Budgeting of application security measures for mitigating risks of data breach incidents

CISOs are responsible for deciding how much money the organization needs to budget for application security. Budgeting should be driven by risk mitigation criteria rather than by other factors, such as a fixed percentage of the overall Information Technology (IT) budget or a year-over-year allocation for application security as a fraction of the overall information security budget (which also covers compliance and operational-governance costs). The main responsibilities of CISOs in budgeting include:

  • Estimating the impact of the costs incurred in the event of a security incident
  • Calculating quantitatively the annual cost of losses due to a security incident
  • Optimizing security costs in relation to the cost of incidents and the cost of security measures
  • Determining the return on investment of application security measures
  • Analyzing the risks of data breach incidents

Two factors determine the risk of a security incident: the negative impact the incident causes and its likelihood (probability). Estimating the impact depends above all on the ability to ascertain the costs the organization would incur because of the incident. Examples of negative impacts of a security incident on an organization include:

  • Reputation loss, such as, for a publicly traded company, a drop in stock price following an announced security breach;
  • Loss of revenue, such as from a denial of service against a site that sells services or goods to clients and customers;
  • Loss of data that is an asset of the company, such as users' confidential data, Personally Identifiable Information (PII), authentication data, and trade secrets or other intellectual property;
  • Inability to deliver a statutory service to citizens;
  • Adverse impact on individuals whose data has been exposed.
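The budgeting responsibilities and the two risk factors described above can be turned into arithmetic. The following is an added worked example, not code from the OWASP CISO Guide: it assumes the usual quantitative-risk conventions (annual expected loss = impact per incident multiplied by expected incidents per year; return on security investment = (loss avoided minus cost) divided by cost), which the text above does not spell out, and every incident class, measure name, cost and reduction percentage in it is a constructed sample figure.

```python
"""Quantitative risk and return-on-security-investment arithmetic for
application security budgeting.

Assumptions (not stated in the source text):
  - risk per incident class is expressed as an annual expected loss,
    ALE = impact_per_incident * expected_incidents_per_year;
  - the return on a set of measures is ROSI = (loss avoided - cost) / cost.
All figures below are constructed sample values, not real data.
"""

from dataclasses import dataclass
from itertools import combinations
from math import prod


@dataclass
class Scenario:
    """One class of security incident, described by the two risk factors:
    the negative impact it causes and how often it is expected to occur."""
    name: str
    impact: float       # cost incurred per incident
    annual_rate: float  # expected incidents per year (likelihood)

    def ale(self) -> float:
        """Annual expected loss: impact multiplied by yearly likelihood."""
        return self.impact * self.annual_rate


@dataclass
class Measure:
    """A candidate application security measure with its yearly cost and the
    fraction of each scenario's annual loss it removes (hypothetical figures)."""
    name: str
    annual_cost: float
    reduction: dict  # scenario name -> fraction of that scenario's ALE removed


def residual_ale(scenario, measures):
    """Loss remaining after applying several measures. Reductions are combined
    multiplicatively, so two 60% reductions do not add up to 120%."""
    untouched = prod(1.0 - m.reduction.get(scenario.name, 0.0) for m in measures)
    return scenario.ale() * untouched


def risk_reduction(measures, scenarios):
    """Total annual loss avoided by a set of measures across all scenarios."""
    return sum(s.ale() - residual_ale(s, measures) for s in scenarios)


def rosi(measures, scenarios):
    """Return on security investment for a set of measures."""
    cost = sum(m.annual_cost for m in measures)
    return (risk_reduction(measures, scenarios) - cost) / cost


def best_portfolio(measures, scenarios, budget):
    """Exhaustive search over subsets of measures: pick the set with the largest
    net benefit (loss avoided minus cost) that fits the budget. Adequate for a
    handful of candidates; the search grows exponentially with their number."""
    best, best_net = (), 0.0
    for k in range(1, len(measures) + 1):
        for subset in combinations(measures, k):
            cost = sum(m.annual_cost for m in subset)
            if cost > budget:
                continue
            net = risk_reduction(subset, scenarios) - cost
            if net > best_net:
                best, best_net = subset, net
    return best, best_net


# Constructed sample figures (hypothetical incident classes and measures).
SCENARIOS = [
    Scenario("pii breach", impact=500_000, annual_rate=0.2),       # ALE 100,000
    Scenario("denial of service", impact=40_000, annual_rate=1.5),  # ALE 60,000
    Scenario("ip theft", impact=2_000_000, annual_rate=0.02),      # ALE 40,000
]

MEASURES = [
    Measure("SAST + code review", 30_000, {"pii breach": 0.5, "ip theft": 0.3}),
    Measure("WAF", 25_000, {"pii breach": 0.3, "denial of service": 0.6}),
    Measure("DDoS scrubbing", 50_000, {"denial of service": 0.9}),
    Measure("annual consultancy", 80_000, {"pii breach": 0.4}),
]


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:20} ALE  = {s.ale():>10,.0f}")
    for m in MEASURES:
        print(f"{m.name:20} ROSI = {rosi([m], SCENARIOS):>6.2f}")
    chosen, net = best_portfolio(MEASURES, SCENARIOS, budget=100_000)
    print("within budget:", [m.name for m in chosen], f"net benefit {net:,.0f}")
```

Two points the arithmetic makes that the list above does not: a measure with a negative ROSI (the constructed "annual consultancy" entry) removes real risk yet still does not pay for itself, and measures that overlap on the same incident class are worth less together than the sum of their individual reductions, which is why the portfolio search works on residual loss rather than adding percentages.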

Source:
https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf