The topic of ROI for physical security expenditures is extremely complicated and not easily quantifiable, so we will only briefly discuss some basic points and scenarios to consider. You may wish to dig a lot deeper in your own corporate environment to come up with a specific game plan.
Security is often seen as a cost that yields no direct benefit to an organization. This point of view is not accurate. To dispel the myth, we as security practitioners must be able to communicate the value of the work that we do on a day-to-day basis. For example, having security cameras, guards with guard dogs, and access control systems at all major points of entry, internal and external, to the facilities can be a large expenditure, but what value does it produce, and how much ROI is the company getting?
Let’s look at a few examples. Take the case of a worker injured on the job. The average cost of a worker’s compensation claim is hard to determine as a general average because it varies quite a bit by state. For example, Florida has a very high rate of fraud, so the premiums and the claims are much higher, and if the claim is in a large city like Miami, where the cost of living is also high, the numbers will be quite large. The cost also varies by type of injury.
If overtime must be paid or another employee hired while the injured one recovers, that will add further costs, and the increased cost of premiums resulting from the claim must also be weighed in. Very broadly speaking, a single worker’s compensation claim in the US will generally cost a company at least $5-$10K. That being the case, does a $3-$5K camera system seem like a good value?
Let’s look at another example. Suppose someone were to break into your company and steal the laptop of the president of the company. What is the financial impact of that? Depending on how locked down and thorough your security controls are, the effect could be either devastating or practically zero. Why take the risk, however?
What about the possibility of someone breaking into a file cabinet in the accounting, finance, or executive offices? What would be the impact of that? How much embarrassment would it cost the company if the information were leaked? What if the competitors of the firm got hold of the data? What would be the outcome financially if trade secrets or a competitive market advantage were put at risk?
All of the above are some of the hard questions that we as cyber security practitioners must be able to throw back in our defense when we are asking for budget for physical security. What is the impact if so and so happened? What would it cost us if this or that was taken, stolen, or revealed, versus the cost of implementing a physical security control?
Let me ask one final rhetorical question: is a cybersecurity expenditure of $5 or $10 Million a bargain to protect the worth of a $4, $5 or $10 Billion enterprise? Put in those terms, it’s obvious that the work that we do adds quite a bit of value and saves the company money, and in some rare cases it may actually prevent the firm from going out of business altogether as the result of a potential breach.