Security and Economics


Why ROI is a crappy measure for Information Security

At a number of recent events and discussion forums the topic of 'selling' security investments to top management has been addressed. The question posed is: if there is no positive return from a security investment, how do security professionals propose a security solution to a CFO or CEO? What is the return on strong authentication, a firewall or an IDS that neither saves money (except perhaps in employee time, an argument that may fall on deaf ears) nor generates revenue? Most importantly to me, how can you justify the investment in strong authentication? The answer lies in what really creates value for an enterprise.

To state it simply, companies create value in three ways: increasing revenues, decreasing costs and decreasing their weighted-average cost of capital (WACC). In tight economic times, projects are promoted using cost savings (as no one buys arguments for increasing revenues). IT people often seek to measure cost savings as a return on investment (ROI). Unfortunately, ROI is a lousy measurement tool for many things, including security.

ROI is essentially a ratio measuring a payback period, which can lead to distortions. Say you have two projects. The first has an investment of $1,000,000 and saves you $100,000 per month. The second has an investment of $100,000 and saves $10,000 a month. Both have a payback period of 10 months (100,000/10,000) and both have an ROI of 100% (100,000/10,000). Which project do you do? Assuming that you can afford both projects (and you should be able to borrow $1,000,000 from a bank if it saves you $100,000 per month!), which do you do? Based on this information, you would do both.

One possible better solution would add a third analysis criterion: the weighted average cost of capital. To illustrate this we will use a very simple tool: the cap rate. In real estate, the capitalization rate is used to quickly assess a project's viability. If an office building is 100% leased to the US government for 10 years for $1,000,000 per year net of all expenses, you would value it at $1,000,000 divided by a suitable cap rate, say prime plus 3%, currently 7%, or $14.2 million. If it's leased to a small private company, you would use something higher, say 10%, or $10,000,000. In each case, you know the return you are seeking and will invest where the return is greater than the WACC.

To apply this idea to a security investment, let's look at it this way: you are looking to roll out an SSL-based VPN that will reduce your ongoing remote access costs by $200,000 per year for 2,000 users. You're concerned, however, that one of the main drivers for the project is that users want to log in from untrusted web kiosks. You think using SSL instead of a client-based solution is riskier than going with IPsec, but how can you analyze it? If your company's WACC is 10%, then the value of $200,000 per year should be $2,000,000. But this project is far riskier than your company's main line of business, so the project should be capped at a much higher rate. If you use 20%, then the value is $1,000,000.

What if you have already implemented an SSL-based VPN and you now realize that you have actually saved only 50% of what you estimated because of the risks you have taken? How can you justify spending more money on security when it won’t save any additional money? The answer is that reducing costs is not the only way to create value! It’s never too late to reduce the cost of capital of your project. For example, with an SSL-based VPN, if your main concern is key-loggers installed on kiosks, try investing in strong authentication. The upfront cost of a WiKID Authentication Server is $9,500 and the ongoing costs would be $40,000 per year. If this reduces the risk to 12%, then the project is worth $1,323,833 – a 32% increase in value for your company.

What cap rate should you use when evaluating a project? First, start with your firm's WACC. Then, try to come up with a departmental average. If your department is riskier than the rest of the company, it should be higher. Then try to estimate the project's risk. If you're rolling out a bleeding-edge technology, boost it higher. If it's a common technology and you're a late adopter, the risks are lower. If it's a technology in high demand but weak in security, such as WiFi access, increase it.

Using a cap rate to evaluate a security project is much better than ROI, but it is still a quick and dirty exercise. It takes into account the cost of capital, but it isn’t really flow-based and it isn’t very good for ongoing analysis. There are other tools such as economic profit that might be better for ongoing management. Stay tuned for more.


Re: Why ROI is a crappy measure for Information Security

Posted by Richard Veryard at Jan 20, 2005 06:47 AM
I agree that ROI is a crappy measure, but I don't agree with your argument.

If you invest a million dollars, and get positive cashflow of $100,000, then you have a payback period of ten months. However, you probably want to evaluate the ROI over a longer period - say three years. This gives you an undiscounted investment return of $3.6m. This represents a profit of $2.6m - therefore 260% ROI.

But this doesn't reflect the risk associated with future cashflow. The standard accounting procedure is to introduce a discount factor, reflecting both the risk of a particular project and the cost of capital. This will reduce the calculated ROI to a possibly more realistic level.

When calculated using discounted cash flow (DCF), ROI does reflect risk to some extent. However, it is still not very useful for evaluating incremental technology and technology evolution, and some other measure (possibly based on WACC) would be very attractive.

Re: Why ROI is a crappy measure for Information Security

Posted by Nick Owen at Jan 21, 2005 12:29 PM
Richard - Thanks for the comment! You're correct about putting a time to the calculation. My simple example assumes that the $100k goes on forever. The real point is that without a cost of capital, the measurement is really meaningless, at best a starting point. Discounting the return on investment is exactly what I'm talking about. Great, you can save a bunch of money by using an SSL-based VPN, but the added risk of having users log in from a kiosk with a keystroke logger on it eliminates the value of the savings.

"Thinking WiKID Thoughts"

Posted by Emergent Chaos at Mar 22, 2007 07:17 AM
Nick Owen has a new corporate blog up. His very first post is "Why ROI is a crappy measure for Information Security." I look forward to more....

Determining an appropriate cost of capital for an information security project

In my first post, I discussed the shortcomings of ROI as an analysis tool for information security projects: it doesn't include a cost of capital. Using a cap rate will increase the accuracy of your analysis, but how do you come up with a good cap rate?

First, start with your firm's WACC. Ask your CEO or CFO. If you can get a bank loan of some kind, your cost of debt is whatever rate the bank gives you. Your cost of equity would be somewhere above that. Then look at the project. Will it create new avenues of attack and increase risks? Will a successful attack result in significant consequences? Will it increase the likelihood of injury? If so, what would be the cost? These are subjective questions. I find that when faced with subjective questions, it's helpful to weight the answers and average the results.

Below is a short table that compares an existing, well protected LAN to the same network with a WiFi network added. You weigh the importance for each element. For example, while the loss of confidential information is high, perhaps it is unlikely that you would have to announce that publicly, perhaps because you are not subject to the California Database Protection Act, GLB or HIPAA.



You can create your own table of factors. For example, you might include a category on how a successful attack might impact your personal situation at the firm. In this example, we're positing that the wireless LAN is twice as risky as a wired LAN. If your firm's WACC is 10%, this project should be 20.7%. If the expected savings are $1,000, the investment better be less than $4828.
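The arithmetic the two posts above describe, carried through as an added example (not the blog's own code): a weighted factor table that yields a project cap rate, and the perpetuity valuation behind the SSL VPN figures in the first post. The factor table, its weights and its scores are constructed, since the original table did not survive on this page, and every name in the block is the example's own.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskFactor:
    """One row of the comparison table: how much the element matters (weight) and
    how risky the existing design and the proposed design score on it."""
    name: str
    weight: float     # importance of this element, any positive scale
    baseline: float   # relative risk score for the network you have today
    proposed: float   # relative risk score after the change (here: WiFi added)


# Constructed table (assumption): a well-protected wired LAN versus the same LAN
# with a WiFi network added. Weights and scores are illustrative, chosen so the
# weighted result lands on the roughly 2x the post posits for wireless.
WIFI_TABLE = [
    RiskFactor("new avenues of attack",            weight=3, baseline=1, proposed=3),
    RiskFactor("loss of confidential information", weight=3, baseline=1, proposed=2),
    RiskFactor("mandatory public disclosure",      weight=1, baseline=1, proposed=1),
    RiskFactor("staff unfamiliar with technology", weight=2, baseline=1, proposed=1.35),
    RiskFactor("likelihood of injury or outage",   weight=1, baseline=1, proposed=2),
]


def risk_multiplier(factors: list[RiskFactor]) -> float:
    """Weighted-average risk of the proposed design relative to the baseline.
    1.0 means 'as risky as today'; 2.0 means twice as risky."""
    total = sum(f.weight for f in factors)
    base = sum(f.weight * f.baseline for f in factors) / total
    prop = sum(f.weight * f.proposed for f in factors) / total
    return prop / base


def project_cap_rate(firm_wacc: float, multiplier: float) -> float:
    """Cap rate for the project: the firm's WACC scaled by the project's relative risk."""
    return firm_wacc * multiplier


def capitalised_value(annual_savings: float, cap_rate: float,
                      upfront_cost: float = 0.0, annual_cost: float = 0.0) -> float:
    """Value of a perpetual saving stream: net annual saving / cap rate, less any
    one-off cost. This is the arithmetic behind the SSL VPN figures above."""
    return (annual_savings - annual_cost) / cap_rate - upfront_cost


def wifi_project_cap_rate(firm_wacc: float = 0.10) -> float:
    """Cap rate for the WiFi project from the constructed table and the firm's WACC."""
    return project_cap_rate(firm_wacc, risk_multiplier(WIFI_TABLE))


if __name__ == "__main__":
    rate = wifi_project_cap_rate(0.10)
    print(f"WiFi project cap rate: {rate:.1%}")          # 20.7% with the table above
    # SSL VPN from the first post: $200k/yr saving at the firm's 10% WACC,
    # at a 20% project rate, and at 12% after adding strong authentication
    # ($9,500 upfront, $40,000/yr ongoing).
    print(f"{capitalised_value(200_000, 0.10):,.0f}")
    print(f"{capitalised_value(200_000, 0.20):,.0f}")
    print(f"{capitalised_value(200_000, 0.12, 9_500, 40_000):,.0f}")
```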


Stock market values and information security investment

There has been some excellent research done on the impact of information security breaches on the market cap of affected firms (which directly impacts their cost of capital): Katherine Campbell, Lawrence A. Gordon, Martin P. Loeb and Lei Zhou, "The economic cost of publicly announced information security breaches: empirical evidence from the stock market", Accounting and Information Assurance, Robert H. Smith School of Business, University of Maryland, 2003 (http://brief.weburb.dk/archive/00000130/01/2003-costs-security-on-stockvalue-9972866.pdf).

This UMD study found that a firm suffering a breach of 'confidential information' saw a 5% drop in stock price while firms suffering a non-confidential breach saw no impact.

I read it as the market, over time, learning the difference between a DoS attack and the posting of customers' credit cards online. Which is interesting, because the market will be most forgiving of the attacks that are the most basic to prevent (web defacement, viruses and worms) or which are 'unpreventable' (DoS attacks; unpreventable isn't the 100% correct word, but you know what I mean), and it will punish you severely (a 5% market cap drop according to the UMD study) for succumbing to a more vicious, targeted attack that results in exposure of confidential information such as customer credit cards. So are you putting your money in the right places?

The market correctly places a higher value on companies that can increase cash flow by reducing costs or increasing revenues using information technology. But it will increase the cost of capital of those firms that do not manage the risks of being online, potentially erasing any gains.

To make it simple, you can just trot out this study and tell your CEO that not investing in information security may result in a 5% drop in share price. They probably won't read it ;).

In the UMD study, almost all of the "confidential breaches" were described as "Unauthorized Access to (subscriber data, credit card numbers, etc.)". It clearly points to the importance of identity management and authentication. The other factor to consider is that there are now automated tools to create phishing sites, and spyware is on 1/3 of all computers. How will you manage user authorization in a world where you have to give access to customers, vendors, partners, consultants, and employees? It is doable, and the firms that do it securely will be the winners.


Do Security Breaches Matter?

Posted by Emergent Chaos at Mar 22, 2007 07:17 AM
Nick Owen posts about the stock valuation impact of security breaches. This UMD study found that a firm suffering a breach of 'confidential information' saw a 5% drop in stock price while firms suffering a non-confidential breach saw no impact....

Do security breaches drop the share value?

Posted by Financial Cryptography at Mar 22, 2007 07:17 AM
According to those that think WiKID thoughts, yes. Quoting a paper by Campbell et al, there can be measured a 5% drop in stock price when confidentiality is breached. Adam demurs, thinking the market is unconcerned about the breaches of...

IT propaganda

Posted by CEO Blogger at Mar 22, 2007 07:17 AM
Via The Carnival of the Capitalists, I found a series of posts (Thinking WiKID Thoughts, Emergent Chaos, Financial Cryptography 1, Financial Cryptography 2) about a study on

CEOBlogger on "IT Propaganda"

Posted by Emergent Chaos at Mar 22, 2007 07:17 AM
There's a new blog, from a fellow claiming to be the CEO of a public company, experimenting with blogging. Welcome! In his second post, he responds to the WikID Thoughts, Emergent Chaos, Financial Crypto series on IT breaches, calling...

IT propaganda? I don't think so...

The anonymous CEO blogger has accused me of IT propaganda. Don't worry, my feelings aren't hurt ;). Of course, it is in my interest as the CEO of a security firm that more CEOs recognize the value that investing in security brings. However, I would point out a few things that, IMO, keep this post from being pure 'propaganda'.

First, the study was done by the University of Maryland School of Business, not the CS department. As such, I don't think it is biased.

Second, the poster says they "can't recall reading any company news releases about IT security breaches". Well, that is just plain ignorant. Please be advised of SB1386: you may have to announce a breach if you have one.

Third, the poster states "IT is not a profit center, it's a cost center". That is one way to look at it, a narrow way. You could also call the locks on the doors a cost, but a better way to look at it is as a risk management expense that reduces your cost of capital. If you're a bank and you're constantly getting robbed, your cost of capital will go up. You will have to pay the highest rates on your CDs to get any deposits. The same is true of IT security.

Finally, while the anonymous blogger can't remember any announcements of security breaches (I guess they missed my post about T-Mobile's hack), he does recall "companies writing off tens of millions of dollars after an "investment" in new enterprise software failed and was abandoned". In my experience, every company makes mistakes. However, the companies that have good security have good IT in general and are just well-run companies! Security is almost a by-product, just one of the many things 'done right'.

I have also seen many examples of companies that overspent on security technology and had security violations. These are just poorly run companies.

The CEO Blogger thinks that the stock market is reacting to bad news and it is. The bad news isn't that an incident occurred, the bad news is that it is a poorly run company. The study is pointing out that the stock market is distinguishing between an incident that couldn't be prevented and just sloppy security.


Choicepoint's stock drops 10% in one day

As we have discussed elsewhere in this blog, there is value in protecting your information assets. We've talked about the impact of information security breaches on stock price. Well, Choicepoint provides a good case in point. This was not a "hacker" attack as labeled in the popular press (further moving the definition of that word from its original meaning), but rather a traditional scam that took advantage of a lax credentialling process (yes, Irony with a capital I) that apparently is fax-based.

(Perhaps if this process were done electronically, Choicepoint's information security staff would have improved the controls. Their CISO won CISO of the Year in Atlanta last year.)

Choicepoint's stock dropped 10% yesterday. It is down to $39.30 from a 52-week high of $47.95 just earlier this month.

The market is reacting to a number of things. Choicepoint handled the affair poorly, notifying only California residents as required by law and not everyone. Georgia is now looking at a privacy law similar to SB1386. Regulation means increased costs. Choicepoint is trying to recover by offering to pay for credit monitoring services (probably provided by its former parent, Equifax) and it has stopped providing service to its 17,000 small business customers until they can be re-credentialled. That's more costs and less revenue. Finally, lawyers are starting to look at class actions: more uncertainty means more risk, which means a higher cost of capital.

It brings up a point made before here: good companies have good processes that protect their assets. They have good information security as a result of that, not the other way around. I think information security and IT professionals are often disappointed that the rest of management doesn't understand that.


What's the opposite of a 'moral hazard'?

According to a recent study by researchers from my alma mater, the University of Virginia, the use of cameras to fine motorists who run red lights actually increases the number of accidents at those intersections. There are fewer T-bone collisions, but more rear-end collisions.

However, a federal study dug deeper and found that the red light cameras saved money ($28,000 to $50,000 annually for each intersection) because the collisions were less expensive. I would rather get rear-ended any day of the week, so I concur.

Perhaps there is another option: don't tell the motorists that the cameras are there. They would know that the city has them, but not necessarily which intersection. Perhaps a city could buy a limited number of movable cameras. This would minimize the "immoral hazard" or whatever you would call the opposite of a moral hazard.

Full article at the Washington Post


Lexis Nexis Breach

As Adam has pointed out, the Lexis Nexis breach was due to "misappropriation by third parties of IDs and passwords from legitimate customers".

With Bruce Schneier blogging that ChoicePoint is saying "Please Regulate My Industry", will there be a requirement that certain industries dealing with 'personal non-public' information use strong authentication for their customers?

Visa, Mastercard et al. now require strong authentication for merchants and processors over a certain size (dropping in June). I think Adam's point is valid: strong authentication is not that expensive, and it's getting cheaper thanks to companies like us. Yet that industry hasn't taken advantage of existing technology to protect its information. Clearly they think that it is cheaper to take the risk than to invest in security.

Perhaps this is because they have insured against the risk. Perhaps instead of regulation the insurance industry should come up with a standard, like the credit card industry has, for companies that do business over the internet or that deal with confidential data, like Choicepoint, T-Mobile, Lexis Nexis, etc.


InfoSec Economics article on Security Pipeline

There's an interesting article on Security Pipeline about the economics of information security. The article discusses why ROI is a poor measure, echoing my first post. But it misses a key point: investing in security reduces your weighted average cost of capital, and you must include the cost of capital in your investment analysis.


Here are some tidbits:

  • "Furthermore, the accounting-based notion of ROI doesn't take into account that great chestnut of economic theory, the "time value" of money."

  True enough.

  • "Which brings us to NPV. To consider an investment's real worth over time, the discounted totals of all the expected savings are subtracted from the costs associated with the investment over time (also discounted). What's left is the NPV. The fundamental insight of NPV is that the later the costs savings from not suffering cybercrimes, the less the cost savings add up to. At the same time, the sooner the investment in cybersecurity, the more it costs."

  Again, true.

  • "Say a company needs additional security and figures the cost savings (benefits) to be derived from the extra security will be the same for different security options--different firewall configurations, for instance. In this case, it makes sense to choose the configuration that costs the least. However, in comparing costs of the various options, it's the present value of the costs that should be the key concern. Consider two options, each with a total cost of $400,000, in absolute terms over two years. Option A would cost $300,000 at the end of the first year (due to a large capital outlay the first year) and $100,000 at the end of the second year. Option B, on the other hand, would cost $200,000 at the end of each of the two years. Obviously, Option A is more costly when accounting for the time value of money, so Option B is preferable. Now, assuming a 10 percent discount rate, Option A would cost $355,372 and Option B would cost $347,107. And if the present value of the benefits happened to be $350,000, Option B is the only option that would be justified on economic grounds, because it would have a positive NPV of $2,893, whereas Option A would have a $5,372 negative NPV."

  A pretty good description of the time value of money, but why choose 10%? If the discount rate is the same for each option, then Option B is the best one. But what if Option B was unproven, or your staff was unfamiliar with managing that configuration? Then you should assign it more risk. If you assign Option B a discount rate just 2.5% higher (25% more risky), then Option A is the best deal.

I have posted some thoughts on determining an appropriate cost of capital for information security projects. I think confusion over measuring NPV and the like is holding back deployment of security technologies like strong authentication. CSOs don't realize that using strong authentication will reduce the discount rate used to measure the NPV of your remote access.
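The article's NPV comparison, carried through as an added example (not the Security Pipeline article's or this blog's code), with the 2.5-point premium on Option B that the post proposes. The article supplies the cash flows and rates; how the $350,000 of benefits is spread over the two years, and which of Option B's cash flows the premium attaches to, are assumptions stated in the code.

```python
from __future__ import annotations


def present_value(cash_flows: list[float], rate: float) -> float:
    """Discount end-of-year flows: flow_t / (1 + rate) ** t for t = 1, 2, ..."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows, start=1))


def annuity_factor(rate: float, years: int) -> float:
    """Present value of $1 received at the end of each of `years` years."""
    return sum(1 / (1 + rate) ** t for t in range(1, years + 1))


# The article's two options: end-of-year costs for years 1 and 2, and benefits
# whose present value at the firm's 10% rate is $350,000 for either option.
OPTION_A_COSTS = [300_000.0, 100_000.0]
OPTION_B_COSTS = [200_000.0, 200_000.0]
BENEFIT_PV_AT_FIRM_RATE = 350_000.0
FIRM_RATE = 0.10


def npv_at_single_rate(costs: list[float], rate: float = FIRM_RATE) -> float:
    """The article's calculation: benefits and costs both discounted at one rate."""
    return BENEFIT_PV_AT_FIRM_RATE - present_value(costs, rate)


def npv_with_risk_premium(costs: list[float], benefit_rate: float,
                          cost_rate: float = FIRM_RATE) -> float:
    """NPV when benefits and costs are discounted at separate rates.

    Assumption: the $350,000 of benefits arrive as a level end-of-year saving over
    the same two years (that is what makes them re-discountable at another rate);
    the costs are contractual outlays and keep whatever rate is passed in."""
    years = len(costs)
    annual_benefit = BENEFIT_PV_AT_FIRM_RATE / annuity_factor(FIRM_RATE, years)
    benefit_pv = annual_benefit * annuity_factor(benefit_rate, years)
    return benefit_pv - present_value(costs, cost_rate)


def compare_options(premium: float = 0.025) -> dict[str, float]:
    """Article figures at 10% for both options, then Option B with the extra risk."""
    risky = FIRM_RATE + premium
    return {
        "A_cost_pv": present_value(OPTION_A_COSTS, FIRM_RATE),   # 355,372
        "B_cost_pv": present_value(OPTION_B_COSTS, FIRM_RATE),   # 347,107
        "A_npv": npv_at_single_rate(OPTION_A_COSTS),             # -5,372
        "B_npv": npv_at_single_rate(OPTION_B_COSTS),             # 2,893
        # Premium on B's uncertain savings only: B's NPV drops below A's.
        "B_npv_risky_benefits": npv_with_risk_premium(OPTION_B_COSTS, risky),
        # Premium on B's costs as well: discounting the outlays harder makes them
        # look cheaper, so B comes out ahead again.
        "B_npv_risky_both": npv_with_risk_premium(OPTION_B_COSTS, risky, risky),
    }


if __name__ == "__main__":
    for name, value in compare_options().items():
        print(f"{name:22s} {value:>12,.0f}")
```

With the premium on Option B's savings alone, B's NPV falls below A's, which is the post's conclusion; applied to B's outlays as well, B looks cheaper again, so the analysis has to say which cash flows the extra risk attaches to.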
