Recently I was watching talks from RSA 2012. One talk that got my attention was "Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M". The two points I liked most are:
1. The adversary doesn't care about your ROI/ROSI.
2. Whatever security measures you put in place should reduce the adversary's ROI.
Let's look at the formula for adversary ROI:
Adversary ROI = (((Attack Value - Cost of the Attack) x Probability of Success) / Cost of the Attack) - Deterrence Measures
where Attack Value = Value of Assets Compromised + Adversary Value of Operational Impact, and Deterrence Measures = % Chance of Getting Caught x Cost of Getting Caught.
The most important factor in this ROI is the cost of the attack. If your security measures can increase the cost of the attack (which most measures do), they reduce the adversary ROI many times over, because the attack cost is both subtracted from the attack value and used as the divisor. This is the area where most security vendors focus their effort, along with reducing the probability of success. At the same time, advances in attack tools and techniques keep reducing the attack cost and increasing the probability of success, so white-hat hackers/defenders find themselves in a rat race to build countermeasures. As a best practice, multilayer security (IPS/IDS/firewall/anti-malware) has to be implemented to affect these two factors of adversary ROI.
Let's say that after applying all these measures the attacker is still able to penetrate your system. If you can be alerted and act before the adversary is able to steal or damage your assets, this again reduces the probability of success. This is where your various monitoring systems play a great role, for example file/registry/process integrity monitoring and log inspection.
What if your assets have been stolen or damaged before you are able to act? There is still hope, in the form of your risk management policy and forensics, which can help with recovery and with catching your adversary. These two factors increase the chance of the attacker getting caught.
Now, there is one factor you cannot control directly: the cost of getting caught. It depends largely on the rules and regulations of the government/country involved and on how they treat your adversary.
While you can reduce the value of the assets compromised (for example by holding less sensitive data, or by splitting it so that a single compromise exposes less), this is not always possible and not always advisable either. You cannot control the adversary's value of operational impact at all, as it depends on the type of adversary you are dealing with.
One thing should be noted here: the factors affecting adversary ROI should be considered in totality, not in isolation.
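To make the factors concrete, here is a small Python model of the formula above and of how each class of measure moves one of its terms. It is written for this post, not taken from the RSA slides. The figures (a $40B asset, a $1M attack, 50% success, a 5% chance of being caught at a $10M penalty) are constructed for illustration from the talk's title, not measured data. One assumption of mine: the deterrence term is divided by the attack cost, so that both terms are returns per dollar the adversary spends; the formula as quoted subtracts it directly.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AttackScenario:
    """Inputs to the adversary ROI formula. Money in dollars, probabilities 0..1."""
    asset_value: float         # Value of Assets Compromised
    operational_impact: float  # Adversary Value of Operational Impact
    attack_cost: float         # Cost of the Attack
    p_success: float           # Probability of Success
    p_caught: float            # % Chance of Getting Caught
    caught_cost: float         # Cost of Getting Caught


def adversary_roi(s: AttackScenario) -> float:
    """ROI per dollar the adversary spends.

    Assumption (mine, not the slides'): the deterrence term is also divided by
    attack cost so that both terms share units.
    """
    attack_value = s.asset_value + s.operational_impact
    expected_gain = (attack_value - s.attack_cost) * s.p_success
    deterrence = s.p_caught * s.caught_cost
    return (expected_gain - deterrence) / s.attack_cost


def breakeven_attack_cost(s: AttackScenario) -> float:
    """Attack cost at which ROI falls to zero, holding the other inputs fixed.

    Solve ((V - C) * p - d) / C = 0  =>  C = V - d / p.
    """
    attack_value = s.asset_value + s.operational_impact
    deterrence = s.p_caught * s.caught_cost
    return attack_value - deterrence / s.p_success


# --- defensive measures, each moving one factor of the formula ---

def raise_attack_cost(s: AttackScenario, factor: float) -> AttackScenario:
    """Layered controls (firewall/IPS/anti-malware): the attack costs more effort."""
    return replace(s, attack_cost=s.attack_cost * factor)


def cut_success_probability(s: AttackScenario, factor: float) -> AttackScenario:
    """Integrity monitoring / log inspection: defenders act before the theft."""
    return replace(s, p_success=s.p_success * factor)


def raise_detection(s: AttackScenario, p_caught: float) -> AttackScenario:
    """Forensics and incident response: higher chance the adversary is identified."""
    return replace(s, p_caught=p_caught)


def compare_measures(base: AttackScenario) -> dict:
    """ROI for the baseline, each measure alone, and all of them together."""
    combined = raise_detection(cut_success_probability(raise_attack_cost(base, 10), 0.5), 0.5)
    return {
        "baseline": adversary_roi(base),
        "attack cost x10": adversary_roi(raise_attack_cost(base, 10)),
        "success probability halved": adversary_roi(cut_success_probability(base, 0.5)),
        "chance of being caught 50%": adversary_roi(raise_detection(base, 0.5)),
        "all three together": adversary_roi(combined),
    }


# Constructed figures, loosely from the talk's title ($40B developed, $1M to steal).
BASE = AttackScenario(
    asset_value=40_000_000_000,
    operational_impact=0,
    attack_cost=1_000_000,
    p_success=0.5,
    p_caught=0.05,
    caught_cost=10_000_000,
)

if __name__ == "__main__":
    for name, roi in compare_measures(BASE).items():
        print(f"{name:30s} ROI per $ = {roi:10.2f}")
    print(f"attack cost needed for ROI <= 0: ${breakeven_attack_cost(BASE):,.0f}")
```

Running it shows why the factors have to be worked together: a ten-fold rise in attack cost cuts the ROI roughly ten-fold, halving the probability of success halves it, but raising the chance of being caught to 50% barely moves the number against a $40B asset, and breakeven_attack_cost shows that cost alone would have to approach the asset's own value before the ROI reaches zero.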
Reference.
http://365.rsaconference.com/servlet/JiveServlet/previewBody/3429-102-1-4545/GRC-202.pdf