Statistical ROI Model
Lockstep was commissioned in 2004 by the New South Wales Government to research and develop a novel statistical model for estimating security ROI, and to thereby update the government’s ROI guide for managers.
Using Monte Carlo techniques, the Lockstep-developed model predicts the likely spread in the costs of security breaches, both with and without security mitigations, given the inherent variability in (a) the likelihood of incidents and (b) the impact of incidents. The model allows practitioners to inject variations in the underlying statistics of breaches, and to set parameters for the cost and frequency of different grades of incident.
The Guidelines are attached below.
Lockstep’s ROI model cited by US DOD
Our innovative work on statistical modeling of security ROI (described above) has been cited and further developed by US Department of Defense researchers. See “A Model to Quantify the Return On Investment of Information Assurance (ROIA)” by Dr Charley Tichenor, Journal of the Defense Institute of Security Assistance Management (DISAM), volume 29, number 3.
An abridgement of Dr. Charley Tichenor’s paper appeared in the US Department of Defense software journal “CrossTalk”.
Dr. Tichenor said of our work:
“Lockstep Group’s insight into this ROI problem was outstanding, and saved a ton of work time trying to develop something comparable from scratch”.
PKI Return On Investment
OASIS (the Organisation for the Advancement of Structured Information Standards) commissioned Lockstep to write a new white paper on ROI for PKI. The research included developing a new “supply chain” model for the delivery of digital certificates.