
The Economics of Information Security: Page 3 of 6

Which brings us to NPV. To consider an investment's real worth over time, the discounted costs associated with the investment are subtracted from the discounted totals of all the expected savings. What's left is the NPV. The fundamental insight of NPV is that the later the cost savings from not suffering cybercrimes arrive, the less those savings are worth today. At the same time, the sooner the investment in cybersecurity, the more it costs.


Real-World Numbers

There's nothing hypothetical about the applicability of these metrics to security budgeting. In fact, a growing number of IT professionals are starting to use NPV to quantify the benefits of their security expenditures, according to a forthcoming study of information security managers by Gordon and Loeb. About one-third of the respondents say NPV and other economic metrics are becoming important factors in weighing the costs and benefits of security investments. Anecdotally, too, we see many CFOs starting to require such analyses from infosec managers just as they do from other department heads.

Finding the NPV of a particular security investment--a firewall, for example--starts with estimating the useful life of the purchase. Then calculate all related costs and benefits, including the initial capital outlay. Finally, discount future costs and benefits according to the time frame in which they occur.

Say a company needs additional security and figures the cost savings (benefits) to be derived from the extra security will be the same for different security options--different firewall configurations, for instance. In this case, it makes sense to choose the configuration that costs the least. However, in comparing costs of the various options, it's the present value of the costs that should be the key concern. Consider two options, each with a total cost of $400,000, in absolute terms over two years. Option A would cost $300,000 at the end of the first year (due to a large capital outlay the first year) and $100,000 at the end of the second year. Option B, on the other hand, would cost $200,000 at the end of each of the two years. Obviously, Option A is more costly when accounting for the time value of money, so Option B is preferable. Now, assuming a 10 percent discount rate, Option A would cost $355,372 and Option B would cost $347,107. And if the present value of the benefits happened to be $350,000, Option B is the only option that would be justified on economic grounds, because it would have a positive NPV of $2,893, whereas Option A would have a $5,372 negative NPV.
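The Option A and Option B comparison above can be reproduced in a few lines of Python. This is an added example, not part of the original article; the function names are illustrative, costs are assumed to fall at the end of each year, and the $350,000 present value of benefits is taken as given, as in the text.

```python
from decimal import Decimal, ROUND_HALF_UP

# Figures from the article: end-of-year costs for each option, in dollars.
OPTIONS = {"A": [300_000, 100_000], "B": [200_000, 200_000]}
BENEFIT_PV = 350_000  # present value of benefits, as stated in the article


def present_value(cash_flows, rate):
    """Discount end-of-year cash flows (year 1 first) back to today."""
    rate = Decimal(str(rate))
    return sum(
        (Decimal(amount) / (1 + rate) ** year
         for year, amount in enumerate(cash_flows, start=1)),
        Decimal(0),
    )


def dollars(value):
    """Round a Decimal to whole dollars, halves away from zero."""
    return int(value.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def rank_options(options, benefit_pv, rate):
    """Return (name, PV of costs, NPV) per option, best NPV first."""
    rows = []
    for name, costs in options.items():
        pv_cost = present_value(costs, rate)
        rows.append((name, dollars(pv_cost), dollars(Decimal(benefit_pv) - pv_cost)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def cost_gap(rate):
    """PV(cost of A) minus PV(cost of B): the penalty for paying earlier."""
    return dollars(present_value(OPTIONS["A"], rate) - present_value(OPTIONS["B"], rate))


if __name__ == "__main__":
    for name, pv_cost, npv in rank_options(OPTIONS, BENEFIT_PV, 0.10):
        verdict = "justified" if npv > 0 else "not justified"
        print(f"Option {name}: PV of costs ${pv_cost:,}, NPV ${npv:,} ({verdict})")
    # At a 0% rate the options tie; the gap widens as the discount rate rises.
    for rate in (0, 0.05, 0.10, 0.15):
        print(f"rate {rate:.0%}: Option A costs ${cost_gap(rate):,} more than B")
```

At a zero discount rate the two options tie at $400,000; any positive rate makes front-loaded Option A the more expensive one.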