Spam, baseline and ROI calculation

We know that anti-spam (and for some, AV) is a necessary baseline.
(I’ll avoid using the ‘diligence’ words for now.)

But here is a spreadsheet that ‘does the numbers’.

As I’ve said before, the ROI issue isn’t about justifying the project (the normal B-school way of looking at things). It’s about ‘choosing between’. That’s what this spreadsheet purports to be doing. The reality is subtly different.
In doing so, it illustrates all that can go wrong with this approach. Basically you are ‘buying in’ to someone else’s way of looking at the analysis. This is essentially the trick that sales-droids use: they get you to accept their world view, and once you do, accepting that their product is the ‘right one’ naturally follows.

In a way, this is like the conclusion to the Sapir-Whorf hypothesis about linguistic determinism.
“Put simply, the hypothesis argues that the nature of a particular language influences the habitual thought of its speakers. Different patterns of language yield different patterns of thought.”

That Wikipedia article also has some references to the use of language as determinism in fiction that are very pertinent.

Elsewhere I find: “A well-known saying by Alan Perlis states that ‘a language that doesn’t affect the way you think about programming is not worth knowing’.” He’s talking about computer languages, but it applies to natural languages, and of course to tools: software tools like spreadsheets, word processors, UML modelers, and things like Photoshop.
So how is this relevant?

There in the spreadsheet are the four categories:

  • Difficulty
  • Investment
  • Capability
  • Expandability

No one says quite what they mean.
The Initial/Daily/Ongoing breakdown might appear to clarify, but when you work through it, it can also add to the confusion.

Is the investment in time or money? Well, if time is money, how are we calculating the equivalence?
Right, another sheet: grade of techie vs. bill-out rate.
Well, what about things like cost per server, cost per seat, cost per unit of bandwidth?

…. and so on …

How is ‘daily’ different from ‘ongoing’?

…. and so on …

Are these the only categories? Would you break things down more specifically? Would you use other or more categories?
Then there’s the weighting values. Do you agree with them? Are you going to accept other people guiding the judgment, making it appear that you are making the decisions, when in reality they have made all the important structural decisions?
The answer from the numbers-people (you know who you are!) is that it is easy enough to add another sheet, insert another row or column, alter the weightings … And indeed it is. For them. They think in those terms; they cannot do otherwise. “When the only tool you have is a hammer, you view every problem as a nail.”
But implicit in this is that you accept that culture and its conclusions: that the numbers (and the spreadsheet) are “God”.
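Here is what the weighting argument looks like when you actually run the numbers. This is an added example, not a spreadsheet from the post: three hypothetical products (A, B, C) with constructed 1–5 scores in the post’s four categories, and a sweep over every integer weighting that sums to 10 points to see who “wins”. The products, scores and the “vendor weights” are invented for illustration.

```python
"""Sensitivity of a weighted-scoring sheet to the weights baked into it.

Weights are small non-negative integers summing to STEPS, so every
calculation is exact integer arithmetic (no floating-point ties).
"""
from itertools import product

# The four categories named in the post.
CATEGORIES = ("difficulty", "investment", "capability", "expandability")

# Constructed 1..5 scores for three hypothetical products (not real vendors).
PRODUCTS = {
    "A": (4, 2, 5, 3),
    "B": (3, 4, 3, 5),
    "C": (5, 5, 2, 2),
}

STEPS = 10  # weights are integer "points" that sum to STEPS


def weighted_score(scores, weights):
    """Plain weighted sum, exactly what a spreadsheet SUMPRODUCT does."""
    return sum(s * w for s, w in zip(scores, weights))


def winner(products, weights):
    """Highest weighted score wins. Ties go to whichever product is listed
    first, which is itself an arbitrary structural decision someone made."""
    return max(products, key=lambda p: weighted_score(products[p], weights))


def weight_grid(n, steps=STEPS):
    """Every integer weight vector of length n whose entries sum to steps."""
    for combo in product(range(steps + 1), repeat=n):
        if sum(combo) == steps:
            yield combo


def win_counts(products, steps=STEPS):
    """How many of the grid weightings each product wins under."""
    counts = {p: 0 for p in products}
    for w in weight_grid(len(CATEGORIES), steps):
        counts[winner(products, w)] += 1
    return counts


def nearest_flip(products, base, steps=STEPS):
    """Smallest L1 change to `base` weights that changes the winner.

    Returns (distance, weights, new_winner), or None if no weighting on the
    grid changes the outcome (i.e. the ranking is robust to the weights).
    """
    current = winner(products, base)
    best = None
    for w in weight_grid(len(base), steps):
        if winner(products, w) == current:
            continue
        dist = sum(abs(a - b) for a, b in zip(base, w))
        if best is None or dist < best[0]:
            best = (dist, w, winner(products, w))
    return best


if __name__ == "__main__":
    vendor_weights = (2, 3, 3, 2)  # the weights "someone else" put in the sheet
    print("vendor weights ->", winner(PRODUCTS, vendor_weights))
    print("favour capability ->", winner(PRODUCTS, (1, 1, 7, 1)))
    print("favour investment ->", winner(PRODUCTS, (1, 7, 1, 1)))
    print("wins over all", STEPS, "-point weightings:", win_counts(PRODUCTS))
    print("nearest flip from vendor weights:", nearest_flip(PRODUCTS, vendor_weights))
```

With these constructed scores every product is the “right one” under some weighting, and moving a single point from one category to another is enough to change the answer the sheet gives. The nearest-flip distance is the question to ask of any such model before trusting its bottom line: if one point of weight flips the decision, the decision was made by whoever chose the weights.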

In the closing of the First World War, Kipling wrote a poem that poked fun at the established “old wise sayings” that many people used to justify action while avoiding really thinking about matters. I see the obsessive use of tools like spreadsheets and the numbers they give, hidden behind the arbitrary assumptions of the model, as a similar phenomenon.
So let’s look at it another way.
How would you choose your AV product?

  • Market Dominance
    As in ‘you never get fired for buying IBM’, updated to the modern world.
    Certainly when the Big Name auditors come along to do your compliance audit they will check “AV” off on their list.
  • Magazine Reviews
    There are two approaches here. You can ‘blindly’ accept the ‘Editors’ Choice’, which is really no different from accepting how they formulated their spreadsheet and assigned weightings and values. Alternatively you can read lots of reviews and form your own impression.
  • Advice of Peers
    As in ‘this worked for me‘ or ‘I had lots of problems with that one‘.
    In some ways this is like reading lots of reviews, but with a more personal and ‘real world’ feel to it. You can also seek out someone who has a set-up similar to yours so that the context of the advice is more meaningful.
  • Corporate Standard
    Maybe you don’t have a choice. (I recall a site where ‘policy’ said that all IBM computers had to be in the raised-floor room. It was probably originally justified by insurance, UPS and HVAC issues. However, when I audited the site I found a stack of IBM laptops there that had never been used.) Maybe the security is outsourced or somehow ‘managed’ and the details are outside your control. Perhaps there is a “Master Purchasing Agreement” with a specific vendor, and if that vendor has a product that is pertinent you get stuck with it.

So how do you make the decisions – not the “decision to” but the “decision which”?

About the author

Security Evangelist
