Information Technology Reference
In-Depth Information
While terms of how to express IA value will vary among organizations, arguably,
all organizations are concerned about money. And indeed even the most altruistic
of nonprofit organization needs money to provide its benefits. The point is to be
aware that IA quantification has many potential expressions. Moreover, expressing
IA value in terms that resonate with the audience provides for a better understand-
ing of IA and increases the tolerance for IA if not outright acceptance.
4.3.2
IA Quantification: Asset/Target Perspective
Assets are the targets of threats. Even if a threat has no volition (e.g., hurricane),
there are still assets that may be the target of a hurricane, albeit unwittingly. An
outline of the IAQF asset/target perspective includes:
n
n
n
−
−
−
Financial (currency measurement)
Development (quality measurement)
Operational (functional parameter measurement)
Risk management (standard risk assessment quantification)
Mission integrity boundary model
Attack modeling
4.3.2.1 Financial (Currency Measurement)
The ROI framework in chapter 12 provides a basis for financial quantification. The
ROI framework is:
n
−
−
n
−
−
Revenue
Revenue increase
Revenue sustainment
Cost
Cost reduction
Cost avoidance
For example, revenue increases in terms of customer satisfaction that translates
past performance reference for new sales, and revenue sustainment in terms of real-
izing the organizational mission and maintaining mission integrity that translates
into meeting SLAs and results in customer satisfaction and contract renewal. Cost
reduction may be in terms of reduced time spent chasing malware issues and more
time now spent on core services to customers; cost avoidance is in terms of legislative
compliance or avoidance of SLA penalties.
With the above as a guide, implementing IA may provide return on security
investment (ROSI) from the perspectives of revenue generation, revenue protec-
tion, cost reduction, and cost avoidance. For example:
