The Economics of Information Security

Learning the Lingo

"I go to security conferences where we all sit around puzzling about what kind of metrics to use for measuring the results of security programs," says Adam Stone, an analyst who specializes in security management for the financial services industry. "The metrics we have right now--the ones we use for assessing vulnerability and measuring the effectiveness of our investments--are all based on subjective judgments. They're fundamentally flawed. But there are financial, statistical, economics and securities professionals who deal with these kinds of uncertainties all the time, with methods that allow them to predict and measure business effectiveness in a rational way. We can learn from them."

The situation reflects the relative immaturity of the infosec industry, Stone adds. "People in information security are often technicians--gearheads," he says. "Very few of us have come up through the ranks of accounting or financial management, so we don't think in those terms."

Of course, it's not entirely true that security professionals never think in the same terms as financial officers. The information security manager at a Fortune 100 corporation, for instance, has implemented a program to measure rates of return on the company's IPS (intrusion-prevention system), including a checklist of costs incurred to address problems flagged by the system.

Oracle took a similar approach when it wanted to replace a data center IPS. "We did an analysis of how many alerts we got, how many people it took to run those alerts down and how many of those [alerts] were false positives," says Mary Ann Davidson, chief security officer at Oracle. "For the IDS we had in place, we got something like 80,000 alerts a week, and the false-positive rate was 60 percent to 70 percent. We looked at that versus the system we were piloting, where we found we had far fewer alerts and the ones we got were higher quality. So we said, how many people would we have to hire to make sense of the system we had? It turned out to cost a lot less to replace the system right away."

"Economics--not technology--determines what security technologies get used," says Bruce Schneier, security expert and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World (Copernicus Books, 2003). "These days, I feel like I do more economics than computer security."

But when it comes to recognizing the benefits of mixing firewalls with financial forecasts, the economists have taken the lead. In the past few years, there's been a growing stream of work by financial economists who apply capital budgeting and investment theory to business information security investments. It's a tantalizing subject for academics because of the paradox at the core: The more successful your security investments, the less visible and less measurable your results.ROI (or bang for the buck) can't be applied perfectly to information security because often the return on information security purchases and deployments is intangible. Sure, companies invest in some solutions that offer benefits beyond security--faster network throughput in a new router that supports VPNs, for example--and they can calculate the ROI of these indirect benefits. But security requires factoring in the expectation of loss. Statistically, some losses are expensive but unlikely to occur in any given year, for instance, so the expectation of loss over a period of years has to include years in which there is no loss.

Furthermore, the accounting-based notion of ROI doesn't take into account that great chestnut of economic theory, the "time value" of money. Money that one has in hand and can invest now is worth more than money to be received later, due to the loss resulting from the chance to invest that money during the waiting period. In terms of savings expected by not suffering cybercrime losses, the longer the wait before saving that money, the less that money is worth. Indeed, to make good decisions about those future savings now, those savings must be discounted based on the time it takes to realize them.

It's a two-way street, too. Costs incurred when implementing a security measure have a lower present value if they can be held off until a future time. That's because that money can be invested in other ways now.Which brings us to NPV. To consider an investment's real worth over time, the discounted totals of all the expected savings are subtracted from the costs associated with the investment over time (also discounted). What's left is the NPV. The fundamental insight of NPV is that the later the costs savings from not suffering cybercrimes, the less the cost savings add up to. At the same time, the sooner the investment in cybersecurity, the more it costs.

Real-World Numbers

There's nothing hypothetical about the applicability of these metrics to security budgeting. In fact, a growing number of IT professionals are starting to use NPV to quantify the benefits of their security expenditures, according to a forthcoming study of information security managers by Gordon and Loeb. About one-third of the respondents say NPV and other economic metrics are becoming important factors in weighing the costs and benefits of security investments. Anecdotally, too, we see many CFOs starting to require such analyses from infosec managers just as they do from other department heads.

Finding the NPV of a particular security investment--a firewall, for example--starts with estimating the useful life of the purchase. Then calculate all related costs and benefits, including the initial capital outlay. Finally, discount future costs and benefits according to the time frame in which they occur.

Say a company needs additional security and figures the cost savings (benefits) to be derived from the extra security will be the same for different security options--different firewall configurations, for instance. In this case, it makes sense to choose the configuration that costs the least. However, in comparing costs of the various options, it's the present value of the costs that should be the key concern. Consider two options, each with a total cost of $400,000, in absolute terms over two years. Option A would cost $300,000 at the end of the first year (due to a large capital outlay the first year) and $100,000 at the end of the second year. Option B, on the other hand, would cost $200,000 at the end of each of the two years. Obviously, Option A is more costly when accounting for the time value of money, so Option B is preferable. Now, assuming a 10 percent discount rate, Option A would cost $355,372 and Option B would cost $347,107. And if the present value of the benefits happened to be $350,000, Option B is the only option that would be justified on economic grounds, because it would have a positive NPV of $2,893, whereas Option A would have a $5,372 negative NPV.This clearly demonstrates the benefit of considering the time value of money when evaluating information security alternatives--simply comparing the absolute dollars of benefits with costs won't suffice. In fact, it's possible for an investment to look worse under an NPV model than under a simple accounting-based ROI computation. Of course, the reverse may also be true, especially for projects that provide more than one year of benefits.

In short, NPV compares apples with apples over the entire life of an investment, whereas ROI and similar concepts are based on an accrual system of accounting and are short-term in focus. There are other ways around potential ROI limitations. One way is to think in terms of IRR, which is a time-adjusted rate of return. However, maximizing a company's IRR isn't consistent with maximizing its value. In contrast, maximizing NPV is consistent with maximizing the company's overall worth.

While these points may seem confusing, the message is clear: Information security managers must understand basic economic concepts to level the playing field during the budgeting process.So far, all we've considered is what might be called the economics of investments in information security. But economics as a discipline has a lot more tools in its kit beyond the ability to make decisions about investment advisability. Economics has also delved into what happens when the incentives in a market are misaligned. The manufacturer of an MP3 player has no direct incentive to prevent users from using its products to play music that infringes on a record producer's copyrights, for instance, but if the record producer loses revenue as a result, that has a real effect on the market. To the MP3 manufacturer, it's an "externality," or a "spillover effect."

The pollution emanating from a factory smokestack is a classic example of an externality. "The factory causing the pollution doesn't bear any of the costs of the pollution that are incurred downwind," says L. Jean Camp, an associate professor of public policy at the Kennedy School of Government at Harvard University and co-author of "Pricing Security", the first paper to argue that security is an externality. Similarly, if a company does a poor job at cybersecurity, other companies may be affected negatively. The recent MyDoom worm is a good example of how lax security by some can have a negative impact on others. If machines infected with a worm that, like MyDoom, doesn't harm the machine but carries out some other task without the owner's knowledge, Camp says, the owner doesn't have any direct incentive to spend money to defeat the worm. "It doesn't matter to you if your machines are being used for phishing and spamming all night--there's no marginal cost." The cost, in other words, is an externality to the owner of the infected machine.

One solution, Camp suggests, is to structure internal charges to promote timely patching. Vulnerability auditing might result in per-department lists of faults coupled with policies that force departments to fix each vulnerability or pay IT to do so. "It makes the direct costs such that, even ignoring the large external costs, the department wants to do the right thing," she says. "Economics is always about properly aligning incentives."Another area in which economics has direct relevance to information security is information sharing, which has become a mantra of the Department of Homeland Security and other organizations, including the federally sponsored Information Sharing Analysis Centers, or ISACs--groups of companies in industry sectors that pool information to improve the security of their respective infrastructures. Although sharing information about cyberthreats is a laudable goal, economists have shown it to be extremely difficult to put into practice. Indeed, without the appropriate economic incentives, the free-rider problem--the tendency for participants to want to get all the information they can from other participants without sharing any of their own deep, dark secrets--typically prevents organizations from obtaining the potential value of information sharing in an information security setting. Dozens of groups are drawn together by the idea that members will share their mishaps and vulnerabilities confidentially with the group--think of the local chapters of the Information Systems Audit and Control Association (ISACA), the FBI's InfraGard and, of course, the ISACs. But without purposefully changing the incentives a member has to share sensitive information with these groups, each participant typically waits for others to do the sharing, rather than risk exposing information about his or her organization's weaknesses. For more information about infosec information sharing, see Gordon, Loeb and Lucyshyn's "Sharing Information on Computer Systems Security: An Economic Analysis" in the Journal of Accounting and Public Policy (Vol. 22, No. 6, 2003).

Indeed, information security is a troublesome market: Important information is routinely hidden from those who need it most, its most important characteristics are devilishly difficult to measure, and the vendors that provide security mechanisms often don't pay the costs when those mechanisms fail. Economists have spent decades developing tools to make sense of just this sort of off-kilter market system, so it's high time for information security managers to borrow their tools and expertise to measure and improve their company's cybersecurity. What are you waiting for?

LAWRENCE A. GORDON is Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance at the Robert H. Smith School of Business, University of Maryland. Write to him at [email protected].

ROBERT RICHARDSON is editorial director at the Computer Security Institute (CSI). Write to him at [email protected].No security breach is good, but the impact of some incidents is considerably worse--and tougher to measure--than that of others. To determine the indirect costs of cybercrime, Lawrence A. Gordon (co-author of the main article) and I led a team of researchers at the University of Maryland's Smith School of Business in examining the impact of information security breaches on corporations' stock market valuations.

Our findings: The direct costs typically associated with preventing or recovering from cybercrime--investments in intrusion-detection systems, lost productivity, overtime for IT staff to fix compromised systems--have all become an unfortunate but accepted part of doing business, and they rarely affect a company's revenue over time or its stock prices. The real financial damage done by cybercrime stems from breaches of confidence. Such breaches can drive down revenue over time, and stock market investors take that possibility into account by lowering their estimation of the worth of the company's stock. It's an indirect cost, and one companies pay only when customers feel their trust has been violated.Indeed, most cybercrimes don't have a significant effect on the stock market value of companies that suffer breaches, the study showed. Shareholders seem to understand that an incident with only a transitory effect--a virus briefly downing a bank's ATMs, for instance--won't send customers scurrying. But a leak of confidential information--an attacker spewing a bank's customer data across the Internet--could destroy customer confidence and create potential for lost revenue, causing the company's market value to plummet. In fact, companies that suffer a confidentiality violation lose more than 5 percent of their market value, on average, according to our research.

Bottom line: Companies that don't make confidential-data protection a priority risk shareholders' wrath. And that could be a high price to pay.

Dr. Martin P. Loeb is a professor at the University of Maryland's Smith School of Business. He has co-authored several articles on information security economics, and he is part of the team preparing the 2004 CSI/FBI cybercrime study. ~ By Martin P. Loeb