Skip to main content


There is a very interesting article (and old one - sorry, I'm running behind) on CSO Online called Value Made Visible about how American Water's Bruce Larson has developed a security metric call Value Protection:

The basic Value Protection metric is a ratio that looks like this: Value Protection = Normal Operations Cost ($) – Event Impact ($) / Normal Operations Cost ($). In formula:

VP = (N – E) / N

The idea then is to have your VP as close to one as possible. I've looked at this a number of times and it just never makes sense, though I hate to knock anyone that is measuring and managing against that measurement, in particular in the vague world of information security.

An example would be that your normal operating costs are 1,000,000. If an Event Impact costs $500,000, your VP is 50%, which is really bad. Here's what I don't get: Why divide my N? Why not just say it be N/E? I guess that they are looking at different impacts between possible events, so that an annual VP would look like AVP=AN-(E1+E2+E3+En)/AN? If they are looking at individual possible events, I think a holistic approach would be better. Your SIM, for example, can protect against multiple events.

I really like the way they figure the estimate Event Impact - which seems to be very close to Average Loss Expectancy:

Event impact E is the sum of five types of costs that result from an event. Those cost types are: response costs (Rp), recovery costs (Rc), cost of penalties (Pn), costs associated with lost revenue (LR) and costs related to a damage in perception or reputation (Pc).
Larson also includes only numbers where he has hard figures. So costs to reputation are rarely included. While that may tend to reduce the costs, it increases the credibility of Larson's numbers internally.

Larson also has this bon mote:

Value Protection is Larson's attempt to overcome security's classic problem of seeming like nothing but a drain on the business. "Look, business units do one of two things: increase revenue or increase efficiency," Larson says. "We don't bring in revenue. So then you say, 'OK, then you're making the business more efficient, right?' Well, no, we don't do that either. So, if those are the two possible goals of a business unit and we don't fulfill either, then I'm confused.
I would say that business create value in three ways: increase revenues, increase efficiency and reduce risk. If mapped out the potential cash flows that include expected losses with varying levels of security, from none to uber-tight, the variance would make the rate of return very high. If you eliminate the worst case scenarios by investing in information security, the rate of return increases dramatically and that creates value.

Current rating: 1

Recent Posts







RSS / Atom