Expected benefits of information security investments

Ideally, decisions concerning investments of scarce resources in new or additional procedures and technologies that are expected to enhance information security will be informed by quantitative analyses. But security is notoriously hard to quantify, since absence of activity challenges us to establish whether lack of successful attacks is the result of good security or merely due to good luck. However, viewing security as the inverse of risk enables us to use computations of expected loss to develop a quantitative approach to measuring gains in security by measuring decreases in risk. In using such an approach, making decisions concerning investments in information security requires calculation of net benefits expected to result from the investment. Unfortunately, little data are available upon which to base an estimate of the probabilities required for developing the expected losses. This paper develops a mathematical approach to risk management based on Kaplan–Meier and Nelson–Aalen non-parametric estimators of the probability distributions needed for using the resulting quantitative risk management tools. Differences between the integrals of these estimators evaluated for enhanced and control groups of systems in an information infrastructure provide a metric for measuring increased security. When combined with an appropriate value function, the expected losses can be calculated and investments evaluated quantitatively in terms of actual enhancements to security.