Value creation and Return On Security Investments (ROSI)
This paper investigates whether IT security can be regarded as part of value creation. The first part focuses on the current theoretical conditions for treating IT security as part of value creation. Different Return On Security Investment (ROSI) models are studied to determine whether they can measure value creation in terms of either efficiency or effectiveness. The second part examines empirical evidence of a ROSI, or of any shareholder value perspective on IT security, in three large listed companies from different business segments. What they have in common is their first priority: value creation. The paper begins by describing the “Productivity Paradox”, followed by the best-known ROSI models. It then examines the models’ applicability to value creation. Next, the three companies in the study are investigated. Conclusions are drawn in the following section, and finally the results of the research are discussed.
Keywords: Cash Flow; Intrusion Detection System; Free Cash Flow; Listed Company; Security Investment
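As an added illustration of why a ROSI ratio and a cash-flow view of value creation can disagree, the following Python script (written for this page; it is not from the paper and not one of the models the paper studies) puts the widely cited ALE-based ROSI formula, ROSI = (ALE × mitigation ratio − annual cost) / annual cost, next to a net present value of the same control's avoided losses and costs. The input figures (loss expectancy, control cost, horizon, discount rate) are constructed for the example.

```python
"""Added example: single-year ALE-based ROSI versus a discounted
free-cash-flow (NPV) view of one security control.

Not from the paper. ROSI here is the commonly cited ALE-based ratio,
not any specific model studied in the paper. All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityInvestment:
    sle: float         # single loss expectancy: loss per incident, currency units
    aro: float         # annualised rate of occurrence: incidents per year
    mitigation: float  # fraction of the ALE the control removes, 0..1
    capex: float       # one-off acquisition cost paid at t = 0
    opex: float        # recurring yearly cost (licences, staff, tuning)
    years: int         # planning horizon in years


def ale(inv: SecurityInvestment) -> float:
    """Annual loss expectancy before the control is in place."""
    return inv.sle * inv.aro


def rosi(inv: SecurityInvestment) -> float:
    """ALE-based ROSI for one year: (avoided loss - cost) / cost.

    Capex is spread straight-line over the horizon. This is an efficiency
    ratio: it ignores when the money moves and the time value of money.
    """
    annual_cost = inv.capex / inv.years + inv.opex
    avoided_loss = ale(inv) * inv.mitigation
    return (avoided_loss - annual_cost) / annual_cost


def npv(inv: SecurityInvestment, discount_rate: float) -> float:
    """Net present value of the control over the horizon.

    Year 0 carries the capex as a negative cash flow; each later year
    contributes avoided expected loss less opex, discounted at the rate.
    """
    cash_flows = [-inv.capex]
    for _ in range(inv.years):
        cash_flows.append(ale(inv) * inv.mitigation - inv.opex)
    return sum(cf / (1 + discount_rate) ** t for t, cf in enumerate(cash_flows))


def measures_agree(inv: SecurityInvestment, discount_rate: float) -> bool:
    """True when ROSI and NPV give the same accept/reject signal."""
    return (rosi(inv) > 0) == (npv(inv, discount_rate) > 0)


# Constructed figures: an IDS deployment expected to remove 80 % of a
# 100 000/year exposure, costing 150 000 up front and 20 000 per year.
EXAMPLE = SecurityInvestment(
    sle=200_000.0, aro=0.5, mitigation=0.8,
    capex=150_000.0, opex=20_000.0, years=3,
)
COST_OF_CAPITAL = 0.10  # constructed discount rate


def main() -> None:
    print(f"ALE before control : {ale(EXAMPLE):>12,.0f}")
    print(f"ROSI (one year)    : {rosi(EXAMPLE):>12.1%}")
    print(f"NPV at 0 %         : {npv(EXAMPLE, 0.0):>12,.0f}")
    print(f"NPV at {COST_OF_CAPITAL:.0%}        : {npv(EXAMPLE, COST_OF_CAPITAL):>12,.0f}")
    print("ROSI and NPV agree :", measures_agree(EXAMPLE, COST_OF_CAPITAL))


if __name__ == "__main__":
    main()
```

With these constructed figures the ROSI is positive (about 14 %), and the undiscounted NPV is the same 10 000 per year summed over three years, but at a 10 % cost of capital the NPV turns slightly negative because the capex is paid before any loss is avoided. That gap is the kind of efficiency-versus-value distinction the paper's comparison of ROSI models against a shareholder value view turns on.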