Posted by:
admin
13 years, 4 months ago
This is the second in (hopefully) a series of blog posts. My goal is to give information security professionals a basis for discussing risk with business professionals - especially finance people - and to dispel some myths. The first post discussed how reducing risk creates value. The goal of this post is to lay some groundwork for proper financial analysis techniques - or at least to minimize the dumber ones.
I'm sure we all have terms that immediately send emails into the trash. One of mine is 'ROI'. ROI is a crappy measure for just about anything. ROI is defined as (Gain from Investment - Cost of Investment) / Cost of Investment. So if your gain from an investment of $1 is $2, your ROI is (2-1)/1, or 100%. Sounds great, but what does it really tell us?
What if we are choosing between two options? The first is an investment of $1,000,000 with an estimated gain of $2,000,000, and the second is an investment of $10,000,000 with an estimated gain of $20,000,000. The ROI on both of these is the same, which makes absolutely no sense at all. ROI also fails to include any consideration of the time value of money. You could say that it is a good 'first blush' tool, but I prefer payback periods for that.
Net Present Value is widely considered to be a much better analysis tool. NPV is defined as "The difference between the present value of cash inflows and the present value of cash outflows. NPV is used in capital budgeting to analyze the profitability of an investment or project." It takes into consideration the time value of money and uses an interest rate to gauge risk.
Here's what NPV looks like for a $1,000 investment that is projected to save $200 a year for 12 years, discounted at a 10% cost of capital:

| Item | Value |
|---|---|
| Investment | 1,000 |
| Cost of Capital | 10% |
| Projected Savings | 200 per year, for 12 years |
| NPV | $329.76 |
If the NPV is negative, the project will destroy value.
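The calculations above, worked in code. This is an added example and not code from the original post; the function names and the sample figures are mine (the figures are the post's own $1/$2, $1M/$2M, $10M/$20M and $1,000 / $200 × 12 years at 10% cases). One caveat worth seeing in code: a spreadsheet NPV() function discounts every value it is given, including the first one, so if the investment is placed first in the cash-flow list it gets discounted by one period. Under that convention the post's example comes out at $329.76; under the textbook convention, with the investment undiscounted at time zero, the same inputs give about $362.74. Both are implemented so the difference is visible.

```python
from typing import Optional, Sequence


def roi(gain: float, cost: float) -> float:
    """ROI as the post defines it: (gain - cost) / cost."""
    return (gain - cost) / cost


def payback_period_years(investment: float, annual_savings: Sequence[float]) -> Optional[float]:
    """Years until cumulative (undiscounted) savings recover the investment.

    Returns None if the savings never cover the investment. Within the year
    in which the investment is recovered, the fraction of that year needed to
    close the remaining gap is interpolated.
    """
    cumulative = 0.0
    for year, saving in enumerate(annual_savings, start=1):
        before = cumulative
        cumulative += saving
        if cumulative >= investment:
            return (year - 1) + (investment - before) / saving
    return None


def npv(rate: float, investment: float, annual_savings: Sequence[float]) -> float:
    """Textbook NPV: the investment is paid at time zero (not discounted),
    each year's savings arrive at the end of years 1..n and are discounted
    by (1 + rate) ** year."""
    pv_inflows = sum(s / (1 + rate) ** t for t, s in enumerate(annual_savings, start=1))
    return pv_inflows - investment


def npv_spreadsheet_style(rate: float, cash_flows: Sequence[float]) -> float:
    """Mimics a spreadsheet NPV() function (assumption: the post's $329.76 was
    produced this way). Every value in the list is discounted, the first one
    by a full period, so an investment placed first is divided by (1 + rate)."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows, start=1))


def post_example() -> dict:
    """The post's numbers: $1,000 invested, $200/year for 12 years, 10% rate."""
    investment, rate, savings = 1_000.0, 0.10, [200.0] * 12
    return {
        "roi_small": roi(2_000_000, 1_000_000),          # the $1M / $2M option
        "roi_large": roi(20_000_000, 10_000_000),        # the $10M / $20M option
        "payback_years": payback_period_years(investment, savings),
        "npv_textbook": npv(rate, investment, savings),
        "npv_spreadsheet": npv_spreadsheet_style(rate, [-investment] + savings),
        # same savings but only 5 years: value-destroying, NPV < 0
        "npv_short_lived": npv(rate, investment, savings[:5]),
    }


if __name__ == "__main__":
    for name, value in post_example().items():
        print(f"{name:16s} {value:,.2f}")
```

The ROI lines reproduce the post's complaint: both options score 100% and the function cannot tell them apart. The two NPV lines agree on the sign but differ by a factor of 1.1 in the investment term, which is exactly the spreadsheet convention a reader should check for when a colleague hands over an NPV figure. The last line shows the case the post warns about: the same annual savings over a shorter horizon gives a negative NPV.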
Now, I've yet to discuss what goes into the projected savings and so on. I just want to point out the one thing that I know about projections: they are wrong. It could be good wrong or it could be bad wrong, but wrong. Cost savings don't materialize, there are unintended benefits, the investment is higher than expected, the learning curve is steeper (why is it hard to come up with positive situations?). This is the primary shortcoming of NPV. It is fine for projections, but falls short as an operating system. In my next post, I propose using a tool that I hope will prove more useful in ongoing operations.