
Does MS2 calculate a Return on Investment (ROI) for the security gaps identified during the risk and gap assessment?
Like any other profession, IT security incorporates a range of theories and methodologies, and calculating an ROI for security gaps is one such example. NIST SP 800-30 and other standards do not require ROI calculations to determine which security safeguard to implement or to prioritize which controls to implement first, although some security professionals consider such estimates useful.
MS2 calculates risk based upon a baseline set of information processing threats and the likelihood and impact of the resulting vulnerabilities. The results are factored by the existing and planned security safeguards within an organization. Milliman chose not to include the value of the assets as the major determining factor or driver in deciding which security control to implement. The reasons for this include:
- Assigning a monetary value to an information or computer asset such as a server or data can be very subjective.
- Quantifying ROI or using asset valuation as a basis for the prioritization of control recommendations can lead to skewed and potentially undesirable results. For example, there may be some generally accepted security controls that show a relatively low ROI for a specific organization.
- Calculating ROI can be complex and resource-intensive relative to the influence it has on the decision to implement a specific control. For example, the long-term public relations consequences of an identity theft breach or compliance violation may outweigh any short-term, measurable monetary loss.
- Finally, many debate whether security controls result in any ROI at all. Security control implementation is fundamentally a risk-based decision, driven by an organization's desire to minimize its financial, operational, or regulatory exposure to a particular threat and vulnerability.
Therefore, organizations may determine the resources allocated to security by the cost of the safeguards within the overall context of risk and exposure, given their financial and business circumstances (i.e., the likelihood of a vulnerability and its impact based upon the financial situation of the organization). MS2 quantifies the overall vulnerability risk impact of a specific security need to help guide such a security resource allocation process. It also provides tools to aid an organization in documenting its rationale when it chooses not to implement a specific safeguard.
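The contrast the answer draws, ranking gaps by likelihood-and-impact risk factored by existing safeguards versus ranking them by ROI, can be made concrete with a small script. This is an added illustration, not MS2 code or Milliman's method: the gap names, cost figures, effectiveness fractions and dollar loss estimates are constructed, and the ROI formula (annual loss avoided minus control cost, divided by cost) is one common form that is assumed here rather than taken from the page. It shows how a control with high likelihood and impact can come out last under ROI when its measurable loss is small.

```python
"""Added illustration (not MS2 code): rank constructed security gaps two ways.

1. NIST SP 800-30 style qualitative risk: likelihood x impact, reduced by the
   effectiveness of safeguards already in place (residual risk).
2. A simple return-on-security-investment ratio using a dollar loss estimate.

All gap data, costs and effectiveness fractions are constructed for the example;
the ROI formula is an assumption, not a formula from the page.
"""
from dataclasses import dataclass

# Qualitative levels mapped to ordinal values, as in a 3x3 risk matrix.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Gap:
    name: str
    likelihood: str             # "low" | "moderate" | "high"
    impact: str                 # "low" | "moderate" | "high"
    existing_mitigation: float  # fraction of risk already removed by safeguards in place
    control_cost: float         # one-year cost of the recommended control (constructed)
    control_effect: float       # fraction of remaining risk the control would remove
    measurable_loss: float      # estimated annual monetary loss if exploited (constructed)


def inherent_risk(gap: Gap) -> int:
    """Likelihood x impact on the ordinal scale (1..9)."""
    return LEVELS[gap.likelihood] * LEVELS[gap.impact]


def residual_risk(gap: Gap) -> float:
    """Inherent risk scaled down by the safeguards already in place."""
    return inherent_risk(gap) * (1.0 - gap.existing_mitigation)


def roi(gap: Gap) -> float:
    """(loss avoided - cost) / cost; negative means the control 'loses money'
    when only the measurable figures are counted."""
    loss_avoided = gap.measurable_loss * gap.control_effect
    return (loss_avoided - gap.control_cost) / gap.control_cost


def prioritize_by_risk(gaps):
    """Highest residual risk first: the approach the answer describes."""
    return [g.name for g in sorted(gaps, key=residual_risk, reverse=True)]


def prioritize_by_roi(gaps):
    """Highest ROI first: the approach the answer argues can skew results."""
    return [g.name for g in sorted(gaps, key=roi, reverse=True)]


def deferral_record(gap: Gap, rationale: str) -> dict:
    """Record kept when an organization decides not to close a gap, so the
    accepted residual risk and the reason are documented together."""
    return {"gap": gap.name, "residual_risk": residual_risk(gap),
            "accepted": True, "rationale": rationale}


# Constructed sample gaps (names, levels and figures are illustrative only).
SAMPLE_GAPS = [
    Gap("Periodic access reviews for privileged accounts", "high", "high", 0.0, 40_000, 0.6, 20_000),
    Gap("Encrypt off-site backup media", "moderate", "high", 0.0, 15_000, 0.9, 10_000),
    Gap("Patch legacy file server", "moderate", "moderate", 0.5, 5_000, 0.8, 30_000),
]

if __name__ == "__main__":
    for g in SAMPLE_GAPS:
        print(f"{g.name}: residual risk {residual_risk(g):.1f}, ROI {roi(g):+.2f}")
    print("risk order:", prioritize_by_risk(SAMPLE_GAPS))
    print("ROI order: ", prioritize_by_roi(SAMPLE_GAPS))
    print(deferral_record(SAMPLE_GAPS[2], "Server scheduled for decommission next quarter"))
```

With the constructed figures the access-review control ranks first by residual risk (9.0) but last by ROI (-0.70), because its measurable annual loss is small even though its likelihood and impact are both high; the file-server patch ranks first by ROI (+3.80) but last by residual risk once the safeguard already in place is credited.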