8/12/2019 Prezentacija MIPRO 2014 - Economic and financial analysis of investments in information security
1/11
ECONOMIC AND FINANCIAL ANALYSIS OF INVESTMENTS IN INFORMATION SECURITY
Zvonko Čapko 1, Saša Aksentijević 2, Edvard Tijan 3
1 University of Rijeka, Faculty of Economics
Ivana Filipovića 4, Rijeka, Croatia
Tel: +385 51 35 51 52 Fax: +385 212 268 E-mail: [email protected]
Forensics and Consulting, Ltd.
Gornji Sroki 125a, Viškovo, Croatia
Tel: +385 51 65 17 00 Fax: +385 51 65 17 81 E-mail: [email protected]
University of Rijeka, Faculty of Maritime Studies
Studentska 2, 51000 Rijeka, Croatia
Tel: +385 51 33 84 11 Fax: +385 51 33 67 55 E-mail: [email protected]
MIPRO 2014
STATEMENT OF THE PROBLEM
In companies, investment value of assets (which are owned or controlled by an
enterprise and which produce certain revenue) is evaluated against the related costs
(for example, maintenance, or procurement of raw materials).
Assets are usually divided into material assets (machinery, buildings), non-material
assets (patents, software, goodwill) and a special form of assets capable of intrinsic
reproduction, called financial assets.
STATEMENT OF THE PROBLEM
Information Security Management Systems, or ISMS, (technically speaking) consist of the following components, organized in a hierarchical manner:
- Organizational forms ensuring the compliance with legal regulations,
- Organizational information policy, or the knowledge of users and management regarding the functioning and managing of ISMSs, resulting in adequate application of risk removal techniques by using hardware, software and orgware, often formalized by security certification (e.g. ISO 27001:2005),
- Computer hardware (servers, switches, computers, network devices, routers),
- Computer software and applications.
DIFFICULTIES IN DETERMINING THE INPUT PARAMETERS OF
ECONOMIC ANALYSIS
Difficulties in determination of input parameters of financial analysis in information security are the following:
- The decisions about ISMS investments depend upon the risk assessment as a professional/specialist activity.
- The high level of substitutability of ISMS investments with the costs that can be considered as operative costs often complicates investment decisions.
- Software, hardware and telecommunication solutions obtained as long-term investments by the enterprise usually imply the necessity of maintenance contracting.
- It is difficult to correctly predict the real residual value of certain information security investments.
- Small and medium enterprises often lack the specific knowledge necessary to adequately assess the influence of information security investments on enterprise performance.
CHARACTERISTICS OF INFORMATION SECURITY INVESTMENTS'
ECONOMIC ANALYSIS
Those items which reduce the economic potential of the project or solution are considered expenses. In this context, the expenses may be:
- Initial investments in information security solution or project
- Cost of project or solution maintenance
- Material expenses for using the solution (electricity, utilities)
- External services related to the solution (consulting)
- Training costs for solution implementation (permanent employees)
- Training costs for solution usage (permanent employees)
- Gross salary for employees in charge of solution implementation (reduced to full time equivalents)
CHARACTERISTICS OF INFORMATION SECURITY INVESTMENTS'
ECONOMIC ANALYSIS
Similar to the economic flow method, unmodified financial flow method could also be applied to information security solution investments only if the enterprise holds such solutions as assets and leases them to other enterprises. Unlike the economic flow method, financial flow method also takes into account sources of financing represented by cash inflow and obligations towards sources of financing (outgoing interest), shown in the following table:

structure/period | 1
AVOIDED EXPENSES | ...
RESIDUAL VALUE | -
FINANCING SOURCES | 3.1+3.2
  Own sources | ...
  Loans | ...
Expenses | 2.1+2.2+2.3+2.4+2.5+2.6+2.7
  Security solution investment | ...
  Maintenance costs | ...
  Material costs | ...
  External costs | ...
  Training costs for solution implementation | ...
  Training costs for solution usage | ...
  Gross salary | ...
  Installment (annuity) | ...
NET EFFECT | 1.+2.+3.-4.
CHALLENGES IN APPLICATION OF INTERNAL RATE OF RETURN
(ROR) METHOD
When using the internal rate of return method in the analysis of information security investments, several facts should be taken into consideration:
- This method could not be used when analyzing or comparing investments into multiple information security solutions, only when analyzing single investments due to the fact that the obtained results are not comparable.
- The internal rate of return implies reinvesting the positive cash flow in projects or solutions that have the similar rate of return, whether it is the case of reinvesting in similar solutions or other comparable solutions. For that reason, the internal rate of return method will be used in evaluating those projects in which the reinvested cash flow is directed into projects with lesser rate of return. This is especially true for security solutions or projects with high rates of return, because enterprises have difficulties in finding comparable reinvestment projects with equally attractive rates of return.
- As a rule, cash flows do not change from positive to negative and vice versa, and the last cash flow is never negative. Therefore, the problem of multiple internal rates of return should not exist.
- The internal rate of return method will only provide a relative calculation of return for a given security project or solution, not absolute.
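As an added illustration (not part of the presentation), the Python example below computes the NET EFFECT row of the financial flow table per period and applies the sign-change test behind the multiple-rates remark before solving for the internal rate of return. All figures are constructed, and the economic-flow variant (the same rows without financing sources and installment) is an assumption based on the description of the two methods above.

```python
# Constructed figures (thousand EUR) for a hypothetical four-period project;
# none of these numbers come from the presentation.
PERIODS = [
    dict(avoided=0,  residual=0,  own=40, loans=60, costs=100, installment=0),
    dict(avoided=50, residual=0,  own=0,  loans=0,  costs=10,  installment=23),
    dict(avoided=50, residual=0,  own=0,  loans=0,  costs=10,  installment=23),
    dict(avoided=50, residual=15, own=0,  loans=0,  costs=10,  installment=23),
]

def financial_net_effect(p):
    """Avoided expenses + residual value + financing sources - expenses."""
    financing = p["own"] + p["loans"]
    expenses = p["costs"] + p["installment"]  # installment is an expense row
    return p["avoided"] + p["residual"] + financing - expenses

def economic_net_effect(p):
    """Assumption: economic flow omits financing sources and the installment."""
    return p["avoided"] + p["residual"] - p["costs"]

def sign_changes(flows):
    """Count how often the series switches between positive and negative."""
    signs = [f > 0 for f in flows if f != 0]
    return sum(a != b for a, b in zip(signs, signs[1:]))

def npv(rate, flows):
    return sum(f / (1 + rate) ** t for t, f in enumerate(flows))

def irr(flows, lo=-0.99, hi=10.0, tol=1e-9):
    """Bisection on NPV; rejects series without exactly one sign change."""
    if sign_changes(flows) != 1:
        raise ValueError("IRR undefined or not unique for this cash-flow series")
    if npv(lo, flows) * npv(hi, flows) > 0:
        raise ValueError("no IRR inside the search interval")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if npv(lo, flows) * npv(mid, flows) <= 0:
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2

financial = [financial_net_effect(p) for p in PERIODS]  # liquidity view
economic = [economic_net_effect(p) for p in PERIODS]    # basis for IRR here

if __name__ == "__main__":
    print("financial net effect:", financial)
    print("economic net effect: ", economic)
    print("IRR (economic flow): %.2f%%" % (100 * irr(economic)))
```

With full financing in the first period the financial flow never turns negative, so `irr` rejects it; the rate is taken from the economic flow instead.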