ROI figures are meaningless: Bruce Schneier

Summary: Return on investment figures, which are commonly used by vendors to justify the value of their products, are meaningless -- especially when it comes to security, claims Bruce Schneier.

In his opening keynote at linux.conf.au last month, the security guru called ROI figures "complete bullshit". In a video interview, Schneier explained to ZDNet.com.au why these cost justifications make no sense.

"If you ever see one of those ROI models, what they do is measure the cost of an attack and then multiply by the probability of an attack to give you how much money you should spend.

"This fails when you have very, very rare and very, very expensive events because you are effectively multiplying zero by infinity. If you have taken any infinity theory, which I don't recommend, multiplying zero by infinity gives you every number," said Schneier.

He explained that the amount spent on a product can change significantly by simply playing with the equation.

"If the chance of you being attacked is one in a million and I change it to one in two million ... I have halved the amount of money you should spend.

"Maybe your reputation is worth [US]$20 million, or maybe it is only worth [US]$10 million, or maybe it is worth [US]$40 million. Suddenly I can completely perturb your budget -- because the numbers are so big and so small that minor changes ... make huge changes to the product.

"I can make an ROI model say whatever I want. I could justify or not justify anything based on these very, very rare and very, very damaging events," he said.

Schneier also explained why many "bad" security products outsell "good" security products.

"We are in a market where the average consumer -- even a savvy IT consumer -- can't tell the difference between a good product and a bad product.

"It is easy for functional requirements -- if you want to know if your word processor does italics, you just check if it does italics. Functional requirements are easy to test. It is the non-functional requirements that all end in a 'y' -- security, reliability, usability.

"So most people, companies, organisations, can't tell the difference between a good product and a bad product and they are forced to rely on the seller. In those markets -- they're called lemons markets -- bad products drive out good products because bad products are cheaper," he added.

About

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK. Munir was recognised as Austr...

About

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.
