Posted by:
admin
15 years, 9 months ago
I had some requests for clarification on my previous post about AALE (average annual expected loss) and NPV. Hopefully this will clear up the issues.
First, you might want to bone up on what Net Present Value means. Basically, NPV takes a series of cash flows and equates them to a value today based on an interest rate.
In the first scenario:
Investment: $100,000
Interest Rate: 8%
Period: 36 months
Savings: $10,000
NPV: $15,899.93
Imagine someone is offering you a string of 36 monthly payments of $10,000 for $100,000 and your interest rate is 8%; then the value to you of those 36 payments is $15,899.93. The positive NPV means that you should do the deal because the return will be higher than 8%. The 8% is based on the creditworthiness of the cash flow payments: if they are from GM or Delta, the rate is higher than if they are from GE or the US government.
In this hypothetical, the cash flows are projected savings from, say, switching from a dial-up and private line system to a VPN - but it is just the cost savings. It does not yet include any additional security investment beyond the encryption provided by the VPN.
How do you take into account the potential risk now that you have opened up your network in a new way? (Perhaps a better example would be adding an ecommerce system or a partner extranet that generates cost savings but exposes systems or information to the internet that were never there before, e.g., what would happen if 10,000 credit cards were stolen from your ecommerce service?) First, you could adjust the interest rate to reflect the new risky nature of the project. Or, if you have some idea of what losses could occur, you would include the average annual expected loss in the NPV by subtracting it from the savings.
Investment: $100,000
Interest Rate: 8%
Period: 36 months
Savings: $10,000 - $5,154.80 = $4,845.20
NPV: ($40,025.83)
What if you now invested an extra $9,500 upfront and $200 a month for a WiKID Strong Authentication System that eliminated 95% of the risk that you would be compromised (your mileage may vary, but if you only allow remote access and root access with a one-time password system, it is going to be next to impossible to break in remotely and any damage would be very limited)?
Investment: $109,500
Interest Rate: 8%
Period: 36 months
Savings: $10,000 - $250 - $256.74 = $9,542.26
NPV: $2,137.50
You're back in the positive NPV area and you should do the deal. A couple of notes:
1. This example works because WiKID has a pay-as-you-go option. If you buy all hardware tokens up front, the NPV is worse because you pay it all up front!
2. The relative difference in NPV doesn't really matter; it only needs to be positive or negative.
3. While we have assumed steady savings and costs, NPV doesn't require that.
I hope that clarifies. I would be glad to email or post the spreadsheet I used to calculate these numbers (though it's not pretty ;). Just email or comment.
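The three scenarios above, recomputed in Python as an added example (this is not the author's spreadsheet). It assumes, as an inference from the post's figures rather than anything the post states, that every cash flow including the upfront investment is discounted at 8% per period; the function and parameter names are illustrative.

```python
# Added example: recomputes the post's three NPV scenarios.
# Assumption (inferred from the post's figures, not stated in it): every cash
# flow, including the upfront investment, is discounted at 8% per period,
# with the investment in period 1 and the 36 savings in periods 2..37.

RATE = 0.08                 # interest rate from the post, applied per period
PERIODS = 36                # number of savings periods from the post
GROSS_SAVINGS = 10_000.00   # savings per period before any loss or control cost
EXPECTED_LOSS = 5_154.80    # expected loss per period used in the second scenario


def npv(rate, cash_flows):
    """Discount cash_flows[0] by one period, cash_flows[1] by two, and so on."""
    return sum(cf / (1 + rate) ** (i + 1) for i, cf in enumerate(cash_flows))


def scenario(investment, expected_loss=0.0, control_upfront=0.0,
             control_per_period=0.0, risk_reduction=0.0):
    """Return (net savings per period, NPV) for one project variant."""
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")
    # Only the share of the expected loss the control does not remove remains.
    residual_loss = expected_loss * (1.0 - risk_reduction)
    net_savings = GROSS_SAVINGS - control_per_period - residual_loss
    flows = [-(investment + control_upfront)] + [net_savings] * PERIODS
    return round(net_savings, 2), round(npv(RATE, flows), 2)


def all_scenarios():
    return {
        "savings only": scenario(100_000),
        "savings minus expected loss": scenario(100_000, EXPECTED_LOSS),
        # $9,500 upfront, $200 per period, 95% of the risk removed (from the post)
        "with strong authentication": scenario(
            100_000, EXPECTED_LOSS, control_upfront=9_500,
            control_per_period=200, risk_reduction=0.95),
    }


if __name__ == "__main__":
    for name, (savings, value) in all_scenarios().items():
        print(f"{name:30s} savings/period={savings:>10,.2f}  NPV={value:>12,.2f}")
```

Changing `EXPECTED_LOSS`, the control costs or `risk_reduction` shows how sensitive the sign of the NPV is to the loss estimate, which is the decision the post turns on.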