Applying ROI analysis to support SOA information security investment decisions

Offering functionality and data in a secure manner poses significant challenges for Government enterprises that are embracing approaches, such as Service-Oriented Architectures (SOA), especially when there is a desire to promote information sharing across functional, organizational, or Community of Interest (CO-1) boundaries. Many Government organizations evaluate implementation of security measures against the risk that a particular vulnerability will be exploited by a particular threat. Informed information security investment decisions are made based upon analysis of cost, benefit, schedule, performance, and risk tradeoffs. The investment decision-making spacefor information security in a web-based, service-oriented environment is explored in this paper, and methods for evaluating operational, economic and performance implications are considered This paper discusses the value and practicality of applying Return-on-Investment (ROJ) analysis for Government information security investment decision-making, especially when information sharing is a key success driver. Recommendations are based upon preliminary findings of a MITRE Mission-Oriented Investigation and Experimentation (MOJE) effort related to SOA Performance Measures Expression in PerformanceBased Acquisition (PBA) Vehicles.