Posted by:
admin
13 years, 4 months ago
This is the third in a series of blog posts (that I hope to be able to finish, because otherwise these first ones will seem stupid). My goal is to provide information security professionals a basis for discussing risks with business professionals - especially finance people - and to dispel some myths. In the first post, I discussed how businesses create value arguing that reducing risk increases value. In the second, I bitched about how I hated the term 'ROI', it's over-use in marketing and it's short-comings. While NPV is better, it too has some shortcomings, including the fact that it isn't a very good tool for ongoing evaluation. NPV basically states "According to these assumptions, this project should create value". However, it does not track the outcome nor can it easily be used as a basis for incentives.
The tool I prefer is Economic Profit (sometimes referred to as Economic Value Added, but that terms is trademarked). Economic Profit is defined as "The difference between the revenue received from the sale of an output and the opportunity cost of the inputs used", where the primary input used means capital. If you invest $200,000 in a business you are going to want a higher return than you could get in a safer investments, such as a municipal bond. (Avoiding references to the 'riskless rate on US Government T-bills' at the moment until we see how risky they are.) Economic profit is the profit or loss after net income and a charge for the use of the capital. For example:
Investment | 200 | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
Cost of Capital | 10% | |||||||||||
Revenue | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 |
Expenses | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 |
Taxes | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 |
NOPAT | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 |
Capital Charge | 20 | 20 | 20 | 20 | 20 | 20 | 20 | 20 | 20 | 20 | 20 | 20 |
Economic Profit | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
Doesn't that math look a lot simpler than NPV's? The beauty is that it is just like an income statement or balance sheet: it can change over time. For example, what if you can reduce your costs:
Investment | 200 | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
Cost of Capital | 10% | |||||||||||
Revenue | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 |
Expenses | 70 | 70 | 70 | 70 | 70 | 70 | 65 | 65 | 65 | 65 | 65 | 65 |
Taxes | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 |
NOPAT | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 |
Capital Charge | 20 | 20 | 20 | 20 | 20 | 20 | 20 | 20 | 20 | 20 | 20 | 20 |
Economic Profit | 1 | 1 | 1 | 1 | 1 | 1 | 6 | 6 | 6 | 6 | 6 | 6 |
Or, as in the case of Information Security and Risk Management, what if you can reduce the risk of the cash flows?
Investment | 200 | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
Cost of Capital | 9% | |||||||||||
Revenue | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 |
Expenses | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 |
Taxes | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 |
NOPAT | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 |
Capital Charge | 18 | 18 | 18 | 18 | 18 | 18 | 18 | 18 | 18 | 18 | 18 | 18 |
Economic Profit | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 |
What proponents of Economic Profit will tell you is that it encompasses all the ways a firm creates value: increasing the return on existing capital, investing where the return is greater than the cost of capital and divesting where the return is less than the cost of capital. Information security pros know that risks change over time. Attacks get cheaper, data becomes more valuable. regulations tighten, etc. Economic profit allows you to change those assumptions over time.
By the way, you can still take the NPV of a stream of economic profit.
I have used Economic Profit at a previous company. We needed a good bonus system that would be easy to understand, provide for growth, but recognized that the companies revenue fluctuated. We ended up keeping our base salaries very low and paying a bonus of 1/3 of the 3 month rolling-average economic profit of the firm every month. We plowed back into the company 2/3 of the economic profit and the capital charge. If we hired someone and they didn't start paying for themselves in 3 months, we all felt it in our own pockets. We also always made money.
Note that books have been written about how to correctly calculate Economic Profit (in particular I recommend, Bennett Stewart's The Quest for Value). It can get very complex depending our your organization's complexity. However, I have used it in a very simple way too and it provided great value.
Share on Twitter Share on FacebookRecent Posts
- Blast-RADIUS attack
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
Archive
2024
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)