There's an interesting article on Security Pipeline about the economics of information security. The article discusses why ROI is a poor measure, echoing my first post. But it misses out on a key point: that investing in security reduces your weighted average cost of capital and that you must include the cost of capital in your investment analysis.

Here are some tidbits:

  • "Furthermore, the accounting-based notion of ROI doesn't take into account that great chestnut of economic theory, the "time value" of money."

  • True enough.

  • "Which brings us to NPV. To consider an investment's real worth over time, the discounted totals of all the expected savings are subtracted from the costs associated with the investment over time (also discounted). What's left is the NPV. The fundamental insight of NPV is that the later the cost savings from not suffering cybercrimes, the less the cost savings add up to. At the same time, the sooner the investment in cybersecurity, the more it costs."

  • Again, true.

  • "Say a company needs additional security and figures the cost savings (benefits) to be derived from the extra security will be the same for different security options--different firewall configurations, for instance. In this case, it makes sense to choose the configuration that costs the least. However, in comparing costs of the various options, it's the present value of the costs that should be the key concern. Consider two options, each with a total cost of $400,000, in absolute terms over two years. Option A would cost $300,000 at the end of the first year (due to a large capital outlay the first year) and $100,000 at the end of the second year. Option B, on the other hand, would cost $200,000 at the end of each of the two years. Obviously, Option A is more costly when accounting for the time value of money, so Option B is preferable. Now, assuming a 10 percent discount rate, Option A would cost $355,372 and Option B would cost $347,107. And if the present value of the benefits happened to be $350,000, Option B is the only option that would be justified on economic grounds, because it would have a positive NPV of $2,893, whereas Option A would have a $5,372 negative NPV."

  • A pretty good description of the time value of money, but why choose 10%? If the discount rate is the same for each option, then Option B is the best one. But if Option B were unproven, or your staff unfamiliar with managing that configuration, you should assign it more risk. If you assign Option B a discount rate just 2.5% higher - 25% more risky - then Option A is the best deal.

    I have posted some thoughts on determining an appropriate cost of capital for information security projects. I think confusion over measuring NPV and the like is holding back deployment of security technologies like strong authentication. CSOs don't realize that using strong authentication will reduce the discount rate used to measure the NPV of your remote access.
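A worked version of the article's two-option comparison, added here as an example and not code from the post or from the Security Pipeline article: `present_value` and `npv` reproduce the quoted $355,372 and $347,107 present values and the two NPVs at the article's 10% rate, and `compare` accepts a separate discount rate per option so that a risk premium of the kind suggested above can be applied to one option only. The function names and the `compare` helper are my own.

```python
"""NPV comparison of the two firewall-configuration options quoted in the post.

Cash flows are end-of-year amounts. At discount rate r, an amount C due at the
end of year t is worth C / (1 + r) ** t today.
"""


def present_value(rate: float, cash_flows: list[float]) -> float:
    """Discount end-of-year cash flows; index 0 is the end of year 1."""
    return sum(cf / (1.0 + rate) ** (t + 1) for t, cf in enumerate(cash_flows))


def npv(rate: float, benefits_pv: float, cost_flows: list[float]) -> float:
    """NPV = PV(benefits) - PV(costs); the article quotes PV(benefits) directly."""
    return benefits_pv - present_value(rate, cost_flows)


# Figures from the quoted article (dollars at the end of years 1 and 2).
OPTION_A = [300_000.0, 100_000.0]  # large capital outlay in year 1
OPTION_B = [200_000.0, 200_000.0]  # spread evenly over both years
BENEFITS_PV = 350_000.0            # present value of the identical benefits
ARTICLE_RATE = 0.10                # the article's 10 percent discount rate


def compare(options: dict[str, list[float]], rates: dict[str, float],
            benefits_pv: float) -> dict[str, dict[str, float]]:
    """Rank options by NPV, allowing a different (risk-adjusted) rate per option.

    Returns {name: {"rate": r, "pv_cost": ..., "npv": ...}} ordered from the
    highest NPV to the lowest, with dollar values rounded to whole dollars.
    """
    rows = {}
    for name, flows in options.items():
        rate = rates[name]
        pv_cost = present_value(rate, flows)
        rows[name] = {"rate": rate,
                      "pv_cost": round(pv_cost),
                      "npv": round(benefits_pv - pv_cost)}
    return dict(sorted(rows.items(), key=lambda kv: kv[1]["npv"], reverse=True))


if __name__ == "__main__":
    # Same rate for both options, as in the article.
    rates = {"A": ARTICLE_RATE, "B": ARTICLE_RATE}
    table = compare({"A": OPTION_A, "B": OPTION_B}, rates, BENEFITS_PV)
    for name, row in table.items():
        print(f"Option {name} at {row['rate']:.1%}: "
              f"PV of costs ${row['pv_cost']:,}, NPV ${row['npv']:,}")
```

Passing `{"A": 0.10, "B": 0.125}` as `rates` applies the post's 2.5-point premium to Option B alone; because the premium is then applied to both the benefit and the cost side of that option's NPV, the table shows how the ranking responds to a per-option rate rather than a single company-wide one.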

