Forwarded from: Nick Owen <nowenat_private>

</lurk>

> "Return on investment appears to have fallen out of favor as a
> measure of the effectiveness of information security spending," Mark
> Doll, Americas director of Ernst & Young's Security Services
> division, said in a prepared statement. "It looks like we need to
> find a credible alternative to conventional ROI approaches in order
> to secure funds for the information security function."

I've been chewing on some ideas in this regard. Any feedback is much appreciated.

ROI is an incomplete measure at best. It provides an initial glimpse of the potential impact a project might have. It is better to use a measure that includes the actual cost of capital, such as Net Present Value or economic profit (EVA is the trademarked term).

To give an example: two projects - a $1,000,000 investment with a $100,000/year return, or a $100,000 investment with a $10,000/year return. ROI says do both. However, if the first project is riskier, it should be capitalized at a higher rate of return. Both NPV and economic profit calculations will show this.

To me, most security projects are focused on reducing the cost of capital, like insurance (and could be replaced by insurance). Break security projects down into two categories: enterprise-wide and project-focused.

If you're protecting the enterprise or an enterprise asset such as a customer database, you're helping to decrease or maintain the enterprise's cost of capital. A significant breach will have a negative impact on the value of the firm (see: "The Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers", http://www.utdallas.edu/~huseyin/eventstudy.PDF, or just think of CD Universe). The new California law SB 1386 will create more awareness of this effect.

If you're part of a bricks & mortar firm starting a web commerce site targeting Internet riches, that project should have a much higher cost of capital than the rest of the firm. Security measures will help reduce the cost of capital for the project. If you reduce the cost of capital, the inherent value of the cash flows increases.

That being said (and this will sound strange coming from a vendor), one way to assure project success is to invest smaller amounts upfront. This is typically true in IT and is probably true in security. Over-investing upfront is problematic. Economic profit analysis shows this clearly - think of it like a credit card bill where you can never pay down the balance: the interest charges just keep racking up.

Best to focus on projects that also reduce costs and can be measured - then perhaps target some more fuzzy-return projects.

Nick Owen

--
Nick Owen
CEO
WiKID Systems, Inc.
404-879-5227
nowenat_private
http://www.wikidsystems.com
The End of Passwords

--
- ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
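A worked version of the two-project comparison from the post above, added here as an illustration (not part of Nick's mail). It treats each project's annual return as a level perpetuity and uses constructed discount rates: 8% firm-wide, 12% for the riskier million-dollar project. ROI rates both projects identically; NPV and economic profit do not once the cost of capital differs.

```python
# Added illustration of the post's ROI vs NPV / economic-profit argument.
# Assumptions (constructed for this example, not from the mail): the annual
# return is a level perpetuity, and the cost of capital is 8% firm-wide but
# 12% for the riskier project.

def roi(annual_return: float, investment: float) -> float:
    """Simple annual return on investment; ignores risk and cost of capital."""
    return annual_return / investment


def npv_perpetuity(annual_return: float, investment: float, rate: float) -> float:
    """NPV of a level perpetuity discounted at the project's cost of capital."""
    if rate <= 0:
        raise ValueError("cost of capital must be positive")
    return annual_return / rate - investment


def economic_profit(annual_return: float, investment: float, rate: float) -> float:
    """Annual economic profit (EVA-style): return minus the capital charge."""
    return annual_return - rate * investment


def compare(projects: dict, rates: dict) -> dict:
    """Map project name -> (ROI, NPV, annual economic profit) under given rates."""
    out = {}
    for name, (ret, inv) in projects.items():
        r = rates[name]
        out[name] = (roi(ret, inv), npv_perpetuity(ret, inv, r), economic_profit(ret, inv, r))
    return out


# The two projects from the post: (annual return, investment).
PROJECTS = {
    "big_risky": (100_000, 1_000_000),
    "small_safe": (10_000, 100_000),
}
# Constructed rates: a flat firm-wide rate, then a risk premium on the big project.
RATES_FLAT = {"big_risky": 0.08, "small_safe": 0.08}
RATES_RISK_ADJ = {"big_risky": 0.12, "small_safe": 0.08}

if __name__ == "__main__":
    for label, rates in (("flat 8%", RATES_FLAT), ("risk-adjusted", RATES_RISK_ADJ)):
        print(label)
        for name, (r, n, e) in compare(PROJECTS, rates).items():
            print(f"  {name}: ROI={r:.1%}  NPV={n:,.0f}  econ profit/yr={e:,.0f}")
```

Under the flat rate both projects have positive NPV; once the big project carries a 12% cost of capital its NPV and economic profit turn negative while ROI still reads 10% for both.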
This archive was generated by hypermail 2b30 : Fri Jul 18 2003 - 04:05:27 PDT