Tuesday, November 01, 2005

New Economics of InfoSec

This is an April 2004 article I came across that is actually a worthwhile read, both for customers and suppliers trying to justify security spend. Relatively little attention has been paid to the economics of information security. Generally, we hear about the exorbitant losses in the more spectacular cases, or about totals gleaned from the annual Computer Security Institute/FBI Computer Crime Survey.

Information-security managers trying to defend budget requests sometimes talk about return on investment, but with only mixed results. After all, how do you determine the exact ROI of a firewall? You usually don't see information-security managers applying capital-budgeting techniques, such as the net present value (NPV) or internal rate of return (IRR), to information-security infrastructure investments. Yet, CFOs use those techniques regularly, and department managers usually compete for funds based on them. Since information-security managers go up against other department managers for a share of the budget, it's to their advantage to catch up with their peers who specialize in capital budgeting.

Financial economists have been applying capital-budgeting (or investment) theory to information security for the past couple of years. It's an area made tantalizing by the paradox at its heart: The more successful the security investments, the less visible and less measurable are the results. In many ways, information-security investments are among the most intriguing subsets of cost-saving (or cost-avoidance) capital projects.
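To make the capital-budgeting view concrete, here is an added example (my own code, not from the article or this post) that treats a security control as a cost-avoidance project: an upfront outlay, a yearly operating cost, and a yearly benefit equal to the reduction in annualized loss expectancy (ALE). All figures (the $50,000 control, the $60,000 and $20,000 ALE estimates, the 10% hurdle rate) are constructed for illustration. It computes NPV, finds IRR by bisection, and also gives the simpler undiscounted ROSI ratio that security teams more often quote, so the two can be compared on the same inputs.

```python
"""Capital-budgeting view of a security control: NPV, IRR and ROSI.

Added example, not taken from the article or the blog post. All dollar
figures and rates below are constructed for illustration.
"""
from typing import List, Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value. cash_flows[0] occurs now (undiscounted),
    cash_flows[t] at the end of year t."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-10, max_iter: int = 200) -> float:
    """Internal rate of return: the discount rate at which NPV is zero,
    found by bisection. Assumes the usual single sign change (an outlay
    now followed by net inflows); otherwise IRR is not well defined."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on the bracket; no IRR found")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if hi - lo < tol:
            return mid
        # Keep the half of the bracket where the sign change lives.
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def control_cash_flows(capex: float, annual_opex: float, ale_before: float,
                       ale_after: float, years: int) -> List[float]:
    """Cash flows of a security control modelled as cost avoidance:
    the purchase cost leaves now; each year the avoided expected loss
    (ALE reduction) comes in and the operating cost goes out."""
    annual_net = (ale_before - ale_after) - annual_opex
    return [-capex] + [annual_net] * years


def rosi(capex: float, annual_opex: float, ale_before: float,
         ale_after: float, years: int) -> float:
    """Undiscounted return on security investment over the horizon:
    (avoided loss - total cost) / total cost. Ignores the time value
    of money, which is exactly what NPV/IRR add."""
    total_cost = capex + annual_opex * years
    avoided = (ale_before - ale_after) * years
    return (avoided - total_cost) / total_cost


def evaluate_control(capex: float, annual_opex: float, ale_before: float,
                     ale_after: float, years: int, hurdle_rate: float) -> dict:
    """Bundle the three views of the same investment, plus the accept/reject
    decision a CFO would make: accept when NPV at the hurdle rate is positive
    (equivalently, when IRR exceeds the hurdle rate)."""
    flows = control_cash_flows(capex, annual_opex, ale_before, ale_after, years)
    value = npv(hurdle_rate, flows)
    return {
        "cash_flows": flows,
        "npv": value,
        "irr": irr(flows),
        "rosi": rosi(capex, annual_opex, ale_before, ale_after, years),
        "accept": value > 0,
    }


if __name__ == "__main__":
    # Constructed scenario: $50k control, $10k/yr to run, cuts ALE from $60k
    # to $20k, evaluated over 5 years against a 10% cost of capital.
    result = evaluate_control(capex=50_000, annual_opex=10_000,
                              ale_before=60_000, ale_after=20_000,
                              years=5, hurdle_rate=0.10)
    print(f"cash flows: {result['cash_flows']}")
    print(f"NPV @10%:   ${result['npv']:,.0f}")
    print(f"IRR:        {result['irr']:.1%}")
    print(f"ROSI:       {result['rosi']:.0%}")
    print(f"accept:     {result['accept']}")
```

The point the article makes shows up in the numbers: ROSI of 100% sounds impressive but says nothing about when the benefit arrives, whereas NPV and IRR discount the avoided losses the same way every other department's project is discounted, so the security request can be ranked against them directly. The weak spot is the ALE estimates, which drive the whole result; sensitivity-testing `ale_before` and `ale_after` is where most of the argument in front of a CFO actually happens.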

This article discusses the dynamics of ROI, NPV cost calculations, indirect costs of cybercrime, etc. Highly recommended.

CATEGORIES: 1ROSI, 1ROI, 1financial, 1article, 1cfo, 1metrics
