Comsec Consulting has launched the Security Cost Analysis Tool (S.C.A. Tool) to assist in the identification and assessment of the value of security controls and countermeasure investments.

Launched as an additional feature of Comsec's IT security cost management approach, the S.C.A. Tool has been created specifically to enable organisations to identify their overall expenditure on security and to establish whether this investment is effectively meeting their business security requirements.

It gathers the information needed to calculate security costs and risk value, within three primary areas: people and processes, technology and physical controls. The database behind the tool allows analysis of 560 individual parameters which affect over 50 different security control groups, as well as identifying 19 different types of enterprise breach and fraud abuse scenarios.

Stuart Okin, managing director of Comsec Consulting UK, said: “In the process of developing our S.C.A. Tool, we've been surprised by the number of companies who simply have no idea of their security spend.

“With such scrutiny surrounding every area of an enterprise's operation, defining this cost and of course the associated value is vital. Our research has revealed that security leaders estimate that they could be spending between 0.01 per cent to a staggering six per cent of revenue on security, when considering information and physical security, as well as fraud detection, prevention and investigation.

“Without doubt getting a clear visibility over spend is important to all business, as well as understanding the risk and compliance requirements. Utilising this tool, Comsec is able to deliver clients with a programme of change, which allows them to focus their finances and efforts on accurate security controls and countermeasures, helping them manage risk more efficiently.”

Alan Jenkins, director of security risk management and chief security officer (UK & Ireland) at CSC, said: “In this economically challenging time, it is critical that applications and solutions are being utilised effectively, but also that security-related costs are being managed proportionate to the business' risk appetite. We must champion 'value-at-risk' as part of our security support to business."