Measuring Financial Benefits of IT Security Systems

In June of 2015, it was reported that several banks in the UAE suffered DDoS attacks linked to the cyber group Anonymous. This happened a couple of months after Kaspersky Lab launched Kaspersky Total Security amidst the worsening cybercrime issues affecting the Middle East. In the said conference, the UAE was cited as the second most frequently attacked country in the region and the 15th in the world. Immediately after the June 2015 attacks, governments in the region did what they could to improve their cyber security systems. However, the private sector remained exposed to the hackers.

Private organizations in the GCC member countries should have already learned from their counterparts in Europe, Asia, and most especially the US, where a bank was hacked despite having a $250 million-per-year cyber defense system. The reluctance of these organizations to strengthen the security of their IT infrastructures could be blamed on the absence of a methodology that accurately measures the return on investment of cyber security systems.

To measure the benefits of a cybersecurity system, these three factors should be determined:

  • Cost to fix – How much would it cost to repair the damage brought by a successful cyber attack? According to IBM, in a healthcare organization the average cost of a data breach could amount to $363, while in an educational institution it could cost as much as $300.
  • Opportunity cost – How much would the attack cost in terms of lost business? This includes lost revenue, customer turnover and damage to reputation, among other things. According to the Ponemon Institute’s study on last year’s Global Cost of Data Breach, cyber attack notifications remain low while costs brought by lost business steadily increased.
  • Equity loss – How much capital damage would a successful cyber attack cause? When sensitive information – such as patents and trade secrets – is lost, lawsuits, leadership turnover, and disputes with investors are highly likely.

The goal of having a sound IT security system is to defend the business organization’s sensitive data, software applications, networks, and hardware from catastrophic attacks. The organization’s Chief Information Security Officer should educate the board of directors on its benefits in order to acquire the right budget for an IT security system. A well-performed value chain analysis involving cost to fix, opportunity cost, and equity loss is a good place to start.