March 2004      

 

WHAT'S NEW!

Alinean and IDC present their exclusive ROI selling solutions to empower IT vendors to accelerate sales cycles, lessen discounting and gain competitive advantage.

 

San Jose, CA, United States: Mar 31, 2004

Boston, MA, United States: Apr 07, 2004

 
 

IN THIS ISSUE:

FEATURE STORY:
Is There A Business Case for Security?

The ROI for Anti-Spam Initiatives

 

Quote of the Month

“As security has now started showing some signs of maturation, we are seeing a gradual growth in understanding that technology risk needs to be managed in parallel with IT, rather than within IT. But it is difficult to find an executive other than the CIO who is willing to take over an area like information security before it fully matures. Of course, even many CIOs are still resistant.”

– Mark Bouchard, a senior program director for Meta Group

 
 





About Alinean

Today’s rapidly changing economic climate supports the renewed need for information technology cost-justification. Alinean aligns IT spending and business performance through research methodologies and customized software tools, which measure and quantify the value of technology investments. For more information on Alinean and its tools for both vendors, consultants and CIOs, call 407.382.0005 or visit www.alinean.com.

Is There A Business Case for Security?

Security spending is one of the top five IT priorities for 2004, with spending expected to increase 15 to 20 percent this year. But even with companies devoting a larger portion of the IT budget to security initiatives, security officers are still demanding more money to stave off increasing risks.

Scare tactics around the intangible fear, uncertainty and doubt (FUD) of security risks used to be enough to attract the necessary funding. But now, even as security spending shifts from discretionary to necessary, executives are having a hard time prioritizing between security projects and competing business programs. With more than 80 percent of all companies reporting security breaches in 2003, and most breaches having at least a modest business impact, security proposals must mature so they can be fairly assessed against other priorities.

So is there a business case for security investments? Yes and no.

The risks of security issues can be quantified, as can the cost to mitigate the issue. The cost and risk mitigation benefits can then be compared to calculate key financial metrics such as payback and ROI.

However, unlike other business cases, the risk mitigation is a “soft” benefit: there is likely a benefit, but it is unclear whether the predicted savings will be realized in the corporate bottom line. The “risk of a security issue” is uncertain by definition, so even if the proposed security solution is not purchased, it may turn out that:

a) the risk of a security breach is not realized and the predicted breach never occurs, or

b) the security breach occurs, but its scope and damage are less than predicted.

This issue of soft vs. hard benefits does not invalidate the security business case, but it does make it unique. While almost all business cases include both hard and soft benefits, most of the important benefits with security business cases are soft.

The first step in developing a business case for security solutions is to start with the potential benefits of the proposed solution, which can be grouped into four major categories: 

· Reducing Security TCO – New security solutions can lower costs for hardware, software, maintenance and support, labor and services expenses. This benefit should not drive the decision, as the main goal is to reduce risks, but many security business cases can pay for themselves in fewer than 12 months based on these hard savings, particularly in the areas of security policy and patch management.

· Reducing Respond and Resolve Costs – Every time a breach occurs, the IT department resolves the issue, repairs damage, and often conducts forensics to prevent the threat from re-emerging. New security investments can mitigate the probability of a breach, and if a breach does occur, reduce the effort needed to respond, and shorten post mortem forensics.

· Reducing Business Impact – Most breaches cause business damage in the form of productivity losses, as employees and customers struggle with infected machines and related downtime. Although this soft benefit is harder to estimate, the business impact is the largest cost when a serious breach occurs. New security investments reduce the probability that a security breach will occur, and limit the potential scope and duration of the issue.

· Reducing Collateral Damage – Softer still and even harder to estimate is a security breach’s collateral damage, including litigation fees, fines for information disclosure and harm to the company’s overall image and brand. Security solutions can minimize the risk and scope of the breach and therefore lessen the risk of collateral damage.

Types of Risks

Alinean has grouped the types of risk an organization faces, and that a security investment helps mitigate, into six major categories, with the following average risks and impacts:

| Typical Threats | Avg. Risk of Breaches per Year (per 1,000 users) | Avg. IT Staff Hours per Breach (Respond, Resolve and Forensics) | Avg. Business and Collateral Damage per Breach |
|---|---|---|---|
| Virus / Worms / Trojans | 2 | 4 hours per infected asset | $24,000 |
| Denial of Service | 2 serious incidents | 32 hours per system | $122,000 |
| Data Destruction / Damage | 1 | 120 hours | $350,000 |
| Physical Theft Disclosure | 1 in 4 former employees leaves with assets | 2 hours | $5,000 |
| Information Theft and Disclosure | 1 | 180 hours | $250,000 |
| Policy Violation | 30 | 2 hours | $20,000 |
| Errant User Behavior | 15 | 2 hours | $20,000 |

History repeats itself, so using the company’s own security breach experiences adds credibility to the accuracy of the risk assessment. Keeping a log of breaches and their costs, and including these in the business case, bolsters the typical impact of security investments. Using this personal experience can help adjust the probability risk for your own company.

To calculate the probability of the risk:

Predicted number of breaches per year = personal probability of a security breach occurring × (estimated number of incidents per 1,000 users ÷ 1,000) × number of users

To assess the potential damage, it’s good to understand which assets need to be protected. The averages included in the table above may wildly overestimate – or worse – underestimate the potential business risk, because the asset value under breach may be less or more critical to your business than the average company. It’s important to match each risk and scope against your own business assets – such as key company databases, Web sites, portals, systems and facilities – in order to assess the potential extent of the damage.
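The formula and the table above can be combined into a small risk-based business case calculator. The following Python is an added example written for this page, not Alinean's own tool: it transcribes the table's averages, applies the predicted-breaches formula with a per-threat "personal probability" adjustment of the kind the article suggests deriving from your own breach log, and splits the avoided loss into hard savings (IT labor, at an assumed loaded hourly rate) and soft savings (business and collateral damage), which is the distinction the article draws. The hourly rate, solution cost, risk-reduction percentage and the virus multiplier in the scenario at the bottom are assumptions, as is treating the virus row's "per infected asset" hours as per-breach hours and leaving out the physical-theft row, whose rate is per former employee rather than per 1,000 users.

```python
# Added example (not Alinean's tool): risk-based business case built from the
# newsletter's breach formula and its average-risk table.
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class ThreatProfile:
    name: str
    incidents_per_1000_users: float  # "Avg. Risk of Breaches per Year (per 1,000 users)"
    staff_hours_per_breach: float    # "Avg. IT Staff Hours per Breach"
    damage_per_breach: float         # "Avg. Business and Collateral Damage per Breach", USD


# Transcribed from the newsletter's table. Two simplifications, both assumptions
# made here: the virus row's "4 hours per infected asset" is treated as 4 hours
# per breach, and the physical-theft row is omitted because its rate is per
# former employee rather than per 1,000 users.
NEWSLETTER_AVERAGES = (
    ThreatProfile("Virus / Worms / Trojans", 2, 4, 24_000),
    ThreatProfile("Denial of Service", 2, 32, 122_000),
    ThreatProfile("Data Destruction / Damage", 1, 120, 350_000),
    ThreatProfile("Information Theft and Disclosure", 1, 180, 250_000),
    ThreatProfile("Policy Violation", 30, 2, 20_000),
    ThreatProfile("Errant User Behavior", 15, 2, 20_000),
)


def predicted_breaches_per_year(profile, users, personal_probability=1.0):
    """The newsletter's formula: personal probability * incidents per 1,000 users * users.

    personal_probability is the company's own adjustment (1.0 = industry average,
    3.0 = "we see three times the average"). Multiplying before dividing by
    1,000 keeps whole-number inputs exact.
    """
    return personal_probability * profile.incidents_per_1000_users * users / 1000


def annual_loss_exposure(profiles, users, loaded_hourly_rate, personal_probabilities=None):
    """Return (hard, soft) expected annual loss in USD summed over all threat types.

    hard = respond/resolve/forensics labor at an assumed loaded hourly rate;
    soft = business and collateral damage, the benefit the article calls "soft".
    """
    personal_probabilities = personal_probabilities or {}
    hard = soft = 0.0
    for p in profiles:
        breaches = predicted_breaches_per_year(p, users, personal_probabilities.get(p.name, 1.0))
        hard += breaches * p.staff_hours_per_breach * loaded_hourly_rate
        soft += breaches * p.damage_per_breach
    return hard, soft


def business_case(profiles, users, loaded_hourly_rate, risk_reduction,
                  annual_solution_cost, personal_probabilities=None):
    """Key metrics for a solution expected to remove `risk_reduction` (0..1) of the exposure."""
    hard, soft = annual_loss_exposure(profiles, users, loaded_hourly_rate, personal_probabilities)
    hard_savings = hard * risk_reduction
    soft_savings = soft * risk_reduction
    total_savings = hard_savings + soft_savings
    net = total_savings - annual_solution_cost
    return {
        "annual_loss_exposure": hard + soft,
        "hard_savings": hard_savings,
        "soft_savings": soft_savings,
        "net_benefit": net,
        "roi_percent": 100.0 * net / annual_solution_cost,
        "payback_months": 12.0 * annual_solution_cost / total_savings if total_savings > 0 else inf,
        # How much of the case rests on avoided damage rather than on hard labor savings
        "soft_share_of_savings": soft_savings / total_savings if total_savings > 0 else 0.0,
    }


if __name__ == "__main__":
    # Assumed scenario: 1,000 users, $75/hour loaded IT labor, a solution costing
    # $100,000 a year expected to remove half of the exposure, and a breach log
    # showing virus incidents at three times the industry average.
    case = business_case(NEWSLETTER_AVERAGES, users=1000, loaded_hourly_rate=75,
                         risk_reduction=0.5, annual_solution_cost=100_000,
                         personal_probabilities={"Virus / Worms / Trojans": 3.0})
    for metric, value in case.items():
        print(f"{metric:24s} {value:>16,.2f}")
```

The soft share of savings is the number to put in front of the executive: with the table's averages, nearly all of the benefit is avoided damage rather than labor, which is exactly the "softness" the article warns about. A conservative case compares only the hard savings with the solution cost and presents the soft savings as the risk-adjusted upside.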

Bottom-Line

1) As security spending increases, a business case is essential for proposed security investments to get their fair share of the budget.

2) The business case for security is “softer” than most, but still valid.

3) Use a risk-based approach to the business case, estimating the potential risk to the company with regards to respond and resolve costs, business impact and collateral damage.

Like all business-related IT expenditures, security investments require metrics-based justification in the boardroom.  While FUD warnings lost their value long ago, sophisticated business cases are not yet universal.  For security managers to justify desired spending, however, hard and soft security costs need to be quantified.


The ROI for Anti-Spam Initiatives

Nearly 36 percent of all e-mail messages received today are spam, according to a recent study by NetIQ of 750 small and large organizations worldwide.  That’s a six-fold increase over the past three years.  The issue has reached such epidemic proportions that if its growth goes unabated, it can potentially ruin the utility and business value of e-mail.  

As the spam count mounts, the cost of managing the overflow rises, now estimated at $285 per employee, per year in lost productivity and incremental IT costs. As a result, the business case for anti-spam tools continues to increase: The typical organization obtains a payback on anti-spam solutions in six months or less, and an ROI of well over 300 percent. 

In companies of every size, users complain about the overflow of e-mail in their inboxes each morning, how long it takes to weed through it all, and increasingly, how embarrassing the e-mails can be to the user and the company.  The impact of spam is most heavily felt in three areas of the business: 

1. Lost Productivity – Spam has the greatest impact on employees; more than 80 percent of the cost related to lost productivity is managing and deleting unwanted e-mails. Studies show that the average user receives more than 25 spam e-mails each day, and even though these e-mails take about five seconds to recognize and resolve, small productivity hits of two minutes per employee, per day over the course of a year add up quickly.

The costs multiply for remote users and for employees who access e-mail via voice-mail or wireless devices. The impact of spam results in an average 0.4 percent productivity loss per employee, per year. For a typical 1,000-user organization, that means more than $250,000 in lost productivity yearly.

2. IT Costs – For IT, the costs are both technical and human. Spam consumes an estimated 11 percent of total Internet bandwidth costs and almost 500 GB of storage each year. In addition, it generates more than five help desk support calls per day for every 100 users, and requires additional administrative staff to help manage and address the inquiries.

For a typical 1,000-user organization, incremental IT costs are almost 20 percent of the total cost of spam, resulting in additional costs of approximately $38,000 yearly.

3. Legal and Security Risks – E-mails laced with sexual content, discriminatory humor, viruses, worms and Trojans are becoming more common, and companies need to take proactive measures to filter such messages, or they risk facing costly consequences. If a legal issue arises, the fact that IT did not act to reduce these e-mails may jeopardize IT managers’ positions. The potential legal and security risks are difficult to quantify, but if even one of these risks is realized, the cost to the organization can easily outweigh the more tangible IT and lost productivity costs.

No silver bullet will resolve this problem immediately, but in the near term, these techniques will help mitigate spam’s impact: 

· Educate users. How users behave influences how much spam they attract. One very effective preventative tool is to educate users not to visit or register on questionable Web sites, and not to respond to spam e-mails. Also, organizations should avoid publishing e-mail addresses on public Web sites, since spam programs scrape these sites for new targets.

· Implement text analysis. Administrators can configure anti-spam solutions to recognize words used by spammers and prevent these from being routed to users’ inboxes.

· Execute header analysis. E-mail headers often contain clues that the message is spam. Headers can be analyzed to block spam messages.

· Establish blacklists for e-mail hosts, domains and users. Blocking messages from known spam hosts, domains and users can help significantly cut down on unwanted e-mails.

· Invest in anti-spoofing. Preventing spam e-mails from looking like legitimate correspondence will help users differentiate the good from the bad, so they’re not fooled into responding and attracting even more spam.
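Three of the techniques in the list above (text analysis, header analysis and blacklists) are mechanical enough to show in code. The following Python is an added example, not code from Alinean or from any anti-spam product: it scores a message with one simple rule per technique and then measures catch rate and false-positive rate on a small constructed corpus, which is the check that the article's later concern about blocking valid communications calls for. The block-listed domains, phrase weights, header heuristics, threshold and every message in the corpus are constructed for illustration (all addresses use the reserved .example domain).

```python
# Added example (not Alinean's or any vendor's code): rule-based spam scoring with
# text analysis, header analysis and a block list, plus a false-positive check.
import email
import re
from email.utils import parseaddr

# Constructed block list of hosts and domains (hypothetical; .example TLD).
BLOCKED_DOMAINS = {"bulk-offers.example", "cheap-meds.example"}

# Constructed phrase weights for the text-analysis rule.
SPAM_PHRASES = {
    "viagra": 3.0, "click here": 1.5, "act now": 1.5,
    "free": 1.0, "guaranteed": 1.0, "limited time": 1.0, "unsubscribe": 0.5,
}

def _domain(header_value):
    # Domain part of an address header such as 'Bob <bob@corp.example>'
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def blacklist_score(msg):
    """Block-list rule: sender domain, or any relaying host named in a Received header."""
    reasons = []
    sender = _domain(msg.get("From"))
    if sender in BLOCKED_DOMAINS:
        reasons.append(f"sender domain {sender} is block-listed")
    for received in msg.get_all("Received", []):
        for host in re.findall(r"\bfrom\s+([\w.-]+)", received, re.IGNORECASE):
            host = host.lower()
            if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
                reasons.append(f"relayed via block-listed host {host}")
    return (5.0 if reasons else 0.0), reasons  # one hit is decisive; do not stack

def header_score(msg):
    """Header-analysis rule: clues that the envelope was forged or bulk-generated."""
    score, reasons = 0.0, []
    if not msg.get("Message-ID"):
        score += 1.5; reasons.append("missing Message-ID")
    from_dom, rp_dom = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    if from_dom and rp_dom and from_dom != rp_dom:
        score += 2.0; reasons.append(f"From domain {from_dom} differs from Return-Path {rp_dom}")
    to = (msg.get("To") or "").lower()
    if not to or "undisclosed" in to:
        score += 1.0; reasons.append("recipient list hidden")
    return score, reasons

def text_score(msg):
    """Text-analysis rule: weighted phrases, a shouting subject, exclamation marks."""
    subject = msg.get("Subject") or ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{subject}\n{body}".lower()
    score, reasons = 0.0, []
    for phrase, weight in SPAM_PHRASES.items():
        hits = text.count(phrase)
        if hits:
            score += weight * hits; reasons.append(f"phrase '{phrase}' x{hits}")
    letters = [c for c in subject if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.6:
        score += 1.0; reasons.append("subject mostly upper-case")
    if text.count("!") >= 3:
        score += 1.0; reasons.append("three or more exclamation marks")
    return score, reasons

def classify(raw_message, threshold=4.0):
    """Return (is_spam, score, reasons) for an RFC 822 message string."""
    msg = email.message_from_string(raw_message)
    total, reasons = 0.0, []
    for rule in (blacklist_score, header_score, text_score):
        s, r = rule(msg)
        total += s; reasons.extend(r)
    return total >= threshold, round(total, 1), reasons

def evaluate(corpus, threshold=4.0):
    """(catch rate, false-positive rate) over (raw_message, is_spam) pairs."""
    spam = [m for m, is_spam in corpus if is_spam]
    ham = [m for m, is_spam in corpus if not is_spam]
    return (sum(classify(m, threshold)[0] for m in spam) / len(spam),
            sum(classify(m, threshold)[0] for m in ham) / len(ham))

def _msg(headers, body):
    # Build a raw RFC 822 string from (name, value) header pairs and a body
    return "".join(f"{k}: {v}\n" for k, v in headers) + "\n" + body + "\n"

# Constructed corpus of (raw message, is_spam) pairs; none of these are real mail.
CORPUS = [
    (_msg([("Return-Path", "<promo@cheap-meds.example>"), ("To", "undisclosed-recipients:;"),
           ("Received", "from mail.cheap-meds.example by mx.corp.example"),
           ("From", "Pharmacy <deals@cheap-meds.example>"), ("Subject", "VIAGRA guaranteed cheapest!!!")],
          "Click here for a limited time offer. Act now!"), True),
    (_msg([("Return-Path", "<bounce@track-mailer.example>"), ("To", "undisclosed-recipients:;"),
           ("Received", "from relay7.track-mailer.example by mx.corp.example"),
           ("From", "Rewards Desk <rewards@bigbank-alerts.example>"), ("Subject", "ACT NOW: FREE $500 GIFT CARD")],
          "Limited time! Click here to claim your guaranteed reward."), True),
    (_msg([("Return-Path", "<news@newsletter.example>"), ("To", "alice@corp.example"),
           ("Received", "from smtp.bulk-offers.example by mx.corp.example"), ("Message-ID", "<w09@newsletter.example>"),
           ("From", "News <news@newsletter.example>"), ("Subject", "Weekly deals")],
          "Great savings this week; unsubscribe at the bottom."), True),
    (_msg([("Return-Path", "<bob@corp.example>"), ("To", "alice@corp.example"),
           ("Received", "from mail.corp.example by mx.corp.example"), ("Message-ID", "<q1-review@corp.example>"),
           ("From", "Bob <bob@corp.example>"), ("Subject", "Q1 security budget review")],
          "Alice, the breach log for Q1 is attached. Can we review it Thursday?"), False),
    (_msg([("Return-Path", "<noreply@vendor.example>"), ("To", "alice@corp.example"),
           ("Received", "from mail.vendor.example by mx.corp.example"), ("Message-ID", "<ticket-4711@vendor.example>"),
           ("From", "Vendor Support <support@vendor.example>"), ("Subject", "Your free trial of the patch management console")],
          "Click here to activate your trial. Reply to unsubscribe."), False),
]
```

`evaluate(CORPUS)` at the default threshold of 4.0 catches all three constructed spam messages with no false positives; `evaluate(CORPUS, 2.5)` also blocks the legitimate vendor e-mail whose subject says "free trial", which is the trade-off behind the 90 percent catch rate with under 1 percent false positives that the article says newer tools promise. A production filter would replace the toy phrase list with trained weights and the static block list with DNS-based block lists, but the structure of scoring each rule and thresholding the total is the same.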

Here’s a look at potential savings anti-spam solutions can deliver for a typical 1,000-user organization, assuming that 40 percent of the most troublesome spam can be eliminated, and only considering tangible benefits: 

 

| | Current Costs | Potential Savings | Potential Annual Savings |
|---|---|---|---|
| Lost Productivity | $200,000 | 40% | $80,000 |
| IT Costs | $38,000 | 70% | $26,600 |

Spam senders are as savvy as virus writers in out-foxing protection strategies and filters; they’re changing text, altering headers, and changing e-mail hosts and domains to stay one step ahead of blocking technology. This cat-and-mouse chase means that the anti-spam solution providers are constantly enhancing their solutions, as well. 

Eliminating 80 to 90 percent of spam is an admirable target. One of the biggest challenges, of course, is to ensure that valid communications are not blocked. Today, most anti-spam solutions capture about 40 percent of unwanted e-mails. Newer tools promise to hit the 90 percent mark, with less than 1 percent ‘false positives’ (important e-mail messages unintentionally blocked).

The ROI for anti-spam initiatives is already significant, and will continue to increase as solutions become even more advanced.


Did You Know?

Spam accounted for 60 percent of e-mails sent in January 2004.  Spam volume has consistently risen two percentage points every month for the past three, and at this rate, spam could potentially rise to nearly 80 percent of e-mail by the end of the year.

Source: Brightmail