why-roi-is-a-crappy-measure-for-information

Posted by:

admin 15 years, 3 months ago

At a number of recent events and discussion forums the topic of ‘selling’ security investments to top management has been addressed. The question posed is that if there is no positive return from a security investment, how do security professionals propose a security solution to a CFO or CEO? What is the return on a strong authentication, a firewall or IDS system that neither saves money (except perhaps in employee time, an argument that may fall on deaf ears) nor generates revenue? Importantly to me, how can you justify the investment in strong authentication? The answer lies in what really creates value for an enterprise.

To state it simply, companies create value in three ways increasing revenues, decreasing costs and decreasing their weighted-average cost of capital. In tight economic times, projects are promoted using cost savings (as no one buys arguments for increasing revenues). IT people often seek to measure cost savings as a return on investment . Unfortunately, ROI is a lousy measurement tool for many things, including security.

ROI is essentially a ratio measuring a payback period, which can lead to distortions. Say you have two projects. The first has an investment of $1,000,000 and saves you $100,000 per month. The second has an investment of $100,000 and saves $10,000 a month. Both have a payback period of 10 months (100,000/10,000) and both have an ROI of 100% (100,000/10,000). Which project do you do? Assuming that you can afford to both project (and you should be able to borrow $1,000,000 from a bank if it saves you $100,000 per month!), which do you do? Based on this information, you would do both.

One possible better solution would add a third analysis criterion: weighted average cost of capital. To illustrate this we will use a very simple tool: the cap rate. In real estate, the capitalization rate is used to quickly assess a projects viability. If an office building is 100% leased to the US government for 10 years for $1,000,000 per year net of all the expenses, you would value it at $1,000,000 divided by a suitable cap rate, say prime plus 3% or currently 7% or $14.2 million. If it’s leased to a small private company, you would use something higher, say 10% or $10,000,000. In each case, you know the return you are seeking and will invest where the return is greater than the WACC.

To apply this idea to a security investment, let’s look at it this way: You are looking to roll out an SSL-based VPN that will reduce your ongoing remote access costs by $200,000 per year for 2,000 users. You’re concerned however that one of the main drivers for the project is that users want to login from un-trusted web kiosks. You think doing using SSL instead of a client-based solution is more risky than going with IPSec, but how can you analyze it? If your company’s WACC is 10%, then the value of $200,000 should be $2,000,000. But this project is far riskier than you’re company’s main line of business, so the project should capped at a much higher rate. If you use 20%, then the value is $1,000,000.

What if you have already implemented an SSL-based VPN and you now realize that you have actually saved only 50% of what you estimated because of the risks you have taken? How can you justify spending more money on security when it won’t save any additional money? The answer is that reducing costs is not the only way to create value! It’s never too late to reduce the cost of capital of your project. For example, with an SSL-based VPN, if your main concern is key-loggers installed on kiosks, try investing in strong authentication. The upfront cost of a WiKID Authentication Server is $9,500 and the ongoing costs would be $40,000 per year. If this reduces the risk to 12%, then the project is worth $1,323,833 – a 32% increase in value for your company.

What cap rate should you use when evaluating a project? First, start with your firm’s WACC. Then, try to come up with a departmental average. If your department is riskier than the rest of the company, it should be higher. Then try to estimate the project’s risk. If you’re rolling out a bleeding-edge technology, boost it higher. If it’s a common technology and you’re a late adapter, the risks are lower. If it’s a technology in high demand, but weak in security, such as WiFi access, increase it.

Using a cap rate to evaluate a security project is much better than ROI, but it is still a quick and dirty exercise. It takes into account the cost of capital, but it isn’t really flow-based and it isn’t very good for ongoing analysis. There are other tools such as economic profit that might be better for ongoing management. Stay tuned for more.

• Tags:
• Security and Economics,
• Two Factor Authentication

Share on Twitter Share on Facebook

• ← Can the WiKID Server and/or Token be embedded?
• determining-an-appropriate-cost-of-capital-for-an →