Wednesday, May 11, 2011

NPV and ROSI, Part II: Accounting for Uncertainty in the ARO

Introduction

In a previous post, I proposed a Monte Carlo simulation model that attempts to determine the probability that a security investment will result in a positive Return on Security Investment (ROSI).  The model views security countermeasures and breaches as streams of cash flows and evaluates the Net Present Value (NPV) of each.  To account for the inherent uncertainty in predicting the timing and cost of a breach, the model accepts ranges of possible outcomes and runs repeated simulations.  By calculating the ROSI of many thousands of possible scenarios, the model allows the information security manager to estimate the likelihood that a specific countermeasure will pay for itself by mitigating the impact of a breach.  Please see the earlier post for more detail on this model.

In this follow-up to that post, I propose a slightly different approach to the problem and present a revised version of the simulation tool, which now treats the Annualized Rate of Occurrence (ARO) as one of the uncertain variables sampled in the repeated simulations.
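As an added illustration, not the post's own tool, the following Python model works the way the approach above describes: each trial samples ARO, per-breach cost and the countermeasure's mitigation share from ranges, draws the number of breaches per year from a Poisson distribution with mean ARO, and compares the NPV of avoided losses with the NPV of the countermeasure's cost stream. The input figures and the uniform/Poisson choices are constructed assumptions, not values from the post.

```python
import math
import random

# Constructed illustrative inputs (not figures from the post): dollars and years.
EXAMPLE = {
    "years": 5,                       # evaluation horizon in years
    "discount_rate": 0.08,            # annual discount rate used for NPV
    "capital_cost": 120_000,          # year-0 countermeasure outlay
    "annual_cost": 20_000,            # yearly operating cost of the countermeasure
    "aro_range": (0.2, 1.5),          # ARO: expected breaches per year, sampled uniformly
    "breach_cost_range": (50_000, 400_000),  # cost of a single breach
    "mitigation_range": (0.5, 0.9),   # share of breach cost the countermeasure avoids
}

def npv(cash_flows, rate):
    """Net present value of yearly cash flows; index 0 is year 0 (undiscounted)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))

def poisson(rng, lam):
    """Knuth's method: count uniform draws until their product falls below e^-lam."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_rosi(params, trials=10_000, seed=1):
    """Return (share of trials with ROSI > 0, mean ROSI) over repeated simulations.
    ROSI = (NPV of avoided breach losses - NPV of countermeasure costs) / NPV of costs,
    with ARO, breach cost and mitigation share redrawn from their ranges each trial."""
    rng = random.Random(seed)
    years, rate = params["years"], params["discount_rate"]
    cost_stream = [params["capital_cost"]] + [params["annual_cost"]] * years
    cost_npv = npv(cost_stream, rate)
    positive, rosi_total = 0, 0.0
    for _ in range(trials):
        aro = rng.uniform(*params["aro_range"])
        breach_cost = rng.uniform(*params["breach_cost_range"])
        mitigation = rng.uniform(*params["mitigation_range"])
        # Year 0 has no breaches; years 1..N each avoid mitigation * breaches * cost.
        avoided = [0.0] + [poisson(rng, aro) * breach_cost * mitigation for _ in range(years)]
        rosi = (npv(avoided, rate) - cost_npv) / cost_npv
        rosi_total += rosi
        positive += rosi > 0
    return positive / trials, rosi_total / trials

if __name__ == "__main__":
    share, mean_rosi = simulate_rosi(EXAMPLE)
    print(f"P(ROSI > 0) = {share:.3f}, mean ROSI = {mean_rosi:.2f}")
```

Widening the ARO range while holding the other inputs fixed shows how much of the spread in ROSI comes from uncertainty about breach frequency alone.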