Calculating the Cost of an IT Security Initiative

It is common for security researchers, testers, and auditors to discuss the risks an organization could face from a particular attack, vulnerability, or breach. While it is true that these risks exist, you need to decide how probable it is that your organization falls victim to that particular issue.

Weighing the probability of an attack is going to be the most accurate way you can allocate your IT Security dollars. By calculating the risk, you focus the efforts where it matters most.

Take for example the issue of replacing a firewall. If the manufacturer discontinues support or updates for the firewall model you have, you should be able to calculate the risk and the financial impact to the company. Will the savings from not replacing the firewall outweigh the cost of the possible downtime?

The formula for this is pretty straightforward, whether it is a firewall replacement, software upgrade, or SIEM deployment.

Here is an example of a project to replace the antivirus/anti-malware solution inside an organization.

Let's say you are getting 4 ransomware infections per week (R). The average downtime for the user who experiences an infection is measured in hours (T). The cost of every hour of lost productivity is measured in dollars (P). You should be able to calculate what the current AV/malware solution is costing you by keeping this simple formula around.

(R x T x P) = N

Next, add the calculated cost of the risk, in this case the AV/malware cost (N), to the renewal rate of the current solution (X). Then subtract the cost to upgrade the AV solution (U).

(N + X) - U

The same logic can be used to decide whether any IT investment is worthwhile. The only difference is that you need to calculate the risk. What are the odds that a particular issue will affect your organization? Find the answer and you can then use data to drive your IT investment decisions. The best way to determine your risk is through a risk assessment.

Obviously, some things are a matter of compliance or peace of mind. Compliance can be calculated by determining what the fine or cost is for not meeting the requirement. Or perhaps you will not qualify to work with a particular organization unless you put in a piece of technology; again, this is easy to calculate.

The math should be done over a number of years. Never look at the hard costs over a one-year or even a three-year return. Try to look at it over a three to five-year period. This should give you a more accurate view and provide the most accurate ROI or risk assessment.
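The AV replacement formula above ((R x T x P) = N, then (N + X) - U) carried over a multi-year horizon, as an added example that is not the author's own code. It assumes R is a weekly rate annualized over 52 weeks, U is paid once up front, and the optional `residual` fraction (an assumption not in the post; 0.0 reproduces the post's formula exactly) models infections that continue after the upgrade; all numbers are constructed sample values.

```python
"""Cost model for the post's AV replacement example (added example).

Symbols follow the post: R infections/week, T hours of downtime per
infection, P dollars per productivity hour, N = R x T x P, X = annual
renewal cost of the current solution, U = one-time cost to upgrade.
"""
from typing import List, Optional

WEEKS_PER_YEAR = 52  # assumption: R is a weekly rate, so N is annualized here


def weekly_loss(r: float, t: float, p: float) -> float:
    """N = R x T x P: productivity cost of the current solution per week."""
    return r * t * p


def annual_loss(r: float, t: float, p: float) -> float:
    """N scaled to a year so it can be added to an annual renewal cost X."""
    return weekly_loss(r, t, p) * WEEKS_PER_YEAR


def net_benefit(n_annual: float, x: float, u: float, years: int,
                residual: float = 0.0) -> List[float]:
    """Cumulative value of (N + X) - U at the end of each year.

    Positive values mean the upgrade has cost less than keeping the current
    solution. `residual` (assumption) is the fraction of N that still occurs
    after the upgrade; the post's formula corresponds to residual=0.0.
    """
    cumulative = []
    total = -u  # the upgrade is paid once, up front (assumption)
    for _ in range(years):
        total += (n_annual + x) - residual * n_annual
        cumulative.append(total)
    return cumulative


def break_even_year(cumulative: List[float]) -> Optional[int]:
    """First year (1-based) in which the upgrade pays for itself, else None."""
    for year, value in enumerate(cumulative, start=1):
        if value >= 0:
            return year
    return None


if __name__ == "__main__":
    # Constructed sample: 4 infections/week, 3 hours each, $50 per hour,
    # $10,000 annual renewal for the current AV, $45,000 to upgrade.
    n = annual_loss(4, 3, 50)
    series = net_benefit(n, 10_000, 45_000, years=5)
    print(f"Annual loss N = ${n:,.0f}")
    print("Cumulative benefit per year:", series)
    print("Break-even year:", break_even_year(series))
```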