Ten Points about Security ROI and ROSI

It keeps coming up, and I believe there are some misconceptions about Return on Investment and Return on Security Investment that should be clarified. Here are ten points to consider:

1) NPV does not compare to ROI as the NPV result is expressed in dollars and ROI is ultimately a percentage (of the investment dollars). In the case of cost centers, NPV is more consistently (and appropriately) compared to TCO, another measure expressed in dollars. NPV will be lower than TCO, unless the period in question is a year or less.

2) IRR is generally considered a better measure of return than ROI; IRR is the discount rate at which NPV equals 0. Again, IRR is a better, more complex way to measure in multi-year scenarios.

3) If you are going down the NPV/IRR road, then you have already bought into the concept of financial measurement and management in security. Congratulations.

4) All of these measures (TCO, ROI, NPV, IRR) use essentially the same inputs, with the time value of money measures requiring an extra estimate of cost of capital or other discount rate.

4) ROI in security typically comes by reducing your existing, known cost basis such that the net profit (in the broadest sense, of your organization) is higher. These are real costs that show up, or will show up in the case of anticipated ROI, in an organization’s financial statements.

5) The costs in security are often NOT sunk costs; they are operational costs. These costs are related to software, hardware, maintenance, outsourced charges, and salaries of support personnel. The activities involved may be related to incident prevention or incident recovery.

6) ROI in security is NOT the same as ROSI.

7) ROI in security is NOT the same as ROSI.

8) ROSI requires an estimate of the information asset value of the resources you are trying to protect, as well as an estimate of the probability of that resource being compromised. You need this in two separate scenarios in order to do a comparison.

9) ROSI compares the amount "saved" by reducing risk (i.e. that portion of a resource’s value that is "saved") to the amount invested. If a resource worth $1,000,000 has a 10% likelihood of compromise, then $100k is at risk. If you spend $50k to reduce that likelihood to 2%, then you "saved" $80k with that $50k investment for a ROSI of 160%. (Again, time value of money caveats apply).

10) ROSI financials don’t show up in any financial statements. You either believe them or you don’t, with whatever supporting evidence you have.
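The ROSI arithmetic from point 9, with the time-value-of-money caveat from points 1, 2 and 7 carried through, as an added example that is not part of the original post. The asset value, probabilities and $50k investment are the post's own figures; the three-year horizon and 10% discount rate are assumptions made here for illustration.

```python
"""Added example: ROSI as the post defines it, then the same 'saving'
discounted as a multi-year cash flow (NPV and IRR)."""
from typing import List


def exposure(asset_value: float, p_compromise: float) -> float:
    """Expected loss: the portion of the asset value that is 'at risk'."""
    return asset_value * p_compromise


def rosi(asset_value: float, p_before: float, p_after: float, investment: float) -> float:
    """ROSI per the post: the amount 'saved' divided by the amount invested.
    The post's figures give 80k / 50k = 1.6, i.e. 160%."""
    saved = exposure(asset_value, p_before) - exposure(asset_value, p_after)
    return saved / investment


def npv(rate: float, cash_flows: List[float]) -> float:
    """Net present value; cash_flows[0] is the up-front outlay (negative, undiscounted)."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0, iters: int = 200) -> float:
    """IRR: the rate at which NPV is 0. For one outlay followed by inflows,
    NPV falls as the rate rises, so a simple bisection finds it."""
    for _ in range(iters):
        mid = (lo + hi) / 2
        if npv(mid, cash_flows) > 0:
            lo = mid  # NPV still positive: the rate is too low
        else:
            hi = mid
    return (lo + hi) / 2


def multi_year_case(asset_value: float = 1_000_000.0, p_before: float = 0.10,
                    p_after: float = 0.02, investment: float = 50_000.0,
                    years: int = 3, rate: float = 0.10) -> dict:
    """Assumed scenario (not from the post): the $50k is spent up front and the
    risk reduction holds for `years` years, so the yearly 'saving' is an inflow."""
    saved_per_year = exposure(asset_value, p_before) - exposure(asset_value, p_after)
    flows = [-investment] + [saved_per_year] * years
    return {"saved_per_year": saved_per_year, "npv": npv(rate, flows), "irr": irr(flows)}


if __name__ == "__main__":
    print(f"ROSI (post's definition): {rosi(1_000_000, 0.10, 0.02, 50_000):.0%}")
    print(multi_year_case())
```

The single-year ROSI is a ratio that never appears on a financial statement; the NPV is a dollar figure and the IRR a rate, which is why point 1 warns against comparing them directly.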

Other pertinent posts:

ROI is about value

Return on Security Investment (and a little ROI)

2 comments for “Ten Points about Security ROI and ROSI”

  1. July 21, 2007 at 2:52 pm

    Hi Pete,

    In an earlier post you said “if you don’t want to call it ROI, that is fine – you can perform the same calculations to get to cost/benefit comparisons and TCO differences.”

    Given that caveat I think I agree with everything you’ve written in those earlier posts and this one too.

  2. Rob
    July 24, 2007 at 11:47 am

    The point I tried to make earlier was that there is a portion of operating budget under security that is regarded as a minimum cost that comes from using inherently flawed IT systems. One does have the choice of spending nothing, but I suppose the time until you were owned, your data was tampered with or not available, your IP stolen and your customer’s trust was stolen might be measurable in hours, if not days.

    If you really don’t have an option to opt-out, is it not really a sunk cost, no matter where it appears on the financial statement?
