowledge is necessary for putting numbers into the mathematical models that Gordon and Loeb have developed, they say such expertise is not necessary for managing finite cybersecurity resources.
Some critics accuse the authors of using voodoo economics. The critics argue that managers cannot make a business case for investments in information security in the same way they might for a new building or a new product. “And my answer is that’s not true,” Gordon said. “The numbers are much more difficult to come up with, but the process is the same.”
A cost/benefit analysis based on assumptions about the future is never going to be perfect, Gordon said. Agencies must adjust their assumptions after conducting information security audits.
“You try to come up with a rational judgment about how much to spend,” he said. “But in the end, they are only quantitative numbers that are based on a lot of guesswork. Everyone in his own organization has to figure out how to adjust them.”
-- Florence Olsen