"Attempting to quantify the economic value of security-related information technology is a lot like understanding the value of an insurance policy. Value stems less from what's delivered to the buyer and more from what costs and negative impacts the buyer avoids should a catastrophic event occur. Avoiding costs can be more powerful than saving or making money. The problem is that quantifying avoided costs is only truly possible after disaster strikes. This reality can lead to some twisted thinking: a desire to capture value from a security-related technology is like hoping that your house will burn down so you can take advantage of your homeowners' policy," he wrote.
Which begs the question: if it's "twisted thinking" to expect any monetary reward for your security efforts, why bother doing ROI calculations at all? As Berry notes, particularly where the threats seem huge (for example, phishing) and where investment helps the organization meet regulatory requirements, or where the law mandates that customer information be protected, the proposed security technology morphs from a discretionary capital outlay to a must-have capability. So why bother analyzing potential value? Why not move straight to a feature-set analysis, determine if its functionality meets the law's requirements, and cut a cheque?
How about because of the truth of the old adage that "if you can't measure it, you can't manage it", Goldberg says. Or because security is bedevilled by the fact that there is so much any organization doesn't know that it doesn't know. Or because, while there's rarely a direct correlation to positive bottom-line impact in the ROI equation, organizations are starting to discover that the brand risk and trust risk from a security breach are far greater than was once appreciated, as can be the downstream negative revenue impacts.
"So the ROI then needs to be considered from a broader perspective," Goldberg says. "Where there are links that you can draw to your balance sheet, by all means do so that you measure that the technology investments you make are working. But then you also need the qualitative measurements that show you that the effectiveness of your technology investments and your procedural investments are actually working to meet an expected level."
Revealing Exercise
The very act of undergoing an economic value analysis can help show where the true value of the security technology rests, Berry says. It can also allow clearer thinking about the costs the technology might help avoid and the likely economic impact of current threats.
You can typically divide IT spending into an if-to-invest bucket and a when-to-invest bucket, Berry says. "If-to-invest technologies offer high risks and high rewards: large cost reductions from process efficiencies, profit impacts from revenue generation, re-engineered business models, and so on. They are also highly strategic in nature and it takes a thorough cost-benefit analysis to determine if they should go ahead.
"When-to-invest technologies - like databases, servers, networks, and HR applications - on the other hand, offer both far fewer risks and lower rewards. But since they're needed to keep the organizational 'lights on', the question around investment becomes when, not if."
Security-related technology, Berry notes, falls into both camps. On the one hand, security technology is a when-to-invest proposition, since managers perceive that the risk of doing nothing in the face of growing information-asset threats is enormous. On the other hand, security technology is also an if-to-invest proposition with the flavour of a strategic technology since the deployment of a specific kind of security technology can influence an organization's security strategy.
"So since security technology exists in a kind of value assessment purgatory, is there managerial benefit in analyzing the economic value of security technology?" Berry's paper asks. "Certainly, but not because such an exercise will help the organization decide to invest or not invest - we have already conceded that most organizations will invest in security technologies regardless of what the ROI or net present value (NPV) figure is."
Instead, he says companies should analyze the economic value of security technology as if it were the most complex, risky, and strategic product around because of what the effort will reveal to them.



