Internet security: you don't get what you pay for.

Author: Millman, Gregory J.
Position: Special section

Hackers, spies, worms and viruses get plenty of press, but what do you get when you invest in protecting yourself against them? Not much, it seems. Even security consultants have a hard time trying to make a business case for investing in security.

No one has really measured what's at risk, how big the risk is and what it is really worth to get rid of the risk. "Security is probably the last domain of business administration that has not agreed to submit itself to serious quantitative scrutiny," says Andrew Jaquith, program director at the security consulting firm @stake. Jaquith and his co-authors noted in a recent article that the average firm spends 0.047 percent of its revenue on security. But the scarcity of data and the reluctance of firms to share information about security make it hard to say where, exactly, that security investment goes, and what precisely it is accomplishing.

When they put on their marketing hats, security consultants and vendors understandably tend to say that firms are not spending enough, and to point to the increasing number and frequency of attacks, especially from the Internet. Yet a 2003 survey by the Computer Security Institute indicates that it's wise to take these warnings with a grain of salt.

The Institute polled 530 firms and found that while Internet attacks had increased, overall financial losses from both internal and external attacks had plunged by more than half from last year's level. Financial fraud losses were down even more, from over $100 million to less than $10 million. The only area of loss that seemed to have increased was from so-called "denial of service" attacks, estimated to have cost the 530 firms around $65 million, or an average of $122,642 apiece.

A consultant in the security practice of a Big Four audit firm, who asked not to be identified, says, "Security is still more folk art than science. We have no strong security measurements, no historical data, we can't perform actuarial calculations and we're in the dark in terms of measuring the impact on business."

Any loss is a bad loss, and one would prefer to prevent every one, but probably not at any price. The rub is: what price makes business sense?

Ross Anderson, a reader in security engineering at Cambridge University in Britain and an authority in the economics of security, bluntly declares, "The level of the threat is widely overestimated. The best information we have suggests that the return on security investments, while not...
