
The Economics of Information Security: Page 4 of 6

This clearly demonstrates the benefit of considering the time value of money when evaluating information security alternatives--simply comparing the absolute dollars of benefits with costs won't suffice. In fact, it's possible for an investment to look worse under an NPV model than under a simple accounting-based ROI computation. Of course, the reverse may also be true, especially for projects that provide more than one year of benefits.

In short, NPV compares apples with apples over the entire life of an investment, whereas ROI and similar concepts are based on an accrual system of accounting and are short-term in focus. There are other ways around potential ROI limitations. One way is to think in terms of IRR, which is a time-adjusted rate of return. However, maximizing a company's IRR isn't consistent with maximizing its value. In contrast, maximizing NPV is consistent with maximizing the company's overall worth.
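To make the NPV/ROI/IRR distinction concrete, here is a worked comparison on constructed cash flows (added example, not from the article). It shows a patching programme that looks profitable under accounting ROI but has negative NPV at a 10% cost of capital, and two mutually exclusive alternatives where the higher-IRR choice has the lower NPV; the dollar figures and discount rate are assumptions for illustration.

```python
from typing import Sequence


def simple_roi(cash_flows: Sequence[float]) -> float:
    """Accounting-style ROI: (total inflows - outlay) / outlay, ignoring timing.
    cash_flows[0] is the up-front cost (negative); later entries are yearly benefits."""
    outlay = -cash_flows[0]
    return (sum(cash_flows[1:]) - outlay) / outlay


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value: each year's cash flow discounted back at `rate`."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0) -> float:
    """Internal rate of return: the discount rate at which NPV is zero, found by bisection.
    Assumes one outlay followed by benefits (a single sign change), so one root exists."""
    f_lo = npv(lo, cash_flows)
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < 1e-9:
            return mid
        if (f_lo < 0) == (f_mid < 0):   # root lies in the upper half
            lo, f_lo = mid, f_mid
        else:                            # root lies in the lower half
            hi = mid
    return (lo + hi) / 2


RATE = 0.10  # constructed cost of capital used for discounting

# Constructed project: $100,000 up front, $40,000 of avoided-loss benefit in each of 3 years.
# Simple ROI is +20%, yet NPV at 10% is slightly negative.
PATCH_PROGRAM = [-100_000, 40_000, 40_000, 40_000]

# Constructed mutually exclusive alternatives: the small fix has the higher IRR (50%),
# the large programme has the higher NPV at 10%, so ranking by IRR would pick the wrong one.
SMALL_FIX = [-10_000, 15_000]
LARGE_PROGRAM = [-100_000, 60_000, 60_000]


def compare(cash_flows: Sequence[float], rate: float = RATE) -> dict:
    """All three measures for one set of cash flows."""
    return {"roi": simple_roi(cash_flows), "npv": npv(rate, cash_flows), "irr": irr(cash_flows)}


if __name__ == "__main__":
    for name, flows in [("patch program", PATCH_PROGRAM), ("small fix", SMALL_FIX),
                        ("large program", LARGE_PROGRAM)]:
        print(name, {k: round(v, 4) for k, v in compare(flows).items()})
```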

While these points may seem confusing, the message is clear: Information security managers must understand basic economic concepts to level the playing field during the budgeting process.

So far, all we've considered is what might be called the economics of investments in information security. But economics as a discipline has a lot more tools in its kit beyond the ability to make decisions about investment advisability. Economics has also delved into what happens when the incentives in a market are misaligned. The manufacturer of an MP3 player has no direct incentive to prevent users from using its products to play music that infringes on a record producer's copyrights, for instance, but if the record producer loses revenue as a result, that has a real effect on the market. To the MP3 manufacturer, it's an "externality," or a "spillover effect."

The pollution emanating from a factory smokestack is a classic example of an externality. "The factory causing the pollution doesn't bear any of the costs of the pollution that are incurred downwind," says L. Jean Camp, an associate professor of public policy at the Kennedy School of Government at Harvard University and co-author of "Pricing Security," the first paper to argue that security is an externality. Similarly, if a company does a poor job at cybersecurity, other companies may be affected negatively. The recent MyDoom worm is a good example of how lax security by some can have a negative impact on others. If machines are infected with a worm that, like MyDoom, doesn't harm the machine but carries out some other task without the owner's knowledge, Camp says, the owner doesn't have any direct incentive to spend money to defeat the worm. "It doesn't matter to you if your machines are being used for phishing and spamming all night--there's no marginal cost." The cost, in other words, is an externality to the owner of the infected machine.

One solution, Camp suggests, is to structure internal charges to promote timely patching. Vulnerability auditing might result in per-department lists of faults coupled with policies that force departments to fix each vulnerability or pay IT to do so. "It makes the direct costs such that, even ignoring the large external costs, the department wants to do the right thing," she says. "Economics is always about properly aligning incentives."