Prezentacija MIPRO 2014 - Economic and financial analysis of investments in information security

  • 8/12/2019 Prezentacija MIPRO 2014 - Economic and financial analysis of investments in information security

    1/11

    ECONOMIC AND FINANCIAL ANALYSIS OF INVESTMENTS IN INFORMATION SECURITY

    Zvonko Čapko1, Saša Aksentijević2, Edvard Tijan3

    1 University of Rijeka, Faculty of Economics
    Ivana Filipovića 4, Rijeka, Croatia
    Tel: +385 51 35 51 52 Fax: +385 212 268 E-mail: [email protected]

    Forensics and Consulting, Ltd.
    Gornji Sroki 125a, Viškovo, Croatia
    Tel: +385 51 65 17 00 Fax: +385 51 65 17 81 E-mail: [email protected]

    University of Rijeka, Faculty of Maritime Studies
    Studentska 2, 51000 Rijeka, Croatia
    Tel: +385 51 33 84 11 Fax: +385 51 33 67 55 E-mail: [email protected]

    MIPRO 2014

    STATEMENT OF THE PROBLEM

    In companies, investment value of assets (which are owned or controlled by an enterprise and which produce certain revenue) is evaluated against the related costs (for example, maintenance, or procurement of raw materials).

    Assets are usually divided into material assets (machinery, buildings), non-material assets (patents, software, goodwill) and a special form of assets capable of intrinsic reproduction, called financial assets.

    STATEMENT OF THE PROBLEM

    Information Security Management Systems, or ISMS, (technically speaking) consist of the following components, organized in a hierarchical manner:

      • Organizational forms ensuring the compliance with legal regulations,
      • Organizational information policy, or the knowledge of users and management regarding the functioning and managing of ISMS's, resulting in adequate application of risk removal techniques by using hardware, software and orgware, often formalized by security certification (e.g. ISO 27001:2005),
      • Computer hardware (servers, switches, computers, network devices, routers),
      • Computer software and applications.

    DIFFICULTIES IN DETERMINING THE INPUT PARAMETERS OF ECONOMIC ANALYSIS

    Difficulties in determination of input parameters of financial analysis in information security are the following:

      • The decisions about ISMS investments depend upon the risk assessment as a professional/specialist activity.
      • The high level of substitutability of ISMS investments with the costs that can be considered as operative costs often complicates investment decisions.
      • Software, hardware and telecommunication solutions obtained as long-term investments by the enterprise usually imply the necessity of maintenance contracting.
      • It is difficult to correctly predict the real residual value of certain information security investments.
      • Small and medium enterprises often lack the specific knowledge necessary to adequately assess the influence of information security investments on enterprise performance.

    CHARACTERISTICS OF INFORMATION SECURITY INVESTMENTS' ECONOMIC ANALYSIS

    Those items which reduce the economic potential of the project or solution are considered expenses. In this context, the expenses may be:

      • Initial investments in information security solution or project
      • Cost of project or solution maintenance
      • Material expenses for using the solution (electricity, utilities)
      • External services related to the solution (consulting)
      • Training costs for solution implementation (permanent employees)
      • Training costs for solution usage (permanent employees)
      • Gross salary for employees in charge of solution implementation (reduced to full time equivalents)

    CHARACTERISTICS OF INFORMATION SECURITY INVESTMENTS' ECONOMIC ANALYSIS

    Similar to the economic flow method, unmodified financial flow method could also be applied to information security solution investments only if the enterprise holds such solutions as assets and leases them to other enterprises. Unlike the economic flow method, financial flow method also takes into account sources of financing represented by cash inflow and obligations towards sources of financing (outgoing interest), shown in the following table:

    Structure / period                              1
    ----------------------------------------------  ---------------------------
    AVOIDED EXPENSES                                ...
    RESIDUAL VALUE                                  -
    FINANCING SOURCES                               3.1+3.2
      Own sources                                   ...
      Loans                                         ...
    Expenses                                        2.1+2.2+2.3+2.4+2.5+2.6+2.7
      Security solution investment                  ...
      Maintenance costs                             ...
      Material costs                                ...
      External costs                                ...
      Training costs for solution implementation    ...
      Training costs for solution usage             ...
      Gross salary                                  ...
      Installment (annuity)                         ...
    NET EFFECT                                      1.+2.+3.-4.

    CHALLENGES IN APPLICATION OF INTERNAL RATE OF RETURN (ROR) METHOD

    When using the internal rate of return method in the analysis of information security investments, several facts should be taken into consideration:

      • This method cannot be used when analyzing or comparing investments into multiple information security solutions, only when analyzing single investments, because the obtained results are not comparable.
      • The internal rate of return implies reinvesting the positive cash flow in projects or solutions that have a similar rate of return, whether it is the case of reinvesting in similar solutions or other comparable solutions. For that reason, the internal rate of return method will be used in evaluating those projects in which the reinvested cash flow is directed into projects with a lesser rate of return. This is especially true for security solutions or projects with high rates of return, because enterprises have difficulties in finding comparable reinvestment projects with equally attractive rates of return.
      • As a rule, cash flows do not change from positive to negative and vice versa, and the last cash flow is never negative. Therefore, the problem of multiple internal rates of return should not exist.
      • The internal rate of return method will only provide a relative calculation of return for a given security project or solution, not absolute.
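    Added example, not part of the original presentation: the net effect row of the financial flow table and the internal rate of return points above, computed for a constructed three-period security investment. All figures are invented for illustration, and the row numbers 1 to 4 are assumed to follow the order in which the NET EFFECT formula lists them.

```python
# Added illustration: every figure below is constructed, none comes from the slides.

def net_effect(avoided, residual, financing, expenses):
    """Per-period net effect, 1. + 2. + 3. - 4. as in the financial flow table."""
    return [a + r + f - e
            for a, r, f, e in zip(avoided, residual, financing, expenses)]

def sign_changes(flows):
    """Number of sign changes in the series, ignoring zero periods."""
    signs = [f > 0 for f in flows if f != 0]
    return sum(1 for prev, cur in zip(signs, signs[1:]) if prev != cur)

def npv(rate, flows):
    """Net present value, period 0 undiscounted."""
    return sum(f / (1 + rate) ** t for t, f in enumerate(flows))

def irr(flows, lo=-0.99, hi=10.0, tol=1e-9):
    """Bisection on NPV(rate) = 0; rejects series that can have several roots."""
    if sign_changes(flows) != 1:
        raise ValueError("unique IRR needs exactly one sign change")
    if npv(lo, flows) * npv(hi, flows) > 0:
        raise ValueError("no root in the search interval")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if npv(lo, flows) * npv(mid, flows) <= 0:
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2

# Constructed three-period project (period 0 is the investment period).
AVOIDED   = [0, 900, 900]       # 1. avoided expenses
RESIDUAL  = [0, 0, 120]         # 2. residual value, realised in the last period
FINANCING = [1000, 0, 0]        # 3. own sources + loans
EXPENSES  = [2000, 300, 300]    # 4. investment, then maintenance + installment
FLOWS = net_effect(AVOIDED, RESIDUAL, FINANCING, EXPENSES)   # [-1000, 600, 720]

# Same project at ten times the scale: identical IRR, ten times the NPV.
SCALED = [10 * f for f in FLOWS]

# A series whose last flow is negative (a constructed decommissioning cost):
# NPV is zero at both 20% and 30%, so a single IRR is not defined.
TWO_ROOTS = [-1000, 2500, -1560]

if __name__ == "__main__":
    print("net effect:", FLOWS, "IRR: %.4f" % irr(FLOWS))
    print("NPV at 10%%: %.2f vs %.2f" % (npv(0.10, FLOWS), npv(0.10, SCALED)))
    print("sign changes in TWO_ROOTS:", sign_changes(TWO_ROOTS))
```

    The scaled project shows why the result is relative only: the rate is unchanged while the absolute net present value grows tenfold.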
