Wednesday, September 3, 2008

Costs of Security

There is an interesting post over at Schneier on Security about calculations for security expenditures. He points out problems with both Return on Investment (ROI) and Annualized Loss Expectancy (ALE) methods of calculating the worth of a security investment. In applying either of these methods to counter-terrorism expenditures there are too many unknowns and too many assumptions to allow for consistent evaluations.


This is one of the reasons that security implementation has been uneven across the chemical sector. Most chemical facilities are run as for-profit enterprises. For these facilities every dollar spent on security is a cost that is essentially non-recoverable. Granted those expenditures may help the facility to avoid future costs associated with a successful terrorist attack, but there is not a good way to figure out what those avoided costs would be.


Calculating the Justifiable Costs


There are a wide variety of ways that a facility could go about calculating the costs they would avoid by paying for security today. All of them would be based on guesses about:


  • The likelihood of an attack,
  • How well the security measure would prevent that attack, and
  • How much a successful attack would cost.

If you thought that the likelihood of a terrorist attack was extremely low, the amount of money you could justify spending to prevent that attack would be very low. If you thought the cost of a successful attack would be relatively low, that would also lower the amount you could justify spending on security. If you thought that there would be little change in the probability of a successful attack resulting from using a particular security device or program, the cost of that security would be hard to justify. In other words, the amount you can justify spending on security is dependant on the assumptions that you make.


This is one of the reasons for the wide disparity in the levels of security applied at chemical facilities across the country. It isn’t that most of these facilities don’t care about security. Each facility management team has made their own assumptions and used those assumptions to determine what they can afford to spend on security. If their assumptions were changed, the amount they could afford to spend would also change.


The Need for Government Guidance


This is one of the reasons that government regulations like CFATS are needed. CFATS helps to insure that high-risk chemical facilities take a similar perspective when looking at the risk that they face. It establishes an independent measurement of the risk. It also provides an outside review of security measures. That ensures that similar standards would be used to assess the adequacy of those security measures.


In the end this ensures that two competing facilities using the same chemicals will be paying similar costs for security. It will help prevent one from gaining a competitive advantage by cutting the money spent on security.

No comments:

/* Use this with templates/template-twocol.html */