
Financial Analysis for InfoSec Pros

This is the second in (hopefully) a series of blog posts. My goal is to provide information security professionals a basis for discussing risks with business professionals - especially finance people - and to dispel some myths. The first post discussed how reducing risk creates value. The goal of this post is to lay some groundwork for proper financial analysis techniques - or at least to minimize the dumber ones.

I'm sure we all have terms that immediately send emails into the trash. One of mine is 'ROI'. ROI is a crappy measure for just about anything. ROI is defined as (Gain from Investment - Cost of Investment) / Cost of Investment. So if your gain from an investment of $1 is $2, your ROI is (2-1)/1, or 100%. Sounds great, but what does it really tell us?

What if we are choosing between two options? The first is an investment of $1,000,000 with an estimated gain of $2,000,000, and the second is an investment of $10,000,000 with an estimated gain of $20,000,000. The ROI on both of these is the same, which makes absolutely no sense at all. ROI also fails to include any consideration of the time value of money. You could say that it is a good 'first blush' tool, but I prefer payback periods for that.

Net Present Value is widely considered to be a much better analysis tool. NPV is defined as "The difference between the present value of cash inflows and the present value of cash outflows. NPV is used in capital budgeting to analyze the profitability of an investment or project." It takes into consideration the time value of money and uses an interest rate to gauge risk.

Here's what NPV looks like:

Investment          1,000
Cost of Capital     10%
Projected Savings   200 200 200 200 200 200 200 200 200 200 200 200 (12 periods)
NPV                 $329.76

If the NPV is negative, the project will destroy value.
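Here, as an added example that is not part of the original post, is the ROI and NPV arithmetic above in Python. It assumes the savings arrive at the end of each period, and it shows that $329.76 is what you get when the initial outlay is discounted by one period along with the savings (the convention spreadsheet NPV functions follow), while treating the outlay as undiscounted at time zero gives $362.74.

```python
"""ROI, NPV and payback for the post's numbers (added example, not the author's).

Assumptions (mine, not the post's): savings are received at the end of each
period, and the cost of capital is a per-period discount rate.
"""


def roi(cost, gain):
    """ROI = (gain - cost) / cost. Scale-blind: both options in the post score 1.0."""
    return (gain - cost) / cost


def npv(rate, cash_flows, outlay_at_t0=True):
    """Net present value of a list of cash flows (negative for outflows).

    outlay_at_t0=True  : textbook convention, cash_flows[0] is undiscounted (t = 0).
    outlay_at_t0=False : spreadsheet NPV() convention, every flow including the
                         first is discounted by one period; this reproduces $329.76.
    """
    offset = 0 if outlay_at_t0 else 1
    return sum(cf / (1 + rate) ** (t + offset) for t, cf in enumerate(cash_flows))


def payback_period(investment, savings_per_period):
    """Undiscounted payback: periods until cumulative savings cover the outlay."""
    cumulative, periods = 0.0, 0
    for saving in savings_per_period:
        periods += 1
        cumulative += saving
        if cumulative >= investment:
            return periods
    return None  # never pays back within the horizon


# The post's worked figures: $1,000 investment, 10% cost of capital, 12 x $200 savings.
INVESTMENT = 1_000
RATE = 0.10
SAVINGS = [200] * 12
CASH_FLOWS = [-INVESTMENT] + SAVINGS

if __name__ == "__main__":
    print(f"ROI option 1: {roi(1_000_000, 2_000_000):.0%}")    # 100%
    print(f"ROI option 2: {roi(10_000_000, 20_000_000):.0%}")  # 100%, same despite 10x scale
    print(f"NPV (outlay at t=0):     {npv(RATE, CASH_FLOWS):.2f}")
    print(f"NPV (spreadsheet style): {npv(RATE, CASH_FLOWS, outlay_at_t0=False):.2f}")
    print(f"Payback: {payback_period(INVESTMENT, SAVINGS)} periods")
```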

Now, I've yet to discuss what is in the projected savings, etc. I just want to point out the one thing I know about projections: they are wrong. It could be good wrong or bad wrong, but wrong. Cost savings don't materialize, there are unintended benefits, the investment is higher than expected, the learning curve is steeper (why is it so hard to come up with positive situations?). This is the primary shortcoming of NPV. It is fine for projections, but falls short as an operating system. In my next post, I propose using a tool that I hope will prove more useful in ongoing operations.
