This principle seems obvious, right? Even if you are not a business in the traditional sense (e.g. a non-profit, government entity, et al.), you still have financial responsibilities.

This principle applies to information security in two ways:

  • Protecting information must be cost-effective.
  • Information security should enable business, not disable it.

Protecting information must be cost-effective.

In other words, the cost of protecting information must never exceed the cost of doing nothing. Good information security professionals are passionate about protecting information; sometimes too passionate. We see a risk, and we want to fix (remediate) it, but should we? Not always.

Not all risks require remediation; in fact, some risks should not be remediated. Before we remediate, we need to determine if remediation is cost-effective. For this, we can use some simple math. The equations are:

SLE * ARO = ALE

SLE is “single loss expectancy”, the potential cost (in dollars) to the organization if a bad thing happened. ARO is “annualized rate of occurrence”, how many times we expect the bad thing to happen every year. ALE is “annualized loss expectancy”, the amount of money we can expect to lose each year if we do nothing to remediate the risk.

If ACO < ALE, then you have a ROSI

ACO is “annual cost of ownership” for the remediation (maybe hardware costs, software costs, support costs, et al.). If the annual cost of ownership for the control is less than the annualized loss expectancy, you have a ROSI (return on security investment)! If the annual cost of ownership is more than the annualized loss expectancy, you might want to explore other options.

Other options for dealing with risks might be:

  • Risk acceptance
  • Risk avoidance
  • Risk transfer

The wrong option is to ignore the risk. This could get you in trouble!
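As an added example (not from the original post), the ALE and ROSI arithmetic above applied to several candidate controls for one risk. It goes one step beyond the post's rule by letting a control merely reduce the rate of occurrence instead of eliminating it; all dollar figures and control names are constructed for illustration.

```python
# Added example: ALE / ROSI comparison of candidate controls for a single risk.
# All figures below are constructed, not taken from the post.

def ale(sle, aro):
    """Annualized loss expectancy = single loss expectancy * annualized rate of occurrence."""
    return sle * aro

def evaluate_control(sle, aro, aco, aro_after=0.0):
    """Compare a control's annual cost of ownership (ACO) with the loss it avoids.

    aro_after=0 is the post's rule (the control removes the risk, so ACO < ALE
    means a ROSI); aro_after > 0 models a control that only lowers how often
    the event happens. Returns (annual_loss_avoided, net_benefit, has_rosi).
    """
    avoided = ale(sle, aro) - ale(sle, aro_after)
    net = avoided - aco
    return avoided, net, net > 0

def rank_controls(sle, aro, controls):
    """controls: list of (name, aco, aro_after).
    Returns (name, net_benefit, has_rosi) tuples, best net benefit first."""
    scored = []
    for name, aco, aro_after in controls:
        _, net, ok = evaluate_control(sle, aro, aco, aro_after)
        scored.append((name, net, ok))
    return sorted(scored, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    # Constructed scenario: a $40,000 loss expected twice a year -> ALE of $80,000
    SLE, ARO = 40_000, 2.0
    candidates = [
        ("laptop disk encryption", 12_000, 0.0),  # removes the risk entirely
        ("partial DLP rollout", 30_000, 0.5),     # cuts occurrences from 2/yr to 0.5/yr
        ("managed SOC retainer", 95_000, 0.0),    # removes the risk but costs more than ALE
    ]
    for name, net, ok in rank_controls(SLE, ARO, candidates):
        verdict = "ROSI" if ok else "no ROSI: consider accept / avoid / transfer"
        print(f"{name:24s} net ${net:>9,.0f}  {verdict}")
```

A control with no ROSI is not automatically rejected; it is the signal to look at acceptance, avoidance or transfer instead.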

Information security should enable business, not disable it.

In general, do you think information security enables business or gets in the way of doing business? Information security is not supposed to get in the way. Unfortunately, we often find poorly designed and/or implemented controls that inhibit a business’s ability to make money.

General rules for enabling business:

  • Information security objectives must be aligned with business objectives.
  • Information security controls should be as transparent as possible.
  • Information security should be used to increase efficiency, not to increase complexity.
  • Information security should be leveraged as a market differentiator.

The best information security control is a culture that sees value in information security.

“A Business is in Business to Make Money” is a core principle at FRSecure. Our clients benefit from sound information security solutions that are cost-effective and enable business.


Evan Francen
CEO at FRSecure
Nickname: "The Truth"

I am a 25+ year information security veteran, and I tell it like I see it. I’m not known for being politically correct, and this sometimes gets me into trouble. More often than not, however, clients and colleagues come to appreciate the candor and common sense approach. If you look at security (the right way), you’ll find that it’s just not as complicated as people make it. I hope you enjoy my writings on security and other miscellaneous things. I really have a strong and deep passion for helping people and making the world a better place.

Check out my new book UNSECURITY
