Financial Analysis for Infosec Professionals

Tuesday, August 23, 2011

Nick Owen


This is the second in a series of blog posts. My goal is to provide information security professionals a basis for discussing risks with business professionals - especially finance people - and to dispel some myths. 

The first post discussed how reducing risk creates value. The goal of this post is to lay some groundwork for proper financial analysis techniques - or at least minimize the dumber ones. 

I'm sure we all have terms that immediately send emails into the trash. One of mine is 'ROI'. ROI is a crappy measure for just about anything.

ROI is defined as (Gain from Investment - Cost of Investment) / Cost of Investment. So if your gain from an investment of $1 is $2, your ROI is (2 - 1) / 1, or 100%. Sounds great, but what does it really tell us?

Suppose we are choosing between two options. The first is an investment of $1,000,000 with an estimated gain of $2,000,000; the second is an investment of $10,000,000 with an estimated gain of $20,000,000.

The ROI on both is the same, 100%, even though the second option creates nine times as much absolute value as the first. A ratio throws away scale. ROI also ignores the time value of money: a dollar of savings received in year five is worth less than a dollar received today, and ROI treats them identically. You could call it a 'first blush' tool, but I prefer payback periods for that.

Net Present Value is widely considered a much better analysis tool. NPV is defined as "the difference between the present value of cash inflows and the present value of cash outflows. NPV is used in capital budgeting to analyze the profitability of an investment or project." It accounts for the time value of money by discounting each future cash flow back to today, using a discount rate (the cost of capital) that reflects the riskiness of those cash flows.

Here's what NPV looks like for a simple security project, laid out the way you would in a spreadsheet:

Investment:         1,000
Cost of capital:    10%
Projected savings:  200 per year, for 12 years
NPV:                $329.76

One caveat on that last figure. $329.76 is what you get when the -1,000 outlay is placed in the same range as the savings and discounted along with them, which is how a spreadsheet NPV() function treats every value in its range. If the 1,000 is paid today and the 200 arrives at the end of each of the next 12 years, the NPV is $362.74 (the present value of the savings, $1,362.74, less the outlay). The sign and the ranking of projects rarely change, but the spreadsheet convention understates every project by one period of discounting, so check which one your model uses.

If the NPV is negative, the project will destroy value.
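The calculations behind both examples above (the two options with identical ROI, and the 1,000 / 10% / 200-a-year worksheet) as an added Python example, not code from the original post. It implements ROI, NPV with the outlay paid today, a spreadsheet-style NPV that discounts the first value too, and an undiscounted payback period. One assumption not in the post: for the two $1M / $10M options, the estimated gain is taken to arrive as a single payment one year out, so that NPV has a timing to work with.

```python
from typing import Optional, Sequence


def roi(gain: float, cost: float) -> float:
    """Return on investment as a fraction: (gain - cost) / cost."""
    return (gain - cost) / cost


def npv(rate: float, outlay: float, cash_flows: Sequence[float]) -> float:
    """Net present value with the outlay paid today (t = 0) and each
    cash flow received at the end of periods 1..n."""
    pv_inflows = sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows, start=1))
    return -outlay + pv_inflows


def npv_spreadsheet_style(rate: float, values: Sequence[float]) -> float:
    """Mimics a spreadsheet NPV() function, which discounts every value in
    the range by one period, including the first. Putting the outlay in the
    range therefore discounts it too, which understates the true NPV."""
    return sum(v / (1 + rate) ** t for t, v in enumerate(values, start=1))


def payback_period(outlay: float, cash_flows: Sequence[float]) -> Optional[float]:
    """Undiscounted payback in periods, interpolated inside the period in
    which cumulative inflows first cover the outlay. None if never paid back."""
    if outlay <= 0:
        return 0.0
    cumulative = 0.0
    for t, cf in enumerate(cash_flows, start=1):
        if cumulative + cf >= outlay:
            return (t - 1) + (outlay - cumulative) / cf
        cumulative += cf
    return None


# Constructed inputs taken from the post: two options with identical ROI,
# and the 1,000 / 10% / 200-a-year-for-12-years NPV worksheet.
OPTIONS = {"small": (1_000_000, 2_000_000), "large": (10_000_000, 20_000_000)}
RATE = 0.10
OUTLAY = 1000.0
SAVINGS = [200.0] * 12


def compare_options(rate: float = RATE) -> dict:
    """ROI is 100% for both options; NPV separates them. Assumption (not in
    the post): the estimated gain arrives as a single payment one year out."""
    return {
        name: {"roi": roi(gain, cost), "npv": round(npv(rate, cost, [gain]), 2)}
        for name, (cost, gain) in OPTIONS.items()
    }


def worksheet(rate: float = RATE) -> dict:
    """Reproduce the post's $329.76 and show which timing convention it reflects."""
    return {
        # outlay paid today, savings at the end of years 1..12  -> 362.74
        "npv_outlay_today": round(npv(rate, OUTLAY, SAVINGS), 2),
        # outlay placed in the range and discounted one period -> 329.76
        "npv_outlay_in_range": round(npv_spreadsheet_style(rate, [-OUTLAY] + SAVINGS), 2),
        # 1,000 / 200 per year -> 5.0 years
        "payback_years": payback_period(OUTLAY, SAVINGS),
    }


if __name__ == "__main__":
    for name, figures in compare_options().items():
        print(f"{name:>5}: ROI {figures['roi']:.0%}, NPV ${figures['npv']:,.2f}")
    for key, value in worksheet().items():
        print(f"{key}: {value}")
```

Running it prints 100% ROI for both options but NPVs of about $818K and $8.18M, and reproduces $329.76 only when the outlay is discounted along with the savings; with the outlay at t = 0 the same worksheet gives $362.74. The payback function stops at the first period in which cumulative savings cover the outlay, so a project whose savings never reach the outlay returns None rather than a misleading number.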

Now, I've yet to discuss what is in the projected savings etc. I just want to point out the one thing that I know about projections is that they are wrong. Could be good wrong or it could be bad wrong, but wrong.

Cost savings don't materialize, there are unintended benefits, the investment runs higher than expected, the learning curve is steeper (why is it so hard to come up with positive surprises?).

This is the primary shortcoming of NPV. It is fine for evaluating projections up front, but it falls short as a tool for running the project once the money is spent, because the inputs it was built on have already changed. In my next post, I propose a tool that I hope will prove more useful in ongoing operations.

Cross-posted from Wikid Systems
