If we measure a particular cause's success by how high up the food chain pleas for it go, it's apparent that information security has gained some serious ground. Two years ago, security practitioners considered themselves lucky to even have the word security in their titles, and now we've got White House aides and CEOs from industry behemoths such as Cisco and Microsoft proclaiming security as core to their efforts.
Talk may be cheap, but the infosec price tag is not. It shouldn't come as a surprise that the infamous TCO (total cost of ownership) and ROI (return on investment) justifications have descended upon the unsuspecting troopers in the infosec trenches. Apparently, it's time for us security geeks to learn some new tricks.
Like many people active in the security community, I spend a good portion of my spare time frequenting a select group of public mailing lists. One of my longtime favorites is the SecurityFocus IDS list, primarily because my intrusion-detection coverage for Network Computing has left me with an unquenchable thirst for knowledge and because of the high caliber of contributing list members. Amid all the normal mailing-list noise is some truly insightful dialogue. For example, shortly after a debate on NIDS (network-based intrusion-detection system) testing erupted, a completely nontechnical question burst into our inboxes: What's the ROI on an IDS solution? You expect to hear about packet normalization and application evasion techniques on an IDS list, but ROI discussions? Certainly not.
The thread brought about interesting comments, good pointers to articles and a few proposed formulas for calculating potential ROI values for an IDS deployment.
One proposal suggested calculating the annualized loss expectancy (ALE) using asset values, the percentage of loss expected per incident, and the total number of estimated incidents. By determining the ALE, you could compare it to the costs of maintaining the IDS solution (essentially, IDS' TCO), which could then be used to calculate the technology's ROI. A team from the University of Idaho submitted a paper in which it proposed factoring in annual costs from an estimated number of intrusions. (Users wishing to investigate the actual equations can read the thread.)
Obviously, people put a great deal of thought behind many of these ROI proposals, but it's difficult to "plug and chug" with these formulas because there are too many unknowns. For example, most organizations are unable to quantify their digital assets in fiscal terms. Many organizations do not know how many security incidents they have actually faced, nor have they tracked how much those incidents have cost.
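To make the ALE-versus-TCO comparison concrete, here is an added example (not from the column or the list thread, whose exact equations are not reproduced here) using the textbook ALE form: asset value times the fraction lost per incident times the expected incidents per year. All dollar figures, the 50% IDS-effectiveness factor and the sweep ranges are constructed assumptions; the sweep shows how the unknowns above swing the ROI from negative to strongly positive.

```python
from dataclasses import dataclass, replace
from itertools import product

@dataclass(frozen=True)
class Scenario:
    asset_value: float         # dollar value of the assets the IDS protects (assumed)
    loss_fraction: float       # fraction of asset value lost per incident (exposure factor)
    incidents_per_year: float  # estimated annual number of incidents
    ids_effectiveness: float   # fraction of incident loss the IDS is assumed to prevent
    ids_tco: float             # annual cost of owning and operating the IDS

def ale(asset_value: float, loss_fraction: float, incidents_per_year: float) -> float:
    """Annualized loss expectancy: single-loss expectancy times incidents per year."""
    single_loss_expectancy = asset_value * loss_fraction
    return single_loss_expectancy * incidents_per_year

def ids_roi(s: Scenario) -> float:
    """ROI = (loss avoided - IDS cost) / IDS cost, with loss avoided = ALE * effectiveness."""
    avoided = ale(s.asset_value, s.loss_fraction, s.incidents_per_year) * s.ids_effectiveness
    return (avoided - s.ids_tco) / s.ids_tco

def roi_range(base: Scenario, loss_fractions, incident_counts) -> tuple[float, float]:
    """Sweep the two inputs most organizations cannot pin down (loss per incident and
    incident count) and return the lowest and highest ROI the sweep produces."""
    rois = [
        ids_roi(replace(base, loss_fraction=lf, incidents_per_year=n))
        for lf, n in product(loss_fractions, incident_counts)
    ]
    return min(rois), max(rois)

# Constructed baseline: $2M of assets, 5% lost per incident, 4 incidents/year,
# an IDS assumed to prevent half the loss, costing $150k/year to run.
BASE = Scenario(asset_value=2_000_000, loss_fraction=0.05, incidents_per_year=4,
                ids_effectiveness=0.5, ids_tco=150_000)

if __name__ == "__main__":
    print(f"ALE:  ${ale(BASE.asset_value, BASE.loss_fraction, BASE.incidents_per_year):,.0f}")
    print(f"ROI:  {ids_roi(BASE):.2%}")
    lo, hi = roi_range(BASE, (0.01, 0.05, 0.10), (1, 4, 10))
    print(f"ROI over plausible unknowns: {lo:.0%} to {hi:.0%}")
```

With the baseline inputs the IDS returns about 33%, but the same model yields anywhere from roughly -93% to +567% once the loss fraction and incident count are allowed to vary across ranges an organization without incident records could not rule out.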
These first-run ROI models may leave some organizations with more questions than answers. But that's not necessarily a bad thing. Organizations must start answering some basic questions, primarily, what do I have and how much is it worth to me? Asset identification, as trite as it may sound, is still a cornerstone. By gathering answers to some of the basics, organizations can begin to understand the true security risks and, in turn, potential returns on security investments.
As security spending increases, so will the need to express security issues in more traditional business terms. Refined ROI formulas and methodologies are sorely needed. Larger data sets are sorely needed. There's a long road ahead of us, but the closer we come to tangible numbers, the closer we come to answering the really important questions, like how does our beverage budget compare to our security budget?
Send your comments on this column to Greg Shipley at gshipley@neohapsis.com.