April 13, 2004

Cost Calculations

The fundamental insight of NPV is double-edged: The later the cost saving from avoiding cybercrimes, the less it's worth. At the same time, the sooner the investment in cybersecurity, the more it costs.

To come up with the NPV of an investment, we have to estimate the useful life of the purchase -- say, a firewall we intend to use for three years. We calculate all the costs, including the initial capital outlay and maintenance and administration over the three years. We also calculate the cost savings derived from the investment. We break these costs and benefits down for each year and then discount them by some percentage for each year further out. What would "some percentage" actually be? Most companies consider it their cost of capital -- what it would cost them to use the funds provided by their creditors and stockholders, or, more technically, what would be the minimum rate of return required on a project so that the company's value won't be reduced.

This isn't as simple as it sounds. It's not just the prevailing interest rate. Instead, the cost of capital is really an "opportunity cost" notion -- that is, what you forgo by not accepting the next best alternative.

Some projects that look reasonable in terms of ROI don't fare as well when measured by NPV. If you believe money has time value, then an investment may look less rosy under an NPV model than a simple one-year computation of ROI. Of course, the reverse may be true, especially for projects providing multiple years of benefit.

The moral of the story is that NPV, which is consistent with the notion of maximizing a company's value, compares "apples with apples" over the life of the information-security investment. In contrast, ROI is based on an accrual system of accounting and focuses on the short term. One way around this dilemma is to think in terms of the economic rate of return, but then you must keep in mind that maximizing a company's IRR isn't consistent with maximizing the value of a company.

The message is that CIOs and information-security managers need to get trained in basic economic concepts if they want to level the playing field during budget requests for security investments.

So far, we've examined what might be called the economics of information-security investments, which also implicitly considers risk assessment through the discounting process associated with the present-value concept. But economics offers other tools that can help in deciding the advisability of investments. For example, economics has wrestled with the problem of "externalities." A classic example is the pollution emanating from a factory smoke stack. "The factory that's causing the pollution doesn't bear any of the costs of the pollution that are incurred downwind," says L. Jean Camp, associate professor of public policy at the Kennedy School of Government at Harvard University. The cost of the environmental damage is external to the factory's economic calculations.

In a paper co-authored in 2000 with Catherine Wolfram, assistant professor at the University of California at Berkeley's Haas School of Business, Camp argued that security provides an excellent example of the externality principle. If one company does a poor job with its cybersecurity, there's usually an impact on other companies. The recent MyDoom worm illustrates how one company's lax security negatively impacts others.

Another area where economics has direct relevance for information security is information sharing, a mantra of the Department of Homeland Security and others concerned with cybersecurity. Without appropriate economic incentives, the free-rider problem -- where companies benefit from, but don't contribute to, the collective effort -- usually keeps organizations from reaping the value of information sharing in an information-security setting, a 2003 study by the University of Maryland notes.

The message is clear: Information-security managers need to view security through the lens of economics, as well as technical security, if they want to succeed. The sooner CIOs and security managers realize this fact, the better off we'll all be in terms of cybersecurity.

Lawrence Gordon is Ernst & Young alumni professor of managerial accounting and information assurance at the Robert H. Smith School of Business, University of Maryland. Robert Richardson is editorial director at the Computer Security Institute.