The value of security
Of course, in a corporate environment, you would want to be able to demonstrate the ROI of any investment. Investing in security generally leads to a very difficult demonstration of ROI as security will generally not bring an extra revenue to your organization, but mitigate the risks of loss. But even evaluating the loss risk is generally impossible in our environment.
In a traditional environment, you would demonstrate the interest of a security investment using the annualized loss expectancy (ALE) method: calculate the cost of a security incident in both tangibles like time and money, and intangibles like reputation and competitive advantage, multiply that by the chance the incident will occur in a year, and that tells you how much you should spend to mitigate the risk.
In our environment, there is generally not enough available data to evaluate the probability of a security failure to occur, and the potential cost of such security failure. For these reasons, investing in security, is often linked with an anticipation of risks, and an anticipation of the associated potential costs based on conviction rather than on hard data.
The latest example we have is the signature by Infineon and Renesas of a license of Cryptography Research IP covering anti DPA (Differential Power Analysis) and anti SPA (Simple Power Analysis) measures. Infineon and Renesas can't be considered as irrational companies, nevertheless they decided to establish a differentiation factor from their competitors by offering an additional security level to their customers, the smart card manufacturers and further down the value chain, the smart card issuers. These licenses will lead them to increase their prices and allow them to provide their customers with both additional technological security and additional security in terms of Intellectual Property issues.
A variety of scenarios can happen now: a SPA/DPA attack could happen on chips from other vendors demonstrating the rationality of Infineon and Renesas in implementing such countermeasures, other semiconductor vendors could decide to take the same license reducing the competitive advantages of Infineon and Renesas, or even nothing could happen and issuers would be left with the decision of paying for cards implementing DPA/SPA countermeasures or not. And again, they would be left with a decision based essentially on conviction.