
INTRODUCTION
Return on security investment (ROSI) can be interpreted as: [1]
ROSI = (Mitigated Risk Cost) / Cost
Here we analyze an investment in information security, and hence we do not seek an increase in
income, but instead a mitigation of the given risk to which the business process will be exposed
[1] and which in turn will affect the entire investment structure.
ROSI represents the investment in terms of the most appropriate risk level that the
organization, in this case Seagovia, is ready to assume. We aim to reach what is called an
appropriate solution because in the case of the level of information security, it is highly likely
to have a 100% solution level.

Points of Focus while Calculating ROSI
The following are the two points of focus we need to follow while determining ROSI.
1. What is the solution cost range that represents the options from which we can choose
   our Acceptance Level?
2. At what point in the calculations (ROSI = 0) do the solutions start being
   counterproductive, when costs exceed business benefits?

Our strategy for calculating ROSI can be viewed from different angles:
1. Qualitative View: Based on assumptions. It rests on a heightened level of subjectivity
   and does not prove useful for justifying investments before higher management levels.
2. Statistical View: This serves as a kick-off for an advanced information security
   development to deal with events during the determination of ROSI. This model's
   development takes about four to eight weeks. Its subjectivity depends upon the
   organization, its complexity and the level of business process being taken into
   consideration.
3. Probabilistic View: The most precise method for calculating ROSI. The model is specific.
   Development of this model can take up to eight to twelve weeks because of its
   complexity. This model allows us to analyze the financial and strategic planning
   departments within the organization. Hence, the degree of accuracy is higher.


SEAGOVIA ORGANIZATIONAL INFORMATION

CATEGORY
Laptops                                      222
Laptops with Top Secret Information          151
Desktops                                     321
Servers                                      16
Database Server                              2
Backup USB Drives                            70
Number of Mobiles                            400
Blackberry Mobiles                           231

Employees
Number of Employees                          650
Employees handling top secret information    29

Lifespan of Technology Solution
Solution Deployment                          3 years
Maintenance                                  Every month
Fatal Failure Recovery                       1 Month (2 IT Labors)

Money (USD)
Annual Revenue                               $ 5 Million
Installation Cost                            Based on Specific Solution
Maintenance Cost                             $100/day/person (Standard). One vendor deals with
                                             maintenance of Seagovia's software and hardware.

NOTE:
ANY LOSS OF INFORMATION IS DIRECTLY PROPORTIONAL TO ANNUAL REVENUE

SECURITY TECHNOLOGIES FOR ROSI ANALYSIS
The following is the list of technologies that Next Community Consultants have formulated and
analyzed for calculating Return on Security Investment:

ANTIVIRUS SOFTWARE
INTRUSION DETECTION SYSTEM
SACL and DACL
VIRTUAL PRIVATE NETWORK
BACK-UP SOFTWARE
BIOMETRIC
SSL VPN Cryptography
SECURE EMAIL
ACTIVE DIRECTORY
SELF ENCRYPTING DRIVE
CONFIGURATION MANAGEMENT

Below we provide an estimate of the cost, return and benefits Seagovia
would have if they invest in the given technologies.

ANTIVIRUS SOFTWARE
Product Name: Norton Antivirus
Product Usage: Used for protecting the Seagovia Information System from trojans, worms, viruses,
malware, etc.
Product Lifespan: 1 Year (license version can be revised)

[Ratings chart: Scope of Protection, Effectiveness, Ease of Installation, Ease of Use, Features,
Updates, Help & Support; scale: Excellent, Very Good, Good, Fair, Poor]

Financial Expenditure

INVESTMENT
                              Price               Number        Subtotal
Raw Equipment Cost            $1000               5 Admins      $5000
Installation (1 day)          $50                 5 IT Staff    $250
Maintenance/month             $0                                $0
Upgrade                       $0                                $0
Subtotal Investment                                             ~ $5250

COST SAVINGS
Loss of Data                  3% * $5.0 * 10^6                  $150,000
Loss of customer prospect     2% * $5.0 * 10^6                  $100,000
Waste of Human Labor          $100                8 staff       $800
Loss of Productivity          4% * $5.0 * 10^6                  $200,000
Subtotal Investment                                             ~ $450,800

OVERALL SUMMARY
Total Return on Investment                                      $445,250

Impact on Seagovia Defense and Banking Operations
3 on a scale of 4: High Threat Risk




INTRUSION DETECTION SYSTEM
Product Name: Check Point RealSecure
Product Usage: Used for protecting Seagovia Information System.
Product Lifespan: 1 Year (license version can be revised)


Unobtrusively analyzes packets of information as they travel across your enterprise network. It
recognizes a wide variety of traffic patterns that indicate hostile activity or misuse of network
resources, including network attacks and malicious Java and ActiveX applets. The
RealSecure attack recognition engine immediately alerts network managers and administrators of
any suspicious activity, logs the session, and can automatically terminate the connection. Events
are classified and summarized in order of priority, enabling you to assess conditions at a glance.
You can play back sessions at any time for further evaluation or for use as criminal evidence [6].

INVESTMENT
                              Price               Number        Subtotal
Raw Equipment Cost            $1600/bundle        5 Admins      $25,000
(32 users with 1 year
Total Security)
Installation (1 day)          $100/person         5 IT Staff    $1500
Maintenance                   $2000               5 IT Staff    $10000
Upgrade                       $50                               $50
Subtotal Investment                                             ~ $36,550

COST SAVINGS
Loss of Data                  3% * $5.0 * 10^6                  $150,000
Loss of customer prospect     2% * $5.0 * 10^6                  $100,000
Waste of Human Labor          $100                15 staff      $1500
Loss of Productivity          4% * $5.0 * 10^6                  $200,000
Subtotal Investment                                             ~ $451,500

OVERALL SUMMARY
Total Return on Investment                                      $414,450

EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
An IDS is one of the most important pieces of software Seagovia should invest in. Firstly, to
protect your network, the IDS generates alarms when it detects any kind of intrusive activity on
the network. The mechanism triggers an alarm of two kinds:
a. Anomaly Detection - For detecting insider attacks or account thefts.
b. Misuse Detection - With a signature database for every user, any misuse will be monitored right
away.
Also, apart from the network triggering mechanism, the software also detects any strange
activity in specific spots on:
a. Host Side - Success or failure of an attack is easy to determine.
b. Network Side - Able to see where the attack is taking place and how much of the network the
attack has affected.

Impact on Seagovia Defense and Banking Operations
3 on a scale of 4: High Threat Risk











SACL and DACL

Product Name: Windows SACL and DACL System
Product Usage: Types of Access Control Lists (ACL) for providing system wide auditing and
logging facilities.
Product Lifespan: Same as Windows License


Expenses to Install

INVESTMENT
                              Price               Number        Subtotal
Raw Equipment Cost            $1000               16 servers    $16,000
Installation (1 day)          $200/person         10 IT Staff   $2000
Maintenance                   $100/month          16 Servers    $19,200
Upgrade                       $0                                $0
Subtotal Investment                                             ~ $37,250

COST SAVINGS
Loss of Data                  3% * $5.0 * 10^6                  $150,000
Loss of customer prospect     2% * $5.0 * 10^6                  $100,000
Waste of Human Labor          $100                30 staff      $3000
Loss of Productivity          4% * $5.0 * 10^6                  $200,000
Subtotal Investment                                             ~ $453,000

OVERALL SUMMARY
Total Return on Investment                                      $415,750

EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
Not having the above technology will increase the chances of system or network security
breaches, and Seagovia will also not be able to determine the extent and location of network
damage. For Seagovia such a risk is really high because highly confidential information is kept
in the system. If such information is leaked out and the source cannot be determined, then it is a
major threat to national security. This will also exponentially increase the time needed to locate
the epicenter of the problem and the time needed to rectify it, causing further delay and
increasing the threat connected to it.

Impact on Seagovia Defense and Banking Operations
3 on a scale of 4: High Threat Risk












VIRTUAL PRIVATE NETWORK

Product Name: CISCO VPN
Product Usage: Security through encryption and authentication technologies that protect data
from unauthorized access and attacks.
Product Lifespan: 2 Years (license version can be revised)
















Expenses to Install

INVESTMENT
                              Price               Number        Subtotal
Raw Equipment Cost *                                            $90,000
Upgrade                       $100                              $100
Subtotal Investment                                             ~ $90,100

COST SAVINGS
Loss of Data                  3% * $5.0 * 10^6                  $150,000
Loss of customer prospect     2% * $5.0 * 10^6                  $100,000
Waste of Human Labor          $100                30 staff      $3000
Loss of Productivity          4% * $5.0 * 10^6                  $200,000
Subtotal Investment                                             ~ $453,000

OVERALL SUMMARY
Total Return on Investment                                      $419,500


* The software cost included the following for all 500 machines
1. SBC Vendor Managed RLAN
2. SBC DSL, VPN (User Managed)
3. Router Cost
4. Handling, Configuration Cost
5. Circuit Installation, project coordination cost
6. User Managed VPN
7. Remote Access IT Employees (labor) + 1 engineer + 2 consultants


** The cost increases when Seagovia adds more machines @ 10% each year.







EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
The main advantages a secure VPN provides are cost savings and network scalability. The use of
such a network will help Seagovia protect their data and increase the bandwidth and efficiency of
the network. Having this technology will allow data to be transferred safely through a tunneling
protocol and security procedures. Not having a secure VPN, on the other hand, would not allow
Seagovia employees to send data safely and would open the doors to packet sniffing. If such a
thing happens, again a lot of nationally secured data would be on the loose, resulting in a major
disaster.

Impact on Seagovia Defense and Banking Operations
3 on a scale of 4: High Threat Risk












BACK-UP SOFTWARE

Product Name: Nova Backup
Product Usage: Required for providing a back-up to all the stored information at Seagovia
Product Lifespan: 2 Years (license version can be revised)


[Ratings chart: Feature Set, Ease of Use, Backup/Restore, Help/Documentation; scale: Excellent,
Very Good, Good, Fair, Poor]

Financial Expenditure

INVESTMENT
                              Price               Number        Subtotal
Raw Equipment Cost            $45                 5 Admins      $225
Installation (1 day)          $50/person          5 IT Staff    $250
Maintenance                   $1200               5 Machines    $6000
Upgrade                       $50                               $50
Subtotal Investment                                             ~ $6,525

COST SAVINGS
Loss of Data                  3% * $5.0 * 10^6                  $150,000
Loss of customer prospect     2% * $5.0 * 10^6                  $100,000
Waste of Human Labor          $100                5 staff       $500
Loss of Productivity          4% * $5.0 * 10^6                  $200,000
Subtotal Investment                                             ~ $450,500

OVERALL SUMMARY
Total Return on Investment                                      $443,975



EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
Back-up software helps users maintain the data they have. Seagovia stores a lot of information
which is highly classified and prone to attacks (leaks). Also, there can be certain incidents where
someone (insider or outsider) might successfully erase the data stores. So, it is suggested to have
a back-up of the entire data at Seagovia made by secure software. This way, in case the data is
erased, a back-up would be at hand and would save a lot of the time and effort involved in
retrieving the data.

Impact on Seagovia Defense and Banking Operations
3 on a scale of 4: High Threat Risk




BIOMETRIC

Product Name: Aware, Inc. Fingerprint Readers
Product Usage: Fingerprint and facial image auto-capture
Image QA and compliance assurance
Certified 1:1 fingerprint matching
Standard-compliant data formatting and validation
Service-oriented workflow server platform
Product Lifespan: 2 Years (license version can be revised)





Financial Expenditure

INVESTMENT
                              Price               Number                      Subtotal
Raw Equipment Cost            $800                16 Servers                  $12,800
                              ($700 Software      649 Machines                $64,900
                              $100 Reader)        10 Sensitive Office Rooms   $1000
                                                                              $65,900
Installation (1 day)          $100                5 IT Staff                  $500
Maintenance                   $100                15 Servers                  $18,000
Upgrade                       $50                                             $50
Subtotal Investment                                                           ~ $84,400

COST SAVINGS
Loss of Data                  3% * $5.0 * 10^6                                $150,000
Loss of customer prospect     2% * $5.0 * 10^6                                $100,000
Waste of Human Labor          $200                10 staff                    $2000
Loss of Productivity          4% * $5.0 * 10^6                                $200,000
Subtotal Investment                                                           ~ $452,000

OVERALL SUMMARY
Total Return on Investment                                                    $367,600

* We assume that 10% of the machines contain sensitive data that only an admin or an employee
with high-level clearance can access.


EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
Insecure authorization in banking or high-intelligence organizations can be catastrophic, with loss
of money, loss of confidential information and compromised data integrity. The above technology
provides a sure-shot way to prevent any unauthorized individual from getting access to an
unauthorized place. The above technology cannot be shared or copied, as it is extremely difficult
to duplicate any individual's identity in terms of eyes, face or fingerprints. Hence, this way only
special (high-level) employees can gain access to special information centers, thereby reducing
the risk of information getting out of the organization's premises. The rest depends on Seagovia,
which can allocate biometrics to as many employees as it wants.

Impact on Seagovia Defense and Banking Operations
3 on a scale of 4: High Threat Risk



SSL VPN Cryptography
Product Name: OvisGate SSL VPN
Product Usage: A VPN Software that utilizes SSL technology, giving you the ability to easily
access a foreign network (e.g. workplace, home, school, etc.) from the web browser [10].
Product Lifespan: 2 Years (license version can be revised)





Financial Expenditure

INVESTMENT
                              Price               Number        Subtotal
Raw Equipment Cost            $1000               5 Admins      $5000
Installation (1 day)          $100/person         10 IT Staff   $1000
Maintenance                   $100/month          5 Machines    $6000
Upgrade                       $50                               $50
Subtotal Investment                                             ~ $12,050

COST SAVINGS
Loss of Data                  3% * $5.0 * 10^6                  $150,000
Loss of customer prospect     2% * $5.0 * 10^6                  $100,000
Waste of Human Labor          $100                5 staff       $500
Loss of Productivity          4% * $5.0 * 10^6                  $200,000
Subtotal Investment                                             ~ $450,500

OVERALL SUMMARY
Total Return on Investment                                      $438,450


EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
A VPN allows remote users to securely access corporate information from safe locations. The
above technology allows Seagovia users to access highly confidential information from safe
places so that such information is not accessible to all. This way Seagovia can ensure that only
highly classified employees get to share information which otherwise is not required to be
accessed by lower-level employees within Seagovia. The catch in using this technology is that
Seagovia can easily set up a secure extranet for its employees while transmitting information. This
way the authentication and encryption on the network will not allow external users (insiders and
outsiders) to breach it.

Impact on Seagovia Defense and Banking Operations
3 on a scale of 4: High Threat Risk


SECURE EMAIL
Product Name: ZSentry
Product Usage: Secure email service
Product Lifespan: 1 Year (license version can be revised)

Financial Expenditure

INVESTMENT
                              Price               Number        Subtotal
Raw Equipment Cost            $80                 16 Servers    $1,280
Installation (1 day)          $100/person         5 IT Staff    $500
Maintenance                   $100/month          15 Servers    $18000
Upgrade                       $50                               $50
Subtotal Investment                                             ~ $19,830

COST SAVINGS
Loss of Data                  3% * $5.0 * 10^6                  $150,000
Loss of customer prospect     2% * $5.0 * 10^6                  $100,000
Waste of Human Labor          $100                5 staff       $500
Loss of Productivity          4% * $5.0 * 10^6                  $200,000
Subtotal Investment                                             ~ $450,500

OVERALL SUMMARY
Total Return on Investment                                      $430,670

EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
This technology is used for maintaining a secured email service within any organization. Its main
use is to ensure that any information shared via email is secured. It uses a secure login,
authentication, encryption and a proven anti-phishing solution, together with a sign, encrypt and
send service. Hence, if Seagovia incorporates and invests in this technology, it will save them the
time and effort needed to protect their mail and let them share classified information without
the concern of information getting across to the wrong parties. Also, it will help in sharing
confidential bank records between various individuals, keeping external identities off record. All
this saves the time and effort involved if any leak of information takes place through email. The
probability of an information breach through email is not high, but since Seagovia deals in
National Information, it is important not to leave any corner unattended.

Impact on Seagovia Defense and Banking Operations
3 on a scale of 4: High Threat Risk









ACTIVE DIRECTORY
Product Name: Active Directory Service by MS
Product Usage:
Product Lifespan: 1 Year (license version can be revised)

Financial Expenditure [12]

INVESTMENT
                              Price               Number        Subtotal
Raw Equipment Cost            $1000               5 Admins      $5000
Installation (1 day)          $50                 5 IT Staff    $250
Maintenance                   $100                5 Machines    $6000
Upgrade                       $50                               $50
Subtotal Investment                                             ~ $11,300

COST SAVINGS
Loss of Data                  3% * $5.0 * 10^6                  $150,000
Loss of customer prospect     2% * $5.0 * 10^6                  $100,000
Waste of Human Labor          $100                5 staff       $500
Loss of Productivity          4% * $5.0 * 10^6                  $200,000
Subtotal Investment                                             ~ $450,500

OVERALL SUMMARY
Total Return on Investment                                      $439,200




EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
The following are the advantages Active Directory offers:
1. Fully integrated security in the form of user logins and cryptographic information.
2. Easy administration of group policies and permissions.
3. Easy to provide scalability, flexibility and extensibility during data upgrades.
4. Supports integration of other directory services as well.
5. Supports multiple authentication protocols.
All the above factors show that data security is a major thing to control. At Seagovia, national
data is stored and has to be protected from breach. The cost associated with it is catastrophic
and cannot be calculated. The only solution our consulting team suggests is to adopt this
technology.

Impact on Seagovia Defense and Banking Operations
3 on a scale of 4: High Threat Risk
















SELF ENCRYPTING DRIVE
Product Name: Seagate Momentus FDE Self Encrypting Drive
Product Lifespan: 1 Year (license version can be revised)

Financial Expenditure

INVESTMENT
                              Price               Number        Subtotal
Raw Equipment Cost            $130*               500           $65,000
Maintenance                   $0                                $0
Upgrade                       $50                               $50
Subtotal Investment                                             ~ $65,050

COST SAVINGS
Loss of Data                  3% * $5.0 * 10^6                  $150,000
Loss of customer prospect     2% * $5.0 * 10^6                  $100,000
Waste of Human Labor          $100                5 staff       $500
Loss of Productivity          4% * $5.0 * 10^6                  $200,000
Subtotal Investment                                             ~ $450,500

OVERALL SUMMARY
Total Return on Investment                                      $385,450

* Including Installation Cost




EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
We already suggested cryptography software for your organization's information systems. But
we found another area of concern. All the employees within Seagovia have to submit their data
to the cryptography software to enable data protection. All the data other than the encrypted
data (the user's own data on his machine) is also vulnerable to breach or information theft. Hence,
we advise a self-encrypting hard drive to make sure that all data present on the user's machine is
encrypted automatically as the user stores data on it. In this way we also close the gates to a
security breach through this channel.
Bank accounts, usernames, passwords, etc. will also be encrypted, and the key to all that data
would be only with the user of the machine.

Impact on Seagovia Defense and Banking Operations
3 on a scale of 4: High Threat Risk













CONFIGURATION/PATCH MANAGEMENT
Product Name: GFI LANguard
Product Usage: GFI LANguard is a complete network vulnerability management solution that
allows you to scan, detect, assess and remediate security vulnerabilities and provides patch
management functionality [14].
Product Lifespan: 1 Year (license version can be revised)

Financial Expenditure

INVESTMENT
                              Price               Number        Subtotal
Raw Equipment Cost            $380*               5 Admins      $1900
Installation (1 day)          $100/person         5 IT Staff    $500
Maintenance                   $100                5 Machines    $6000
Upgrade                       $50                               $50
Subtotal Investment                                             ~ $8,450

COST SAVINGS
Loss of Data                  3% * $5.0 * 10^6                  $150,000
Loss of customer prospect     2% * $5.0 * 10^6                  $100,000
Waste of Human Labor          $100                5 staff       $500
Loss of Productivity          4% * $5.0 * 10^6                  $200,000
Subtotal Investment                                             ~ $450,500

OVERALL SUMMARY
Total Return on Investment                                      $442,050

* Including 2-year maintenance.


EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
Patch management software automatically protects the integrity of data. With the above-mentioned
technology, deployment of patches to ISA server machines, allowing the administrator
to specify required updates, data migration and export/import features, reporting capabilities that
allow the administrator to monitor updated network activity, etc. are easily implementable. All
these advantages add a layer of protection to the update activity within the network. Since our
previously advised technologies keep track of all the updates occurring within the
network, this technology enables the administrator to monitor and implement the updates which
are required for the network. There can be instances where a patch update might be a kind of
breach. So, to ensure that all is monitored correctly, this technology provides the much-needed
admin facilities required to protect the data.

Impact on Seagovia Defense and Banking Operations
3 on a scale of 4: High Threat Risk
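
Added example, not part of the original report: the Python below recomputes savings minus investment for each of the eleven tables above, checks the result against each table's stated Total Return on Investment, and ranks the technologies by a ROSI ratio. It assumes the net form ROSI = (savings - investment) / investment, which is how the tables arrive at their totals; the `mitigated` parameter and the break-even share are hypothetical additions that the report does not define.

```python
"""Recompute the report's per-technology returns (added example)."""

# Each row: (technology, subtotal investment, subtotal cost savings,
#            stated "Total Return on Investment"), USD, copied from the tables.
OPTIONS = [
    ("Antivirus Software",          5_250, 450_800, 445_250),
    ("Intrusion Detection System", 36_550, 451_500, 414_450),
    ("SACL and DACL",              37_250, 453_000, 415_750),
    ("Virtual Private Network",    90_100, 453_000, 419_500),
    ("Back-up Software",            6_525, 450_500, 443_975),
    ("Biometric",                  84_400, 452_000, 367_600),
    ("SSL VPN Cryptography",       12_050, 450_500, 438_450),
    ("Secure Email",               19_830, 450_500, 430_670),
    ("Active Directory",           11_300, 450_500, 439_200),
    ("Self Encrypting Drive",      65_050, 450_500, 385_450),
    ("Configuration Management",    8_450, 450_500, 442_050),
]


def rosi(investment, savings, mitigated=1.0):
    """Net-form ROSI: (mitigated savings - investment) / investment.

    `mitigated` is a hypothetical parameter (not in the report): the share of
    the claimed savings the control really prevents. The tables implicitly
    use 1.0, crediting every control with the full avoided loss.
    """
    if investment <= 0:
        raise ValueError("investment must be positive")
    if not 0.0 <= mitigated <= 1.0:
        raise ValueError("mitigated must be between 0 and 1")
    return (savings * mitigated - investment) / investment


def break_even_share(investment, savings):
    """Share of the claimed savings at which ROSI = 0 (cost equals benefit)."""
    return investment / savings


def audit(options=OPTIONS):
    """Recompute every row, highest ROSI first, and flag unreconciled totals."""
    rows = []
    for name, investment, savings, stated in options:
        net = savings - investment
        rows.append({
            "name": name,
            "net_return": net,
            "stated": stated,
            "reconciles": net == stated,
            "rosi": rosi(investment, savings),
            "break_even": break_even_share(investment, savings),
        })
    return sorted(rows, key=lambda r: r["rosi"], reverse=True)


def mismatches(options=OPTIONS):
    """Technologies whose stated total differs from savings - investment."""
    return [r["name"] for r in audit(options) if not r["reconciles"]]


if __name__ == "__main__":
    for r in audit():
        flag = "" if r["reconciles"] else f"  (table states ${r['stated']:,})"
        print(f"{r['name']:<28} net ${r['net_return']:>8,}  "
              f"ROSI {r['rosi']:6.2f}  break-even {r['break_even']:6.1%}{flag}")
```

The break-even column answers the second point of focus from the introduction: it is the fraction of the claimed savings a control must really deliver before its cost exceeds its benefit.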









REFERENCES
[1] Return on Security Investment - Interpreting ROSI
    http://blogs.globalcrossing.com/?q=content/rosi-return-security-investment
[2] Office Information
    http://en.wikipedia.org/wiki/Prime_Minister's_Office_(Singapore)
[3] Salaries of Government Employees
    http://www.payscale.com/research/US/People_Employed_by_the_Government/Salary
[4] Antivirus Software
    http://anti-virus-software-review.toptenreviews.com/ppc-index.html?cmpid=4637
[5] Antivirus Software Installation
    http://www.brokelyn.com/computer-repair-in-brooklyn/
    http://www.answers.com/license+renewal+fee+of+antivirus+software
[6] Intrusion Detection System
    http://www.timberlinetechnologies.com/products/intrusiondtct.html
    http://www.ciscopress.com/articles/article.asp?p=25334
[7] CISCO VPN Cost
    http://www.cisco.com/global/EMEA/ciscoitatwork/pdf/it-at-work-cisco-access-vpn.pdf
[8] Back-up Software
    http://data-backup-software-review.toptenreviews.com/
[9] Biometric
    http://www.findbiometrics.com/middleware-software/
[10] SSL VPN
    http://www.ovislink.com/newovislink/products/VPN/SSL/SSL.asp
    http://download.cnet.com/OvisGate-SSL-VPN-Server/3000-7240_4-10294896.html
[11] ZSentry
    http://zsentry.com/how_zmail.htm
[12] Active Directory License Cost
    http://www.jijitechnologies.com/jiji-active-directory-reports-reporting-tools-adr-pricing.aspx
[13] Self Encrypting Drive
    http://www.seagate.com/staticfiles/support/sedqual/MB595_1_0905US_SelfQual.pdf
[14] Patch Management Software
    http://www.windowsecurity.com/software/Patch-Management/
    http://www.gfi.com/whitepapers/patch-management.pdf
