The New Economics of Information Security

As economists turn their attention to cybercrime prevention, information-security managers can benefit by borrowing a few tools of the trade.

As any victim of a significant cyberattack will tell you, there's a financial dimension to these crimes. Even for non-victims, there's a financial hit in implementing security measures to prevent losses. Firewalls cost money, and so do the salaries of the security professionals who manage them.

Yet, relatively little attention has been paid to the economics of information security. Generally, we hear about the exorbitant losses in the more spectacular cases, or about totals gleaned from the annual Computer Security Institute/FBI Computer Crime Survey. In fact, even the CSI/FBI survey doesn't do justice to the magnitude of business loss from cybercrimes (see "The Indirect Cost Of Cybercrime,").

Information-security managers trying to defend budget requests sometimes talk about return on investment, but with only mixed results. After all, how do you determine the exact ROI of a firewall? You usually don't see information-security managers applying capital-budgeting techniques, such as the net present value (NPV) or internal rate of return (IRR), to information-security infrastructure investments. Yet, CFOs use those techniques regularly, and department managers usually compete for funds based on them. Since information-security managers go up against other department managers for a share of the budget, it's to their advantage to catch up with their peers who specialize in capital budgeting.

When it comes to recognizing the benefit of mixing firewalls with financial forecasts, it's the economists who have taken the lead. Financial economists have been applying capital-budgeting (or investment) theory to information security for the past couple of years. It's an area made tantalizing by the paradox at its heart: The more successful the security investments, the less visible and less measurable are the results. In many ways, information-security investments are among the most intriguing subsets of cost-saving (or cost-avoidance) capital projects.

Security managers may also find that economic modeling techniques lead to better decisions, even apart from worries about cost-effectiveness.

"I go to security conferences where we sit around puzzling about what kind of metrics to use for measuring the results of security programs," says Adam Stone, a security management analyst for the financial-services industry. "The metrics we have right now for assessing vulnerability and for measuring the effectiveness of our investments are all based on subjective judgments. They're fundamentally flawed." He says we can learn from the methods of financial, statistical, economics and securities professionals who deal with these kinds of uncertainties all the time to predict and measure business effectiveness in a rational way.

Lack of metrics reflects the relative immaturity of the information-security industry, Stone says. "People in information security are often technicians, gearheads. Very few of us have come up through the ranks of accounting or financial management. So we don't think in those terms."

But that's changing. Those who do think in economic terms are grappling with ways to use ROI and NPV to provide economic justification for investments. One information-security manager at a Fortune 100 multinational corporation says that when he measures the ROI of intrusion-prevention systems, he includes the cost of remediation of network problems flagged by the system.

Bruce Schneier, security expert and author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World" (Copernicus Books, 2003), says, "Economics—not technology—determines what security technologies get used. These days, I feel like I do more economics than computer security."

Surpassing ROI

ROI, an output-input metric, can only be applied imperfectly to computer security because of the need to define the "return." Anecdotally, it's clear that some solutions offer benefits beyond security—for example, faster network throughput in a new-generation router that also supports VPNs—and ROI is calculated in terms of the associated benefit. That approach only partially considers the economics of the security investment. Here we can learn from statistics because we need to take into account the overall expectation of loss. Some losses are very expensive on average, but relatively unlikely to occur in any given year. Therefore, the numbers we plug into equations should reflect what we think we'll lose over time, including some years when we don't lose anything.

Furthermore, ROI doesn't take into account the time value of money. If you have $100 today, you can invest it and have more than $100 in a year's time. If you receive $100 a year from now, you'll be less well off than if you had that $100 today. To put it another way, if you get something less than $100 now, you'll be just as happy as if you received the full $100 in a year's time. The "somewhat less than $100" that you get now is the NPV of the $100 you've been promised in a year. So, rather than the traditional accounting notion of ROI, economists prefer to talk in terms of NPV or IRR, the latter being a time-adjusted notion of rate of return.

There's nothing hypothetical about the applicability of these metrics to security budgeting: A growing number of security managers are using NPV as a metric to quantify the benefits of their expenditures. In a study by Lawrence Gordon, co-author of this article, and Martin Loeb, another professor at the University of Maryland's Smith School of Business, about one-third of the respondents claim that concepts like NPV are becoming important factors in weighing the costs and benefits of a security investment. And many CFOs require such analysis from information-security managers just as they do from other managers.