Forecasting for Return on Security Information Investment: New Approach on Trends in Intrusion Detection and Unwanted Internet Traffic

The methods used to determine the return on security investment (ROSI) concern historic incidents´ analysis, cost avoidance resulting from resistance, recognition and reconstitution efforts. Although some ROSI methods consider security incidents´ likelihood, they don´t approach studies about forecasts and trends of incidents or unwanted events. Likewise other sciences (seismology, meteorology, vulcanology, and economics) in which extent efforts are done for forecasts, information technology and information security may analyze tendencies, as Internet traffic and intrusion detection trends. The aim of this paper is to show a forecasting approach which could be aggregated to common ROSI methods. In this study, forecasting approach is based on two trend techniques: moving averages and Fibonacci sequence - for security incidents with intrusion detection system (IDS) and unwanted Internet traffic. Tests applied over two datasets (DARPA, KDD), with an IDS, showed that the employed techniques define incidents trends; therefore, forecasting approach may be complementary to ROSI methods.