Has your network ever suffered intrusion or misuse? If not, you're among the fortunate few. If so, the cause might have been a virus, worm, or Trojan horse; a workstation, server, or router breach; or an employee misusing company services and bandwidth. In any case, have you ever calculated the cost to clean up such messes and return everything to its prior state? Although you might find calculating such losses tedious, you can find ways to reach a fairly accurate figure.
Dave Dittrich's online FAQ "Estimating the cost of damages due to a security incident" can help you think of the factors to consider and the costs to associate with each factor in the clean-up process. Dittrich notes that proposed Senate Bill S.2448, "The Internet Integrity and Critical Infrastructure Protection Act of 2000" introduced in the 106th Congress), defines how organizations can calculate loss. According to Senate Bill S.2448, "The term 'loss' means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service."
According to Dittrich's interpretation of the bill's definition, tallied costs should include all staff time spent cleaning up damage; lost productivity time, including that of users (who lacked working systems) and business partners (who were denied service during this period); lost time in terms of e-commerce revenue; and the price of replacing hardware, software, and other damaged or stolen property. The loss calculation shouldn't include precautionary measures put in place to prevent similar attacks in the future. You should consider such measures part of ordinary systems administration.
Dittrich also cites the Incident Cost Analysis & Modeling Project (ICAMP) that the Committee on Institutional Cooperation (CIC) and the University of Chicago conducted. ICAMP figures the basic monetary loss relative to affected users by calculating an hourly wage (dividing an annual salary by 52 weeks, then by 40 hours) and multiplying that wage by hours of work lost. As you'll see, the ICAMP materials calculate additional costs as well.
Dittrich's FAQ is short, to the point, and a good place to start to learn how to calculate security-related losses. The FAQ includes a sample Microsoft's Excel spreadsheet that you can use as a model to help build a loss-calculation tool for your enterprise.
For more information, read CIO Magazine's February 15, 2002, article "Finally, A Real Return on Security Spending", which discusses an approach to calculating Return on Investment (ROI) for Intrusion Detection Systems (IDSs). The February 15 article references another article's sidebar, "Calculating Return on Security Investment". The sidebar presents a relatively simple formula for the ROI calculation: (R - E) + T = ALE, in which R is the cost per year to recover from intrusions, E is the dollar savings gained by preventing intrusions, and T is the cost of an intrusion-detection tool. The result is your Annual Loss Expectancy (ALE). To calculate Return on Security Investment (ROSI), subtract your ALE from the annual cost of intrusion.
Many of you have trouble getting your managers to approve budgets for security-related tools. You need clear ways to demonstrate the value of security-related measures and tools. You'll find calculating actual losses from intrusion or misuse a great way to justify a more adequate security budget, especially for preventive measures.
