CSO
Hoping the House Burns Down
Sue Bushell 28/09/2006 12:22:48

Berry says an ROI analysis can illuminate the following ideas for managers:

»Because the value of security-related IT is commonly captured in cost avoidance, accurate forecasts on the probability of a threat can help the organization prioritize security technology investment.

»Any rigorous financial modelling should expose the hidden costs lurking under the price tag for the security technology investment, including the cost impact of the various types of organizational or process change that the investment introduces into the organization. Exposing hidden costs is critical when the investment offers no direct economic benefit, because the cost side of the ledger has a bigger influence on the ROI.

»People, process, and organizational change introduced by security technology can have multiple impacts on the organization; economic analysis heightens an awareness of these impacts before the investment is made.

»Managers get so caught up in forestalling real security threats to their information and IT infrastructures that project risks can easily be overlooked. An ROI analysis reminds managers in organizations where project management skills are limited that security technology implementation faces the same project risks as any other IT project.

»Perhaps most importantly, economic analysis provokes a larger discussion and review of the organization's entire security strategy.

"On a very practical level the analysis asks the organization: 'Are we equipped to use the security related technology optimally?' In other words: 'Are we going to use all of the functionality to the best of our ability and are the people that are going to use this technology equipped to take full advantage of the functionality of the software?'" Berry writes.

Take the example of Fraud Detection Software (FDS), used to help organizations discover potentially suspicious activity from online visitors and forestall an actual security breach. FDS helps an organization pre-empt the real damage wrought by phishing, hacking, or other security breaches by proactively flagging suspicious Web site activity that is an early indicator of these disastrous outcomes, and it automates the investigative process of mining this data for suspicious activity.

Historically, organizations that had bothered to monitor Web server logs in search of potentially compromising behaviour from outsiders relied upon painstaking and time-consuming line-by-line file reviews from technical staff, Berry notes. Under these circumstances would an ROI analysis help any organization contemplating investment in this FDS technology?

Perhaps not, especially if the organization was experiencing the very kind of information security breach this technology is supposed to help it avoid, Berry says.

"The company might find itself in the throes of paranoia and panic. Economic value analysis, meant to illuminate how value is expected to be achieved for the money invested and the foundation of a decision to implement a particular technology, is an extraneous data set to the beleaguered manager perceiving an immediate need for a technological solution to a damaging security breach. If any laws were broken as a result of the attack that would subject the organization to fines, that only heightens the urgency to dispense with value analysis on the way to procurement. Besides, some of the benefits from FDS are very difficult to quantify.

"However, even if the organization under these circumstances does see an ROI analysis as a distraction, the questions such an analysis asks of managers who take security management seriously are still quite relevant. The exercise has value as it provokes the kinds of questions that focus attention on how the investment fits in with the current and future security strategy. Is the strategy improved? Must it change in some way to accommodate the new security technology?"

Often, the very act of asking such questions can be highly illuminating.
