RE: Value of IDS, ROI

• Previous message: Bartosz Krajnik: "Re: Snort & email"
• Maybe in reply to: Jason Patel: "Value of IDS, ROI"
• Next in thread: THolman_at_toplayer.com: "RE: Value of IDS, ROI"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 11 May 2005 08:27:08 -0000
To: focus-ids@securityfocus.com

Hi all,

I'm terribly sorry for this type of quoting, but It's the only way I can manage from my pocketpc.
For first I think that ROI is a wrong economic indicator to manage and maybe justify your budgeting operations or investments in IT Security.

When using approaches based on economic indicator we must use the appropriate ones.
ROI, for me, is too simple and discrediting for analyzing an IDS/IPS based investments.

The reason is quite simple; I know that this is a techical list and not an economic one, but I'll try to explain as simple as I can.

The ROI doesn't analyze two important things when calculating this kind of investment:

1) price of the invested money
2) THE RISK OF THE INVESTMENT.

Furthermore we must understand that IDS/IPS rarely are used to "CREATE BUSINESS" in a company non-it but profit-oriented, they're usually made for countermeasure and/or forensic analisys.

So another IMPORTANT point of view consist in discriminating TWO kind of companies:

1) which use IDS/IPS for CREATING MONEY; such as security consultants or IT Security based enterprises
2) which user IDS/IPS as an "addendum" to the company' IT Services making them "better"

Another important concept is that IDS, is a "semi-intangible object".
Is easier for us to calculate the ROI for a Server or for a Switch, they are "physical", so, for example, I introduce the "New-Server" in my scenario and the better velocity may be the real-reason that justify my investment.
It's difficult to say the same thing for an IDS/IPS. For these we usually listen an investment reason such as "if we don't use and IDS/IPS our network in danger"
So from here, only a good risk analisys can justify the investment, not the IDS Product.

So the only theory applicable, as soon as I know, for this king of investment is the "VALUE ADDED THEORY".
In an accounting analytics manners we maybe use the "payback period" as the only arithmetical indicator.

The economic indicators that better explain the ROSI (Return on Security Investment) are the financial ones, not the arithmetical ones.

So, for first, in the "VALUE ADDED THEORY" we can begin to "think" using these indicator:

+ discounted cash flow analysis (DFC)
+ net present value (NPV)

Net Present Value best tie the investment decision to the company objectives, for IT-Secyurity enterprises.
NPV furthermore, is able to compare different investments of the same kind.

So, on the same way we can discuss the BEST ECONOMIC INDICATOR for these kinds of investments the EVA [TM Stern Stewart & Co].
EVA is a Performance indicator, It explains the effectiveness of the invested money or the "super-yeld" procuced using the risk capital.
Applying it to an entire company or a single Organization/production Unit, is simple to understood how and when an investment add or destroy value.

EVA = NOPAT œ Capital charge

NOPAT = net operating profit after taxes

These is my 5 Cent, please don't blame me for this brain storming, any opinions will be appreciated, don't esitate to contact me in private way :-)

Best Regard

Lombardo Federico, IT Security
Grandi Stazioni S.p.A.
Italy

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------

• Previous message: Bartosz Krajnik: "Re: Snort & email"
• Maybe in reply to: Jason Patel: "Value of IDS, ROI"
• Next in thread: THolman_at_toplayer.com: "RE: Value of IDS, ROI"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Is IDS/IPS worthless? ... IMHO IDS and IPS are not dead, quite the reverse, but in order to make them ... useful they require a degree of continued investment and support. ... is a case for network defense not requiring IDS/IPS to protect their network ... may lull the staff into a false sense of security. ... (Focus-IDS) RE: Is IDS/IPS worthless? ... Anyone that thinks IDS/IPS systems are a waste is a waste! ... had the chance attend the SANS institute IDS tract, ... operations and security is a critical component of IT. ... Astaro Security Linux -- firewall with Spam/Virus Protection ... (Focus-IDS) Is IDS/IPS worthless? ... implementation of an IDS/IPS achieve?" ... I responded that an IDS gives ... So this speaker then challenged me to come up with verifiable metrics. ... operations and security is a critical component of IT. ... (Focus-IDS) RE: Is IDS/IPS worthless? ... But forget there is something as not losing $, due to intrusions. ... Not to mention the image loss due to lack of security. ... IMHO IDS/IPS is far from dead. ... I responded that an IDS gives insight to what is ... (Focus-IDS) For Discussion: ...aldn ... Digital Rights Management and Enterprise Security. ... authentication and digital identity management using a portable device; ... the eSafe line of integrated content security solutions that protects PCs ... related private investment funds managed by Tamir Fishman Ventures ... (misc.invest.stocks)