Quantifying value for security programs is difficult at best. Intel successfully developed and employed a method to measure the value of security programs across our worldwide factories. Although not a silver bullet for measuring all security programs, it does show that in some circumstances value can be quantified to the level needed to make sound business decisions.
This is one of many different methods Intel leverages to determine the value of security programs. The difference is being able to tie in hard numbers for prevented losses, together with the ability to predict future impacts with reasonable accuracy. Other available methods rely on more qualitative descriptions of value and lack a dollars-and-cents measure. Although no single methodology fits all situations, Intel has found a niche for this metric, which offers an empowering view of security value.
The full whitepaper
Monroerl
ROI? Why?
I know of several companies that have no reason to have any sort of security. When I was a child, I didn't need data security either, so there was no need to spend a dime to protect my data. When using terminology like "ROI" or "breakeven points", you are confusing budgeting resources with investing resources. The simple way to look at security is to ask which data is important and which data is not for your company. Only your stakeholders will know what the company data is worth. Your clients will certainly know what their data is worth when they prepare to sue your company for fraud or breach of contract when their data is leaked out all over the Internet with your company name on it.
Ask your cyber insurance folks, or your Risk Management people. What is your data worth? How long can your company operate without its data? How much are your intangible assets worth, and which portions of your assets can you afford to lose? We need to compare apples to apples, get the metrics right and measure from there.
Thank you