Model to measure return on investment in computer and information security - ROSI

The following work tries to propose across a quantitative correlation investigation, a model to measure the return on the investment in IT security ROSI in the SMEs of Colombia, allowing hereby that the managers, leaders of technology and security, should have the necessary tools to determine in an objective way how to prioritize the investments, thinking always about the economic and operative well-being of the organization.

An important variable of this investigation is the understanding of the state in which they find the SMEs of Colombia in topics of IT security and of the information, since these topics are new due to the fact that scarcely they are starting listening to these terms, thanks to the quantity of news that relates to "Hackers" or losses of corporate information. In the city of Cali there is a great quantity of SMEs that are very focused on the development of their service or main function and do not have inside their radar a topic so delicate as it is that of the IT security and of the information.

Likewise, the aim is to make visible the security models that SMEs can use into account the advantages and disadvantages of their application. Although it is not mandatory for legally constituted organizations to implement security controls, there is a corporate responsibility for the delivery of an excellent product or service, which is only guaranteed if the information assets are correctly safeguarded.

Hidden and intangible costs generated due to lack of investment or planning in security investments are also presented. This allows SMEs to be aware that they can be victims of computer criminals or that losses can be generated due to the lack of training of their staff and all this due to the lack of implementation of controls, which ensure proper management on issues technological.