It has occurred to me that you could build an interesting incentive program for an information security team, assuming you accept a couple of published data points (or can come up with your own) and your primary concern is a data breach. In my opinion, security people are all too often incented only to maintain security, not to optimize the investment in security. Interests need to be aligned.

First, assume that you accept the argument from Gordon & Loeb's book Managing Cybersecurity Resources: A Cost-Benefit Analysis, discussed here, that an organization should spend no more than 37% of its expected loss on information security. Second, assume that you accept the Ponemon Institute's figure for the cost of a business data breach: $182 per record. Then, as I have pointed out before, you have enough information to work out what your info-sec budget should be, or at least its cap: 37% of $182 is $67.34 per record.

So, let's set up a very simplistic model:

  • The bonus pool is funded by the difference between the actual security budget and the $67.34-per-record cap. If this cap doesn't work for you, do more research or negotiate a different cap.
  • Since you want the investments in security to assure security over time, you pool and smooth the payouts. The company might "pre-fund" the pool with the current combined team bonus amount; then each quarter (for example) the budget difference is added to the pool.
  • Come bonus time, you take a rolling average of the pool and pay that out to the team. Smoothing the payout keeps the focus on the long run and doubles as a strong retention plan.
  • The team manager can distribute the pool based on the existing bonus system or develop a balanced-scorecard approach.
  • Here's the kicker: if there is a breach, the breach costs come out of the bonus pool first. That would be a bummer, but it would also give you first-hand data for budgeting ;).
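To make the arithmetic of the model concrete, here is an added toy simulation (example code written for this page, not anything WiKID ships). It takes the two figures the post relies on, the 37% Gordon & Loeb ceiling and the $182-per-record Ponemon cost, and runs a pool through quarterly funding, a breach charge and a smoothed payout. Everything else is an assumption made for the example: money is tracked in integer cents to keep the arithmetic exact, the annual cap is split evenly across four quarters, the "rolling average" is taken over the last four quarterly contributions, and any breach cost the pool cannot cover is returned as an uncovered remainder that the company would eat.

```python
"""Toy simulation of the security-team bonus pool described above.

Added example; the only figures taken from the page are the 37% ceiling
and the $182-per-record cost. Window size, quarterly split and the
treatment of overspend/uncovered breach costs are assumptions.
"""
from collections import deque

# Gordon & Loeb: spend at most 37% of expected loss (kept as a ratio, not a float)
GORDON_LOEB_MAX_FRACTION = (37, 100)
# Ponemon: $182 per breached record, held in cents
COST_PER_RECORD_CENTS = 182 * 100


def annual_cap_cents(records: int) -> int:
    """Security budget cap = records x $182 x 37% (= $67.34 per record)."""
    num, den = GORDON_LOEB_MAX_FRACTION
    return records * COST_PER_RECORD_CENTS * num // den


class BonusPool:
    """Pool funded by (cap - actual spend); breaches are charged to it first."""

    def __init__(self, prefund_cents: int, window: int = 4):
        self.balance = prefund_cents                 # company pre-funds the pool
        self.contributions = deque(maxlen=window)    # last `window` quarterly deltas

    def fund_quarter(self, records: int, actual_spend_cents: int) -> int:
        """Add one quarter's (cap - spend) to the pool; overspend shrinks it."""
        delta = annual_cap_cents(records) // 4 - actual_spend_cents  # assumed even split
        self.balance += delta
        self.contributions.append(delta)
        return delta

    def charge_breach(self, records_breached: int) -> int:
        """Charge breach cost to the pool first; return the uncovered remainder."""
        cost = records_breached * COST_PER_RECORD_CENTS
        absorbed = max(0, min(cost, self.balance))   # a negative pool absorbs nothing
        self.balance -= absorbed
        return cost - absorbed

    def payout(self) -> int:
        """Pay the rolling average of recent contributions, never more than the pool holds."""
        if not self.contributions:
            return 0
        average = sum(self.contributions) // len(self.contributions)
        paid = max(0, min(average, self.balance))    # no payout from a negative average
        self.balance -= paid
        return paid


def simulate() -> dict:
    """Constructed scenario: 10,000 records, $150k/quarter spend, $50k pre-fund,
    a 500-record breach after a year, then bonus time."""
    pool = BonusPool(prefund_cents=5_000_000)
    deltas = [pool.fund_quarter(10_000, 15_000_000) for _ in range(4)]
    uncovered = pool.charge_breach(500)
    paid = pool.payout()
    return {
        "quarterly_delta": deltas[0],
        "uncovered_breach_cost": uncovered,
        "payout": paid,
        "remaining_balance": pool.balance,
    }


if __name__ == "__main__":
    for key, cents in simulate().items():
        print(f"{key}: ${cents / 100:,.2f}")
```

Two things the run makes visible that the bullets do not: a 500-record breach ($91,000) wipes out most of a year of under-spend on 10,000 records, and because the payout is the rolling average of contributions rather than the pool balance, the team still receives its smoothed bonus after the breach while the pool itself stays depleted, which is the long-run pressure the model is after.
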
So, here are my questions: would such a system align the information security team's objectives with the enterprise's? I think so. I know that they are often misaligned today. We have pitched WiKID to the info-sec teams of large corporations that would have saved over $500,000 in token costs alone by switching, but the security personnel were not interested: they faced no upside for saving money, only risk in making the switch.

Would it be easily gameable? It seems to me, only in the initial determination of the caps. You should also subtract a charge for the assets deployed, which means you would have to work out which assets are in fact security assets rather than network assets. You could also put the network team in the mix and add a penalty for downtime.

So there it is, just a simple, starting point proposal. Comments welcome!

