This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
SAMM - Strategy & Metrics - 3

Revision as of 00:34, 20 April 2015 by David Fern (talk | contribs)




Strategy & Metrics - 3

Objective: Align security expenditure with relevant business indicators and asset value

Results

  • Information to make informed case-by-case decisions on security expenditures
  • Estimates of past loss due to security issues
  • Per-project consideration of security expense versus loss potential
  • Industry-wide due diligence with regard to security

Add’l Success Metrics

  • >80% of projects reporting security costs in past 3 months
  • >1 industry-wide cost comparison in past 1 year
  • >1 historic security spend evaluation in past 1 year

Add’l Costs

  • Buildout or license industry intelligence on security programs
  • Program overhead from cost estimation, tracking, and evaluation

Add’l Personnel

  • Architects (1 day/yr)
  • Managers (1 day/yr)
  • Business Owners (1 day/yr)
  • Security Auditor (1 day/yr)

Related Levels

  • Vulnerability Management - 1


A. Conduct periodic industry-wide cost comparisons

Research and gather information about security costs from intra-industry communication forums, business analyst and consulting firms, or other external sources. In particular, there are two key factors to identify: the level of security effort that is normal for comparable organizations, and potential savings on third-party products and services.

First, use collected information to identify the average amount of security effort being applied by similar types of organizations in your industry. This can be done either top-down from estimates of total percentage of budget, revenue, etc. or it can be done bottom-up by identifying security-related activities that are considered normal for your type of organization. Overall, this can be hard to gauge for certain industries, so collect information from as many relevant sources as are accessible.

The next goal of researching security costs is to determine if there are potential cost savings on third-party security products and services that your organization currently uses. When weighing the decision of switching vendors, account for hidden costs such as retraining staff or other program overhead.

Overall, these cost-comparison exercises should be conducted at least annually prior to the subsequent assurance program strategy session. Comparison information should be presented to stakeholders in order to better align the assurance program with the business.

B. Collect metrics for historic security spend

Collect project-specific information on the cost of past security incidents. For instance, time and money spent in cleaning up a breach, monetary loss from system outages, fines and fees to regulatory agencies, project-specific one-off security expenditures for tools or services, etc.

Using the application risk categories and the assurance program roadmap prescribed for each category, an initial baseline security cost can be estimated for each application from the costs associated with its risk category.

Combine the application-specific cost information with the general cost model based on risk category, and then evaluate projects for outliers, i.e. sums disproportionate to the risk rating. An outlier indicates either an error in risk evaluation/classification or a need to tune the organization's assurance program so that it addresses the root causes of security cost more effectively.
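The baseline-versus-actual comparison described above, as an added worked example that is not part of the SAMM model or the original page. The risk categories, baseline figures, the 2x tolerance band, the cost-type names, the project names and all cost line items are constructed for illustration; the rule used to separate "misclassified project" from "roadmap needs tuning" is a heuristic assumption, not something the model prescribes.

```python
"""Per-project security spend versus a risk-category baseline.

Added example for the "collect metrics for historic security spend"
activity; not part of SAMM or the original page. All figures, names and
thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical baseline annual security cost prescribed by the assurance
# roadmap for each application risk category (constructed figures).
BASELINE_BY_RISK = {"high": 120_000.0, "medium": 50_000.0, "low": 15_000.0}

# Spend above OUTLIER_FACTOR x baseline or below baseline / OUTLIER_FACTOR
# is treated as disproportionate to the risk rating (assumed tolerance).
OUTLIER_FACTOR = 2.0

# Project-specific cost kinds the text enumerates.
COST_TYPES = {"breach_cleanup", "outage_loss", "regulatory_fine", "one_off_tooling"}


@dataclass(frozen=True)
class CostEntry:
    project: str
    cost_type: str
    amount: float


# Constructed sample data: risk classification per project and the cost
# line items recorded against each project over the review period.
RISK_BY_PROJECT = {
    "payments-api": "high", "hr-portal": "medium", "reporting": "medium",
    "intranet-wiki": "low", "marketing-site": "low", "partner-portal": "low",
}
COST_ENTRIES = [
    CostEntry("payments-api", "breach_cleanup", 60_000),
    CostEntry("payments-api", "one_off_tooling", 40_000),
    CostEntry("hr-portal", "regulatory_fine", 90_000),
    CostEntry("hr-portal", "outage_loss", 30_000),
    CostEntry("reporting", "one_off_tooling", 45_000),
    CostEntry("intranet-wiki", "one_off_tooling", 5_000),
    CostEntry("marketing-site", "breach_cleanup", 30_000),
    CostEntry("marketing-site", "outage_loss", 10_000),
    CostEntry("partner-portal", "breach_cleanup", 25_000),
    CostEntry("partner-portal", "regulatory_fine", 12_000),
]


def aggregate_spend(entries):
    """Sum cost line items per project, rejecting malformed records."""
    totals = defaultdict(float)
    for e in entries:
        if e.cost_type not in COST_TYPES:
            raise ValueError(f"{e.project}: unknown cost type {e.cost_type!r}")
        if e.amount < 0:
            raise ValueError(f"{e.project}: negative amount {e.amount}")
        totals[e.project] += e.amount
    return dict(totals)


def evaluate_projects(risk_by_project, entries,
                      baseline=BASELINE_BY_RISK, factor=OUTLIER_FACTOR):
    """Return {project: {risk, expected, actual, ratio, status}}.

    status is "over", "under" or "within" the tolerance band. Recorded
    costs for a project with no risk classification are an error, since
    they cannot be compared with any baseline.
    """
    spend = aggregate_spend(entries)
    unclassified = sorted(set(spend) - set(risk_by_project))
    if unclassified:
        raise ValueError(f"projects without risk classification: {unclassified}")
    report = {}
    for project, risk in risk_by_project.items():
        expected = baseline[risk]
        actual = spend.get(project, 0.0)  # no recorded costs counts as zero spend
        ratio = actual / expected
        status = "over" if ratio > factor else "under" if ratio < 1.0 / factor else "within"
        report[project] = {"risk": risk, "expected": expected, "actual": actual,
                           "ratio": round(ratio, 2), "status": status}
    return report


def suggest_causes(report, min_share=0.5):
    """Heuristic split of the two causes the text names for an outlier.

    Two or more projects, and at least min_share of a category, on the
    same side of the band point at the category's roadmap ("tune_program");
    an isolated outlier points at that project's rating ("reclassify").
    """
    by_risk = defaultdict(list)
    for project, row in report.items():
        by_risk[row["risk"]].append((project, row["status"]))
    suggestions = []
    for risk, rows in sorted(by_risk.items()):
        for direction in ("over", "under"):
            hits = sorted(p for p, status in rows if status == direction)
            if not hits:
                continue
            systemic = len(hits) >= 2 and len(hits) >= min_share * len(rows)
            suggestions.append(("tune_program" if systemic else "reclassify",
                                risk, direction, hits))
    return suggestions


if __name__ == "__main__":
    rep = evaluate_projects(RISK_BY_PROJECT, COST_ENTRIES)
    for name, row in sorted(rep.items()):
        print(f"{name:15} {row['risk']:7} ratio {row['ratio']:<5} {row['status']}")
    for action, risk, direction, projects in suggest_causes(rep):
        print(f"{action}: {risk} projects {direction} baseline: {', '.join(projects)}")
```

With the constructed data, the "low" category has two of three projects well over baseline, which the heuristic reports as a roadmap problem for that category, while the single over-budget "medium" project (driven by a regulatory fine) is flagged for re-examination of its risk rating. In practice the tolerance factor and the share threshold should be tuned to the organization's own spread of costs before the figures are taken to stakeholders.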

Security spend per project should be tracked quarterly at the assurance program strategy session, and the information should be reviewed and evaluated by stakeholders at least annually. Outliers and other unforeseen costs should be discussed for their potential effect on the assurance program roadmap.

Additional Resources