Value creation and Return On Security Investments (ROSI)

  • Christer Magnusson
  • Josef Molvidsson
  • Sven Zetterqvist
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 232)


This paper investigates whether IT security is a part of value creation. The first part of the commentary focuses on the current theoretical conditions for IT security as a part of value creation. Different Return On Security Investment (ROSI) models are studied to investigate whether they can calculate value creation with regard either to efficiency or to effectiveness. The second part of the paper investigates empirical evidence of a ROSI, or any indication of a shareholder value perspective on IT security, in three large, listed companies from different business segments. What they have in common is their first priority: value creation. The commentary begins by describing the “Productivity Paradox”. It is followed by the most well-known ROSI models. Then, it explains the models’ applicability in value creation. Next, the three companies in the study are investigated. In the following section, conclusions are drawn. Finally, the results of the research are discussed.


Keywords: Cash Flow; Intrusion Detection System; Free Cash Flow; Listed Company; Security Investment



Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • Christer Magnusson (1)
  • Josef Molvidsson (1)
  • Sven Zetterqvist (1)
  1. Department of Computer and System Sciences, Stockholm University/Royal Institute of Technology, Kista, Sweden
