Posted by:
admin
13 years, 3 months ago
A key underlying premise in finance is the cost of capital. Information security professionals need to understand that investors can put their money into other stocks and bankers can loan their money to other borrowers. The reason they loan money to your company is to make a good return for the risks they are taking. The less the risk, the cheaper the money.
You can think about this by looking at the spectrum of investments. On the least risky side (traditionally), you have bonds backed by the full faith and credit of the United States government. The current (8/30/11) T-note yields about 2.25%. On the other end of the risk spectrum, you have payday loans, which yield 212% for one month.
A more useful measure for our purposes is the return a venture capitalist is seeking, which is 50% per year. Say you borrow $1,000,000 from a VC (yes, it is borrowing; they want it back). In year one, you would 'owe' $1.5 million; in year two, $2.25 million; in year three, $3.375 million. (However, the 50% is across their portfolio, which will include some zeros, so if you want to raise VC money, you will need to show a 10x return on their investment.) Now you know why so many start-ups are funded by the owner's credit cards. At 25%, credit cards are much cheaper than VC money and are actually a lot more flexible.
We often talk about weighted-average cost of capital because firms might raise equity, debt, preferred or other forms of capital. If half of your capital is from bonds paying 10% and half from equity with a 20% return, then your average cost of capital is 15%.
Sounds easy, right? Not so much. Finding out the cost of equity is a real bitch. That's because there is no stated cost; it is just set by investors' expectations. So what investors do is compare one company to the market or to a set of other comparable companies. You can get very detailed about this using a company's beta, but that's a historical marker and equity investors really care about the future.
Equity analysts will often calculate a firm's WaCC. Here's how Morningstar does it:
Cost of equity essentially measures the riskiness of a company's business, and it's a little tougher to figure. Modern portfolio theory says that a given stock's cost of equity is determined by its price volatility (along with the risk-free interest rate and an equity premium), but that doesn't always work well in practice. Instead, we come up with a minimum cost of equity for each company based on a variety of risk factors: how cyclical its business is, how big it is, how much cash flow it generates, the strength of its balance sheet, and its economic moat. The analyst can adjust this figure upward, if necessary, to account for other risks not captured by these factors.
If you're big enough to be covered by Morningstar, then chances are you can ask your CFO what your firm's WaCC is - or ask him what the minimum rate of return should be for your company.
When I set up the economic-profit-based bonus system at my first company (as mentioned in the last post), I used 15% as our cost of capital. We were too risky for a bank loan but less risky than an early-stage VC start-up. If I had asked the partners to go into credit card debt to fund an expansion, most probably would have (since we didn't need it). (We also had a natural check in place: we were shareholders and got the bonuses. If the capital charge was too high, our bonuses were lower.) While cost of capital is a critical factor in determining value creation, it is in many ways equal parts prediction and goal, if used properly.
Managers (should) care about creating value. So, all we really want to be sure about is that a project's return is greater than the firm's WaCC. How close does it need to be? Given the vagaries of most projections, I don't think it needs to be too accurate. If you're measuring the performance of all of your projects to assure they are creating value, you will have a very good idea of which ones are problematic. Much like a VC has some losers, so will any company. The key is to have enough winners to make up for them.
This is where information security can play a role. A breach could turn a winner into a big loser. That could be enough to spoil the portfolio. It might also be enough to increase the firm's cost of capital. More on that later.