• DocumentCode
    1642799
  • Title

    Applying ROI Analysis to Support SOA Information Security Investment Decisions

  • Author

    Buck, Kevin ; Das, Prasant ; Hanf, Diane

  • Author_Institution
    MITRE Corp., McLean, VA
  • fYear
    2008
  • Firstpage
    359
  • Lastpage
    366
  • Abstract
    Offering functionality and data in a secure manner poses significant challenges for Government enterprises that are embracing approaches, such as Service-Oriented Architectures (SOA), especially when there is a desire to promote information sharing across functional, organizational, or Community of Interest (COI) boundaries. Many Government organizations evaluate implementation of security measures against the risk that a particular vulnerability will be exploited by a particular threat. Informed information security investment decisions are made based upon analysis of cost, benefit, schedule, performance, and risk tradeoffs. The investment decision-making space for information security in a web-based, service-oriented environment is explored in this paper, and methods for evaluating operational, economic and performance implications are considered. This paper discusses the value and practicality of applying Return-on-Investment (ROI) analysis for Government information security investment decision-making, especially when information sharing is a key success driver. Recommendations are based upon preliminary findings of a MITRE Mission-Oriented Investigation and Experimentation (MOIE) effort related to SOA Performance Measures Expression in Performance-Based Acquisition (PBA) Vehicles.
  • Keywords
    Web services; decision making; government data processing; security of data; software architecture; government organization; information security investment decision making; information sharing; mission-oriented investigation; performance-based acquisition vehicles; return-on-investment analysis; service-oriented architecture; Cost benefit analysis; Data security; Decision making; Government; Information analysis; Information security; Investments; Particle measurements; Semiconductor optical amplifiers; Service oriented architecture
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Technologies for Homeland Security, 2008 IEEE Conference on
  • Conference_Location
    Waltham, MA
  • Print_ISBN
    978-1-4244-1977-7
  • Electronic_ISBN
    978-1-4244-1978-4
  • Type

    conf

  • DOI
    10.1109/THS.2008.4534478
  • Filename
    4534478