Network security is one of the hardest technology categories for which to build an ROI analysis. The fundamental problem is determining the value of preventing security breaches, which constitutes the "savings" in an ROI calculation of savings divided by cost (Alexander 2008). In this paper, we first present the issues in the 'Silver Mines' case study and then propose solutions based on return on investment, together with cost estimates for the company's security problems.
Discussion
Costs for network security products range from $25 per node in small organizations up to about $85 per node for larger organizations (Axelrod 2004). Product pricing varies by vendor and by country. Common network security investments include:
Firewalls
Intrusion-detection systems
Monitoring tools
Authentication solutions (such as RSA's SecureID)
Web filter/content filtering system
Anti-virus software
Staff security specialists (or consultants to provide the necessary ongoing maintenance of security products)
24-7 monitoring service
For Silver Mines, the first step was to determine the context for the risk assessment. Being in the mining industry places the company at the less risky end of the spectrum, so it is less likely to be specifically targeted. Silver Star Mines is part of a large organization and is therefore subject to legal requirements for occupational health and safety and answerable to its shareholders. Management therefore decided that it would accept only moderate or lower risks in general. The boundaries of this risk assessment were specified to include only the systems under the direct control of the Silver Star Mine operations; this excluded the wider company intranet, its central servers, and its Internet gateway (Whitman 2005). The assessment is sponsored by Silver Star's IT and engineering managers, with results to be reported to the company board (Pieprzyk et al. 2000). It uses the process and ratings described in the risk table.
Nodes control and monitor the core mining operations of the company and enable it to operate safely and efficiently and, most crucially, to generate revenue. Some of these systems also maintain the records required by law, which are regularly inspected by the government agencies responsible for the mining industry. Any failure to create, preserve, and produce these records on demand would expose the company to fines and other legal sanctions. Hence, these systems were listed as the first key asset (Vacca 2009).
A number of the IT managers indicated that a large amount of critical data was stored on various file servers, either in individual files or in databases. They identified the importance of the integrity of these data to the company. Some of these data were generated automatically by applications; other data were created by employees using common office applications. Some of this data needed to be available for audits by government agencies. There were also data on production and operational results, contracts and tendering, personnel, application backups, operational and capital expenditure, mine survey and planning, and exploratory drilling. Collectively, the integrity of stored data was identified as the second key ...
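As an added illustration that is not part of the paper, the following Python sketch ties together the paper's ROI definition (savings divided by cost), the per-node cost figures from Axelrod (2004), the "moderate or lower" risk appetite, and the two key assets identified above. The rating scale, risk matrix, node count and annual loss figures are constructed assumptions, not values from the case study or its risk table.

```python
from dataclasses import dataclass

# Per-node product cost range quoted from Axelrod (2004) in the paper.
PER_NODE_SMALL_ORG, PER_NODE_LARGE_ORG = 25.0, 85.0
# Ordinal rating scale and risk matrix: constructed stand-ins (assumption) for the
# paper's risk table. MATRIX is indexed by likelihood rank + consequence rank (0..6).
LEVELS = ["low", "moderate", "high", "extreme"]
MATRIX = ["low", "low", "moderate", "high", "high", "extreme", "extreme"]

def risk_level(likelihood: str, consequence: str) -> str:
    """Combine likelihood and consequence ratings into a risk level."""
    return MATRIX[LEVELS.index(likelihood) + LEVELS.index(consequence)]

def accepted(level: str, appetite: str = "moderate") -> bool:
    """Management in the case accepts only moderate or lower risks."""
    return LEVELS.index(level) <= LEVELS.index(appetite)

def product_cost(nodes: int, per_node: float) -> float:
    """Cost of a network security product priced per node."""
    return nodes * per_node

def roi(savings: float, cost: float) -> float:
    """ROI as the paper frames it: prevented loss (savings) divided by cost."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return savings / cost

@dataclass
class Asset:
    name: str
    likelihood: str
    consequence: str
    annual_loss: float  # constructed estimate of yearly loss if the risk is realised

# Constructed sample ratings and loss figures for the two key assets the paper names.
SAMPLE_ASSETS = [
    Asset("Mining control nodes", "low", "extreme", 500_000.0),
    Asset("Stored data integrity", "moderate", "moderate", 34_000.0),
]

def evaluate(assets, nodes, per_node, reduction):
    """Rate each asset against the risk appetite and compute the ROI of a control
    that cuts its annual loss by `reduction` (a fraction) at the given per-node cost."""
    cost = product_cost(nodes, per_node)
    result = {}
    for a in assets:
        level = risk_level(a.likelihood, a.consequence)
        result[a.name] = {"risk": level, "accepted": accepted(level),
                          "roi": roi(a.annual_loss * reduction, cost)}
    return result
```

Calling `evaluate(SAMPLE_ASSETS, 200, PER_NODE_LARGE_ORG, 0.4)` shows the control nodes rated "high" (outside the risk appetite, so treatment is required) while the stored-data risk sits inside it, and an ROI below 1 for the latter flags a control whose cost exceeds its prevented loss.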