Let's start by saying that you will have to do (at least) two calculations:

1) Return On Security Investment (ROSI): This will focus on security incidents, hacking, etc. (Some formulas are included in "Information Security Management Handbook, 4th Edition", Tipton & Krause.)

2) The money that will be saved on maintenance and general development costs.

I will only discuss the second.

It is estimated that software bugs cost more than eight times as much to fix in the post-release/maintenance phase as in the design phase. All security anomalies are classified as "bugs", because it is not how the software is supposed to behave. By implementing secure/best-practice coding standards and investing in developer education and software process (all of which are good secure coding practices), you are essentially going to improve the overall quality of your code, not just the security aspect.

Look through your database of past software projects and determine how much developer time (read: money) is being spent on maintenance, bug fixes and security fixes. Look at the classifications of these anomalies and make an informed decision about what you can expect to avoid during the next release or project. You can get a rough estimate of the savings based on that.

Good Luck,
Ryan

**********
* Pablowe - Writing the software that lets you write software
* http://www.pablowe.net/
**********

> Hello
>
> I am looking for methods to calculate return on investment in secure
> software engineering practices. Since it is impossible to create
> absolutely secure software (let alone define what is absolutely secure)
> it would be good to know how much to spend for developer education,
> code reviews and so on, to reach some kind of break-even point.
>
> I found many sites on the net which cover ROI for application
> security, but none dedicated to the finances of secure software
> engineering. If you know some links, please, share your knowledge.
>
> Thanks
>
> --
> Artem Frolov <frolovat_private>
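A worked version of the estimate Ryan describes, added here as an example; it is not part of the original post or of any Pablowe software. The anomaly records, the hourly rate, the avoidance fractions per classification and the investment figure used for the break-even check are all constructed assumptions; the only number taken from the post is the "more than eight times" cost ratio between a post-release fix and a design-phase fix. The calculation keeps 1/8 of the cost of every avoided post-release fix, on the assumption that the same defect would still have been caught and fixed (cheaply) at design time rather than never existing at all.

```python
from collections import defaultdict
from dataclasses import dataclass

# Ratio quoted in the post: a bug fixed post-release costs ~8x one fixed at design.
POST_RELEASE_TO_DESIGN_COST_RATIO = 8.0


@dataclass(frozen=True)
class Anomaly:
    """One record from the (hypothetical) past-projects database."""
    project: str
    classification: str   # e.g. "security", "functional"
    phase: str            # phase in which the fix was made
    fix_hours: float      # developer hours spent on the fix


# Constructed sample records; not real project data.
SAMPLE_ANOMALIES = [
    Anomaly("proj-a", "security",   "post-release", 40.0),
    Anomaly("proj-b", "security",   "post-release", 60.0),
    Anomaly("proj-a", "functional", "post-release", 200.0),
    Anomaly("proj-b", "functional", "test",          30.0),  # not post-release, ignored
    Anomaly("proj-a", "security",   "design",         5.0),  # not post-release, ignored
]


def post_release_hours_by_class(anomalies):
    """Sum developer hours spent on post-release fixes, per classification."""
    totals = defaultdict(float)
    for a in anomalies:
        if a.phase == "post-release":
            totals[a.classification] += a.fix_hours
    return dict(totals)


def estimate_savings(anomalies, hourly_rate, avoidance_rate):
    """Rough savings estimate for the next release.

    avoidance_rate maps a classification to the fraction of its post-release
    fix effort you expect to avoid after adopting the secure coding practices.
    An avoided post-release fix is assumed to still cost 1/8 of its effort at
    design time, so only 7/8 of the avoided effort is counted as saved.
    """
    result = {}
    total = 0.0
    for cls, hours in post_release_hours_by_class(anomalies).items():
        avoided_hours = hours * avoidance_rate.get(cls, 0.0)
        residual_hours = avoided_hours / POST_RELEASE_TO_DESIGN_COST_RATIO
        saved = (avoided_hours - residual_hours) * hourly_rate
        result[cls] = round(saved, 2)
        total += saved
    result["total"] = round(total, 2)
    return result


def break_even(savings_total, investment):
    """Net benefit of the investment; >= 0 means it has paid for itself."""
    return round(savings_total - investment, 2)


if __name__ == "__main__":
    # Assumed inputs: $100/h, and that practices remove half of post-release
    # security fix effort and a quarter of post-release functional fix effort.
    savings = estimate_savings(SAMPLE_ANOMALIES, 100.0,
                               {"security": 0.5, "functional": 0.25})
    print(savings)
    print("net benefit of a $5000 programme:", break_even(savings["total"], 5000.0))
```

The avoidance fractions are the judgment call the post refers to ("make an informed decision about what you can expect to avoid"); the arithmetic only makes that judgment explicit and lets you compare it against the cost of training or review time to find the break-even point Artem asked about.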
This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 14:52:07 PST