Skip to main content

determining-an-appropriate-cost-of-capital-for-an

(0 comments)

In my first post, I discussed the short-comings of ROI as an analysis tool for information security projects because it doesn't include a cost of capital. Using a cap rate will increase the accuracy of your analysis, but how do you come up with a good cap rate?

First, start with your firm’s WACC. Ask your CEO or CFO. If you can get a bank loan of some kind, your cost of debt is whatever rate the bank gives you. Your cost of equity would be some where above that. Then look at the project. Will it create new avenues of attack and increase risks? Will a successful attack result in significant consequences? Will it increase the likelihood of injury? If so, what would be the cost? These are subjective questions. I find that when faced with subjective questions, it's helpful to weigh the answers and average the results.

Below is a short table that compares an existing, well protected LAN to the same network with a WiFi network added. You weigh the importance for each element. For example, while the loss of confidential information is high, perhaps it is unlikely that you would have to announce that publicly, perhaps because you are not subject to the California Database Protection Act, GLB or HIPAA.

 

Click here to see the table

 

You can create your own table of factors. For example, you might include a category on how a successful attack might impact your personal situation at the firm. In this example, we're positing that the wireless LAN is twice as risky as a wired LAN. If your firm's WACC is 10%, this project should be 20.7%. If the expected savings are $1,000, the investment better be less than $4828.

 

Currently unrated

Comments

There are currently no comments

New Comment

required

required (not published)

optional

Recent Posts

Archive

2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom