Communicating the Economic Value of Security Investments; Value at Security Risk

The information and data security communities and their individual practitioners have long experienced the pedagogical difficulties in communicating to management or funding bodies the importance and relevance of sufficient investments in information and data security. Inside these communities there is almost universal agreement that companies under invest in security. One reason for this pedagogical failure is that the highly specialized security domain is difficult to penetrate for the average manager with a background in business administration or economics. Consequently, the entities and metrics used by the security community to evaluate security risks and their consequences usually tell very little to people involved in security investment decisions. Historically, Return on Investment RoI has been used for this purpose. However, RoI is not an ideal entity to use, since it generates misunderstanding and misinterpretation. Companies and enterprises already have tools, methods and metrics to express risk levels and their economic consequences to support management in investment decision situations: we refer to Value-atRisk and Value-at-Risk-type metrics. This contribution transforms or transfers entities and metrics used by the information and data security communities into Value at Risk-type entities and metrics. This will allow management to understand, compare and evaluate security risks and their economic consequences with risks generated by other sources, strategies or investment decisions and give management a firmer and more rational basis for security investment decisions.