October 5, 2017 By Rick M Robinson 2 min read

When things go wrong with computer systems and networks, whether due to ordinary mishaps or malicious actors, the organizations that rely on those systems and networks are put at risk. They may suffer direct financial losses, reputational damage or both, with effects ranging from inconvenience to total loss and liquidation of the enterprise.

Understanding these hazards and their consequences is what risk analysis is all about. It may seem obvious, but too many organizations, and even security professionals, have lost sight of the importance of risk management. They are often so focused on expressing security expenditures in terms of return on investment (ROI) that they fail to account adequately for the risks those expenditures are meant to reduce. A security ROI figure is meaningless without the context of a risk analysis: ROI is a ratio of expected loss avoided to money spent, and the numerator comes from nowhere else.

The Challenges of Risk Analysis

In most cases, according to Errata Security, organizations “don’t have a sophisticated enough risk matrix in order to plug in some ROI numbers to reduce cost/risk.” Instead, the risk assessment numbers on which an ROI computation is supposedly based are often supplied by outside vendors or by security engineers, and have little basis in reality.

This challenge is particularly great because security risks are moving targets driven by malicious actors. Traditional engineering risk analysis, such as the reliability and safety planning done in industries like energy and utilities, is relatively straightforward because the hazards it models are accidental failures whose likelihood and cost can be estimated from engineering experience and historical failure data.

In contrast, security risks depend on technological considerations, such as potential points of vulnerability, as well as the “whims and fads of the hacker community,” according to Errata Security. Attackers adapt: a control that closes one avenue redirects their attention to the next, so last year’s loss figures are a poor predictor of next year’s. Because the technology is rapidly evolving and the ecosystem is deeply layered, risk assessment needs to consider not only vulnerabilities that exist now, but also new ones that may develop in the future.

The Architecture of Security

For these interrelated reasons, trying to justify security spending purely in terms of ROI is an artificial exercise. The presentation may sound crisp and businesslike, but it is so full of hidden asterisks that it is essentially meaningless.

So what should guide security professionals and business leaders to help them determine the right level of spending on cybersecurity? Errata recommended thinking about security engineering as analogous to architecture — not computer architecture, but the concrete and steel kind. When designers plan a building, they know they will need to provide a certain number of bathrooms to accommodate the building’s users, a calculation that requires no ROI computation.

Security is not an obscure mystery. We know the basic things we need to do to protect our systems and networks against cyberthreats, and we know how to limit the damage when an attack succeeds. We need to take action, not seek assurance from fanciful ROI computations.
