Developing an ROI for Security


IT is crucial for any business. Security can help deliver business solutions at a lower cost, but it may also be seen as an expense and an inconvenience. It is important that a security manager work with IT and business management to establish a culture of security, one in which security is considered a standard way of doing business. One way to do this is to present the ROI for security projects and demonstrate that the security initiative enables the company to avoid a greater loss from a security breach. Demonstrating the value of security projects is especially important when a company is working to cut costs, as is often the case.

Consider the case of a security manager who thinks it is important to invest in a Web application firewall to protect several business-critical applications that link to the Internet. A Web application firewall will not scale to protect all of the company’s Web applications, but it can log activities and block specific malicious attacks against some key applications. The security manager knows that about 80% of all Web applications on the Internet are vulnerable to some exploit. [1]

On the basis of this information and other calculations, the manager believes there is a 40% likelihood of one of the Web applications with sensitive data being breached in the next year. Based on the 2008 CSI Computer Crime and Security Survey [2], an average incident costs a company more than $500,000. If nothing else changes, the manager expects the annual loss to remain the same in the future. He knows that his company is attempting to reduce the overall IT budget this year, but he feels this project is a justified expense given the risks he has identified.

As a group, discuss how to build an ROI business case that the security manager can present to the business managers of the application. The case should show that over 5 years it will be more cost-effective to spend $300,000 for the Web application firewall and $50,000 in annual maintenance than to accept the risk of important Web applications being compromised.
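As a worked illustration of the figures in the case (added here; it is not part of the assignment text), the following Python computes the annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence), the 5-year total cost of ownership of the firewall, the loss avoided, the net benefit and ROI, and the break-even year. The residual_risk factor is an assumption: the case treats the firewall as avoiding the risk, so the baseline run uses 0; a second run with 25% residual risk shows how the business case weakens if the firewall only blocks some attacks, which is the caveat a business manager will raise given that it cannot cover every application.

```python
"""Worked security ROI for the Web application firewall case.

Added illustration. The dollar figures and the 40% likelihood come from
the case; residual_risk is an ASSUMED parameter (0.0 reproduces the case's
"avoid the risk" framing, 0.25 is a constructed sensitivity scenario).
"""
from dataclasses import dataclass
from typing import Optional

# Figures stated in the case
SLE = 500_000.0           # single loss expectancy: average cost of one incident
ARO = 0.40                # annual rate of occurrence: 40% likelihood per year
YEARS = 5                 # planning horizon of the business case
CAPITAL_COST = 300_000.0  # one-time cost of the Web application firewall
ANNUAL_MAINTENANCE = 50_000.0


@dataclass
class Control:
    """A security control with its cost profile and assumed effectiveness."""
    capital_cost: float
    annual_maintenance: float
    residual_risk: float = 0.0  # ASSUMED: share of the original ARO left after the control

    def cumulative_cost(self, year: int) -> float:
        """Total spent on the control by the end of the given year."""
        return self.capital_cost + self.annual_maintenance * year


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy: the yearly loss the risk analysis predicts."""
    return sle * aro


def break_even_year(avoided_per_year: float, control: Control, years: int) -> Optional[int]:
    """First year in which cumulative avoided loss covers cumulative spend, else None."""
    for year in range(1, years + 1):
        if avoided_per_year * year >= control.cumulative_cost(year):
            return year
    return None


def roi_case(sle: float, aro: float, control: Control, years: int) -> dict:
    """Build the numbers a business manager expects to see in an ROI case."""
    ale_without = ale(sle, aro)
    ale_with = ale(sle, aro * control.residual_risk)
    avoided_per_year = ale_without - ale_with
    tco = control.cumulative_cost(years)
    avoided = avoided_per_year * years
    net_benefit = avoided - tco
    return {
        "ale_without_control": round(ale_without, 2),
        "ale_with_control": round(ale_with, 2),
        "expected_loss_over_horizon": round(ale_without * years, 2),
        "total_cost_of_ownership": round(tco, 2),
        "loss_avoided": round(avoided, 2),
        "net_benefit": round(net_benefit, 2),
        "roi": round(net_benefit / tco, 4),  # net benefit per dollar spent
        "break_even_year": break_even_year(avoided_per_year, control, years),
    }


def sensitivity(residual_risks) -> dict:
    """Re-run the case for several assumed effectiveness levels of the firewall."""
    return {
        r: roi_case(SLE, ARO, Control(CAPITAL_COST, ANNUAL_MAINTENANCE, r), YEARS)
        for r in residual_risks
    }


if __name__ == "__main__":
    for residual, result in sensitivity([0.0, 0.25]).items():
        print(f"residual risk {residual:.0%}:")
        for key, value in result.items():
            print(f"  {key}: {value}")
```

With the case's figures the ALE is $200,000 per year, so the expected loss over 5 years is $1,000,000 against $550,000 of firewall cost, a net benefit of $450,000 and break-even in year 2. The 25% residual-risk run still shows a positive case ($200,000 net, break-even in year 3), which is the kind of sensitivity check that makes the argument credible to business managers.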

As a group, submit a report that responds to the following questions:

How does a risk analysis fit into developing an ROI case for important security initiatives? Explain how using an ROI and business language helps convey the security risks better to business managers.