Part (a) One of the challenges in ICT security is ‘selling’ management on investing in it. One approach is to apply a traditional return on investment calculation with an emphasis on information security issues. This is referred to as Return on Security Investment (ROSI), and ROSI calculations can be presented to management to justify security investments.
The ROSI elements discussed during the semester were: Single Loss Expectancy (SLE), the estimated cost of a single incident; Annual Rate of Occurrence (ARO), the expected number of incidents per year; Annual Loss Expectancy (ALE), calculated as ALE = ARO * SLE; and Modified Annual Loss Expectancy (MALE), the ALE after the proposed security controls have been implemented. The ROSI takes account of the ALE, the MALE and the annual cost of the proposed controls; in the form commonly used (for example by ENISA), ROSI = (ALE - MALE - cost of controls) / cost of controls, usually expressed as a percentage.
Consider the following scenario involving the help desk staff responsible for supporting the HRM system from question 1:
The help desk staff reset hundreds of passwords annually for various reasons. On average, 10 times a year the help desk staff reset a password without properly verifying the staff member’s identity and give access to the wrong person. The damage from reputational harm and privacy breaches is estimated at $8,000 per incident. By implementing a verification software package with a licence cost of $4,000 per annum, the loss expectancy would be reduced by 80%.
Calculate the ROSI for this scenario.
Given this scenario, discuss the limitations of using a ROSI calculation in this manner. You should provide four issues that highlight the limitations of a ROSI used as the primary means to justify this control.
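The calculation for part (a), carried through in code as an added worked example (this is not part of the original question or the course materials). It assumes the common ENISA-style form ROSI = (ALE - MALE - control cost) / control cost, and it also computes the break-even points and a sensitivity table, because the discussion of limitations turns on how fragile the result is to the ARO, SLE and mitigation estimates. The `Scenario` class, the `HELP_DESK` figures and the ranges in the sensitivity table are assumptions made here for illustration; only the $8,000, 10 per year, 80% and $4,000 values come from the scenario.

```python
"""ROSI calculation for the help desk password-reset scenario.

Added worked example; not part of the original question. It assumes the
common (ENISA-style) form ROSI = (ALE - MALE - control cost) / control cost,
expressed as a ratio (multiply by 100 for a percentage).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    sle: float            # Single Loss Expectancy: cost of one incident ($)
    aro: float            # Annual Rate of Occurrence: incidents per year
    mitigation: float     # fraction of the loss expectancy the control removes (0..1)
    control_cost: float   # annual cost of the control ($)

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy before the control: ALE = ARO * SLE."""
        return self.aro * self.sle

    @property
    def risk_reduction(self) -> float:
        """Loss expectancy removed by the control (ALE - MALE)."""
        # Because ALE is a product, an 80% cut in ARO (fewer bad resets) and an
        # 80% cut in SLE (cheaper incidents) give the same MALE; the scenario
        # does not say which one is claimed, and the calculation cannot tell.
        return self.ale * self.mitigation

    @property
    def male(self) -> float:
        """Modified ALE: loss expectancy remaining after the control."""
        return self.ale - self.risk_reduction

    def rosi(self) -> float:
        """ROSI as a ratio: net annual saving per dollar spent on the control."""
        return (self.risk_reduction - self.control_cost) / self.control_cost


def break_even_ale(control_cost: float, mitigation: float) -> float:
    """Smallest pre-control ALE at which the control pays for itself (ROSI = 0)."""
    return control_cost / mitigation


def break_even_mitigation(ale: float, control_cost: float) -> float:
    """Smallest mitigation fraction at which the control pays for itself (ROSI = 0)."""
    return control_cost / ale


def sensitivity(base: Scenario, aro_values, sle_values) -> dict[tuple[float, float], float]:
    """ROSI for each (ARO, SLE) pair, keeping the base mitigation and control cost.

    ROSI is linear in ALE, so errors in the two input estimates multiply: being
    out by 10x on both ARO and SLE moves the risk-reduction term by 100x.
    """
    return {
        (aro, sle): Scenario(sle=sle, aro=aro, mitigation=base.mitigation,
                             control_cost=base.control_cost).rosi()
        for aro in aro_values
        for sle in sle_values
    }


# Figures taken from the scenario in the question.
HELP_DESK = Scenario(sle=8_000, aro=10, mitigation=0.80, control_cost=4_000)


if __name__ == "__main__":
    s = HELP_DESK
    print(f"ALE  = {s.aro} * ${s.sle:,.0f} = ${s.ale:,.0f}")
    print(f"MALE = ${s.ale:,.0f} * (1 - {s.mitigation}) = ${s.male:,.0f}")
    print(f"ROSI = (${s.ale:,.0f} - ${s.male:,.0f} - ${s.control_cost:,.0f}) / "
          f"${s.control_cost:,.0f} = {s.rosi():.2f} ({s.rosi():.0%})")
    print(f"break-even ALE at {s.mitigation:.0%} mitigation: "
          f"${break_even_ale(s.control_cost, s.mitigation):,.0f}")
    print(f"break-even mitigation at ALE ${s.ale:,.0f}: "
          f"{break_even_mitigation(s.ale, s.control_cost):.0%}")
    # Constructed ranges: what happens if the ARO and SLE guesses are off.
    aros, sles = (1, 5, 10, 20), (800, 4_000, 8_000, 16_000)
    table = sensitivity(s, aros, sles)
    print("\nROSI if the estimates are wrong (rows: ARO, columns: SLE):")
    print("ARO \\ SLE " + "".join(f"{sle:>10,}" for sle in sles))
    for aro in aros:
        print(f"{aro:>9} " + "".join(f"{table[(aro, sle)]:>10.2f}" for sle in sles))
```

With the figures given, ALE = 10 * $8,000 = $80,000, MALE = $16,000, and ROSI = ($80,000 - $16,000 - $4,000) / $4,000 = 15, i.e. 1500%. The break-even figures show why the number should be read with care: the control still pays for itself if the true ALE is anything above $5,000, or if it removes only 5% of the loss rather than the claimed 80%, so the headline 1500% says more about how large the input guesses are than about the control. The sensitivity table makes the other direction visible: if both the 10 incidents per year and the $8,000 per incident are overestimated by a factor of ten, ROSI turns negative (-0.84) and the same calculation would reject the same control.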