Measure Information Security Effectiveness — Information Security Economics 103

This is the third in a series of reports providing new methods and guidance for the financial management of information security. For many companies, security spending and budgeting is a restatement of what was spent last year and is often represented as a percentage of total IT spending. Most organizations would benefit from a more practical method of budgeting that segments security spending into one of the three R's: readiness, response, and recovery. Doing this more accurately categorizes security spending and can help security and risk (S&R) pros allocate security resources more accurately and efficiently. For example, if a security team spends the correct amount of resources on readiness, the resources needed for response and recovery should be commensurably lower. This report explains how measuring the changes in spending for these three categories can help determine the effectiveness of your security program.