Chapter 58 Identifying the Business Value of Information Security

Lucas Cardholm

Coromatic Group, Sweden

ABSTRACT

Management may see information security as an inhibitor to daily operations if the investment is not well aligned with current business activities or is presented in financial terms not relevant to their agenda.

While this chapter shows that information security improvements create bottom-line business benefits, there is still a need for security managers to focus on quantifying those benefits in relevant financial terms. The purpose is to demystify the principles of general investment processes and criteria for calculating the benefits and costs of investments while accentuating alignment to the imperatives of the organization that makes the investment. As information security investments are assessed alongside other investment projects, it helps to consider them on an equal footing, implying the use of similar, and ideally the same, methods of financial cost projection. It is equally important to position and present the proposed investment in a relevant business context.

INTRODUCTION

When top level management makes investment decisions it strives to find a balance between risk and reward for the company to meet the overall goals and ambitions. These goals could be defined as single year financial targets combined with annual budgets and rolling forecasts or they could be related to more long-term metrics used to drive a change.

Since 2008 we have witnessed unprecedented changes in the global economic environment that have presented new risks and challenges combined with new technologies, where some have helped improve information security and some have brought new risks and concerns.

Many security professionals struggle with the fact that costs associated with information security incidents can have large components which are difficult to quantify. Information security decisions still do not need to be taken with a complete lack of quantified value.

Quite to the contrary, in the manner of any investment request, there are often numerous opportunities to collect data and trend information in order to measure the effectiveness of the investment.

DOI: 10.4018/978-1-4666-6268-1.ch058


If investments in information security are assessed alongside other investment projects it helps to consider them on an equal footing, implying the use of similar (and ideally the same) methods of financial cost projection. Benefits that cannot be measured with quantitative values may mean less to senior management. They may see information security as an inhibitor to their daily operations if the investment is not well aligned with current business activities or is presented in financial terms that seem not relevant to their agenda (Tsiakis and Pekos, 2008).

This chapter is aimed at providing information security professionals with a brief introduction to performing cost benefit analyses of information security investments and presenting them to management in order to bridge the gap between security professionals and business leaders.

It is based on recent reports and previous research on the topic, and should be considered as a summary only. For a deeper analysis and broader perspectives on obtaining support and funding from senior management, please refer to the full reports.

The Need for Alignment to Business Needs

Over the past several years, we have witnessed unprecedented changes in the global economic environment. Increased pressure to improve profitability, coupled with increased government and industry regulations and austerity measures have presented new risks and challenges - challenges that many organisations are now struggling to address. We also witnessed new technologies introduced and adopted, some that helped improve information security and some that brought new risks and concerns.

The professional services firm Ernst & Young (2012) has conducted research on the impact of the downturn in the market by conducting more than 50 000 direct meetings with senior executives since 2008 as well as performing annual benchmark studies, the latest published in December 2012, run by the Economist Intelligence Unit (EIU) surveying 1,500 C-suite, board directors and senior managers from around the world.

As with earlier studies, Ernst & Young have factored out the impact of sector and distinguished between the highest and the lowest quartile of performers, in both revenue and EBITDA growth, to identify specific patterns of action that might explain the difference in performance. Top level management could use this study, and others, to help define priorities for investments to meet the overall goals and ambitions of the company.

Four key areas have been identified where high performers are significantly ahead of their competitors: customer reach, operational agility, cost competitiveness and stakeholder confidence (see Table 1).

Companies researched share that information is a fundamental asset to them. Information security is therefore critically important to protect data against a wide variety of threats, such as unauthorized disclosure, data errors or loss of information.

Table 1. Identified key areas of high performing companies 2008-2012. Source: Ernst & Young.

Key Performance Area Identified Common Priorities in Key Area
Customer reach • Focus on key segments • Broaden product/service offer • Prioritize markets • Reinforce brand
Operational agility • Accelerate speed of response • Create flexible work/delivery platforms • Master innovation • Improve collaboration
Cost competitiveness • Inform pricing process • Sustain cost reduction • Pass on cost pressure • Optimize capital
Stakeholder confidence • Identify and explain risks • Enhance reporting • Anticipate regulatory compliance • Re-engage with internal talent

The annual Global State of Information Security® run by the professional services firm PwC (2012) shows that from 2008 to 2009 there was a significant drop in respondents expecting increased information security budgets, reflecting the initial impact of the financial crisis.

For the following years barely more than half of the respondents expected increases in budget spend, while 45 percent of the 9,300 respondents see a tightening of information security budgets for 2013 which will forestall updates to their security programs, and economic conditions rank first among the multiple factors shaping security budgets.

According to the PwC study shown in Figure 1, organisations that consider themselves leaders in the field of information security are much more likely than other companies to employ integrated approaches and frameworks that combine compliance, privacy and data usage, security, and identity theft. They are less likely to cut security spending and more likely to increase it. They measure financial losses more thoroughly, and are much better aligned with overall business strategy than non-leaders. Finally, leaders are far more aware of what’s going on in their organisations than the average respondent. On question after question, either none - or a very small fraction of the leading companies - said they did not know the answer, while “do not know” responses among the general respondent population routinely registered 15% or more.

Similar findings are made in other surveys as well, where the number of respondents who indicate that their information security strategy is aligned to their IT strategy and to their business strategy has risen dramatically since 2008 (Ernst & Young, 2012).

In short, information security improvements increase compliance and reduce risks, making security breaches less likely or less costly - creating bottom-line business benefits, as shown by ENISA - the European Network and Information Security Agency, working for the EU Institutions and Member States (ENISA, 2008).

MAIN ACTIVITIES TO ENSURE ALIGNMENT TO BUSINESS NEEDS

When planning for an information security investment it is essential to know what areas of improvement are prioritised in the organisation. All investments should be aligned to the business objectives and the executive agenda.

There are multiple stakeholders in a company whose needs should be taken into account.

Figure 1. Percentage of respondents who believe that information security spending will increase over the next 12 months, 2007-2012

Source: PWC

Take a look at the four key areas again - how will the proposed investment contribute to the improvement in any of the areas identified by management as critical? Does the organisation use any other set of business goals or priorities to be aligned to?

The typical investment approval process includes the following aspects to consider (Weill and Ross, 2004):

• How much to spend.

• What to spend it on.

• How to reconcile the needs of different stakeholders.

There is a need to ensure that the governance model of the organisation is understood properly. Depending on what key performance area that is being supported by the information security investment, there will be different stakeholders who need to take appropriate actions. Stakeholder aspects to consider:

• Who makes investment decisions?

• How are investment decisions measured in terms of effective management?

• How will these decisions be captured and monitored in financial terms?

Many information security initiatives provide value to the company by managing identified risks through reduced incident costs. Other security programs aim at improving governance effectiveness or meeting compliance requirements. Regardless of which, they need to be clearly aligned to one or several business objectives that guide the leadership team making the investment decisions.

If the information security professional is not fully aware of the agenda of the organisation the proposed investment may not be realised, not because the investment in itself would be a poor investment, but simply because the needs it addresses are not relevant to the management agenda that has developed since the financial crisis started.

In 2004 the Massachusetts Institute of Technology’s Sloan School of Management research presented three alternative financial performance models being most relevant for IT governance: asset utilisation, profit and growth (Weill & Ross, 2004). These models can still be found reflected in the financial calculations used for investment requests, as will be shown later in this chapter.

The structure of this chapter is in line with general principles for investment processes and presents the five key steps to take for improving chances of approval to investment requests (see Table 2).

IDENTIFYING MAIN RATIONALE AND STAKEHOLDERS

The investment process starts when there are identified needs for risk mitigation (see Figure 2). The main rationale for these needs varies and has different implications on what methods to apply for a useful cost benefit analysis.

There may be a risk that the proposed information security investment could be seen as driving costs or a source for productivity loss in operations. Therefore it is useful to ensure that the investment comes out as a positive investment that enables or supports business targets (Tsiakis and Pekos, 2008).

Main aspects to consider are:

• Why should we, as an organisation, invest in this security initiative?

• What is the precise effort in question?

• Who in the organisation will be impacted by this effort?

• Who do we need support and participation from?

• What is the value of that effort to the organisation?

• How are we going to substantiate or measure that value?

Table 2. Approach for information security investments

Figure 2. Identifying main rationale and stakeholders

Business drivers create the main rationale for information security investments. One driver is due to someone within or outside the company identifying risks or gaps in the current control environment that inhibits profitability or growth. Another business driver is when security mechanisms can enable cost reductions in operations through increased efficiency or effectiveness. A third business driver is when there are opportunities to improve the company’s asset utilization (see Table 3).

Case Example: Privacy Compliance Benefits for Data Centre Provider

This case shows how a risk analysis regarding the management of privacy was developed to present benefits aligned to business goals as part of the investment request.

The objective with the engagement was to support the data centre outsourcing company with IT legal skills regarding management of end-customer data within the area of outsourced services. It was also to match those to the business objectives of operational cost reduction, growth and lowered liability risks. This was a moving target which required change readiness for the outsourcing organisation taking over accountability for lowering liability risks while meeting contractual obligations at a set price. The past 40 years have shown that privacy and data protection have never been static (Gutwirth et al., 2011).

In this case there were four main phases in the process of winning and managing a customer contract that were analysed. During all these phases the outsourcing provider handled issues related to the processing of end-customer personal data.

Outsourcing phases that were analysed:

1. Negotiation and win of contracts

2. Transition of customer operations to IT outsourcing provider

3. Contract fulfilment

4. Standardisation and centralisation of operations to global data centres

The main risk areas in Table 4 were identified:

A set of mitigating actions was proposed to management and, as all of the risk areas were addressed in terms of alignment to business objectives, these mitigating actions were easily discussed and accepted by the relevant stakeholders.

This example shows that the commonly used risk analysis can be used to produce business aligned investment requests in the area of privacy management, which is otherwise often seen as a topic related mainly to regulatory compliance and a cost driver.

CAPTURING COSTS AND BENEFITS

By measuring information security metrics, both non-financial and financial, the security professional can improve the security organisation’s visibility and standing within the company as well as indicate the value of information security investments (see Figure 3). Despite the clear demands and advantages, security metrics are too often poorly developed or based on data that is ineffective to provide measurement of financial benefits, or costs, to the company.

Table 3. Business drivers and information security initiatives

Business Driver Examples of Information Security Initiatives
profitability or growth Mitigating unacceptable risks in control environment for new services, products or when entering new markets.
cost reduction in operations (reduced opex) Improvements in process efficiency or effectiveness, e.g. increased automation of preventive controls
improved use of assets (reduced capex) Divestment of assets with increased use of outsourced services in a secure way

Table 4. Privacy risk areas, IT outsourcing provider

Risk Area Description
Missed opportunities for cost reduction When the data centre provider operates services for its customers the aim is to reduce operating costs thanks to standardisation and centralisation. Wrongful presumptions that privacy regulations inhibit such actions will block cost reduction opportunities in operations.
Over-delivery without proper remuneration The data centre outsourcing provider agrees to a certain level of privacy controls in the outsourcing contracts. If the transitioned operations are not meeting those requirements before they are taken over, the provider will have to improve the privacy management compared to original operations without proper compensation from the customer company. The same applies when the IT operations are centralised to global data centres that meet higher privacy compliance levels than those originally in place.
Contract penalties, negative publicity and legal actions When existing IT operations are transitioned to be managed by the data centre outsourcing provider they are received ‘as is’. If these operations are not validated to meet the contract from the time they are taken over, there may be data leakage with liabilities for the provider. In several jurisdictions there is also a legal requirement to disclose data breaches, opening up for legal actions from the end-users (Anderson and Bohme, 2009).

Many security professionals struggle with the fact that costs associated with information security incidents can have large components which are difficult to quantify, as security design is based on quantitative or qualitative analysis, where especially qualitative analysis can be difficult to transform into financial consequences (Tsiakis, 2010). This is not to say that organisations have to make their information security decisions with a complete lack of quantified financial value. Quite to the contrary, in the manner of any investment request, there are opportunities to collect data and trend information in order to measure the effectiveness of information security investments (Gordon and Loeb, 2006).

The baseline requirement on metrics used is that they should be quantifiable indicators which can be obtained objectively and are repeatable. The repeatability is important if there is a need to make comparisons of earlier and later values or to find trends. This first requirement is often the reason for security professionals to flinch from measuring security. But information security is not a feeling or a notion. If risks are real, countermeasures must also be substantial which should be possible to demonstrate (von Faber, 2009).

Another important aspect is that the change in measured metrics must be possible to connect to specific information security control improvements. As a result, improvements in controls will show as changes in the outcome of measurements.

Figure 3. Capturing costs and benefits

The metrics must also provide enough information to enable the security professionals to add or modify actions in a systematic manner. Specifically, the measurement should directly be aligned with the company’s goals.

Still, as with any other investment made in a company, the value propositions for security investments need to be dependent on assumptions and simplifications, as the cost for measuring anticipated effects would otherwise run the risk of outweighing the potential value gained in an improved control environment (Xie and Mead, 2004).

Metrics used for measuring risk mitigation cannot be regarded as purely technical issues as they involve different stakeholders with different needs (Tsiakis, Kargidis and Chatzipoulidis, 2013). Typical metrics with financial impact can be related to the probability, frequency, character, and magnitude of future events, e.g. threats and attacks. In the case of compliance it could be related to employee-time spent on non-productive corrections of information security breaches or the cost of fines and penalties for compliance breaches.

Using metrics to measure improvements based on taken mitigating actions should not be confused with methods for identifying potential benefits of security investments. Security metrics are used to measure what has already happened while potential benefits, if the investment is made, are identified using other methods, where risk analysis and business case analysis are two common approaches.

Risk Analysis

The Information Technology Governance Institute states that a key goal of information security is to reduce adverse impacts on the organisation to an acceptable level of risk. Therefore, an effective security programme will show a trend of impact reduction and quantitative measures can include trend analysis of impacts over time (Information Technology Governance Institute, 2003).

The fundamental purpose of internal control measures is to prevent or detect security breaches. If the solution prevents most incidents before they materialise, it could be deemed superfluous by management unless it is made transparent that the specific investment made an impact. On the other hand, if the implemented solution detects numerous incidents that were not previously identified, there is a risk that stakeholders see this as a sign of ineffective information security governance, believing the number of incidents has risen.

Risk analysis is the most complex method of estimating profits (Kotler and Keller, 2006). Due to the uncertainties involved in risk measurement and the concept of benefits being based on lowered “value-at-risk,” the risks are often assessed in qualitative non-financial terms, e.g. “High, Medium, Low” or 1-10. These estimates are then presented in heat maps, with an example shown below in Figure 4. Evaluating risks in this manner enables participants the opportunity to have a focused discussion, disclose opinions, review facts and arrive at a clearer definition and understanding of the risks - shared by all.

The risk assessment process is a method of determining what kind of controls are needed to protect an organisation’s information systems and other assets and resources not just adequately, but cost-effectively. The terms risk analysis, risk assessment, business impact analysis (BIA), criticality analysis, and threat- or vulnerability assessment are all used in this context (Tsiakis, 2010). Experience has shown that the business impact analysis is often seen as clearly connected to business managers’ areas of interest, where loss cost calculations may be easier to quantify in financial terms than general probabilities for incidents to occur.

The risk analysis is useful for giving appropriate data input to the financial analysis and effectiveness measurement of information security management. The risk analysis is performed best as top-down scenario oriented, e.g. business units quantify costs of unavailability based on the duration and costs due to loss of confidentiality while the IT department quantifies costs of loss of integrity and the probability of these security issues. This results in the business impact of security risks and allows determining the influence of security on the necessary capital charge and the expected losses (Locher, 2005).

Figure 4. Sample risk analysis heatmap

Business Case Analysis

A common approach used for strategic investment decisions in financial terms is the business case analysis, or BCA. The purpose of business case analysis is to make systematically sound strategic decisions under uncertainty. One of the risks with using business case analysis is that it can often underestimate uncertainty in order to create a vision of a future state precise enough to be captured in financial terms. Another risk is if managers are unable to find a strategy that works under traditional analysis, they may abandon the analytical rigor altogether and base their decisions on gut instinct (Hugh, Kirkland and Viguerie, 2000).

Rarely do managers know absolutely nothing of strategic importance, even in the most uncertain environments. It is often possible to identify trends, such as market demographics or risk exposure. There will always be an amount of uncertainty even after the best possible analysis has been made, but still quite a bit can be known despite this.

If the future is predictable enough, the manager can develop a single forecast that is precise enough for the investment and be ready for financial calculations. If there is too much uncertainty, the future can be described as one of several scenarios. The analysis will not identify which outcome will actually come to pass, but it may help establish a general sense of outcome. Here the security professional must develop a set of scenarios based on their understanding of how the uncertainties might play out and each alternative may require different financial models.

Some aspects to consider with regards to development of business cases:

• Develop only a limited number of scenarios as the complexity of managing more than four or five tends to slow down decision-making.

• Avoid developing redundant scenarios that have no unique implications for strategic decision making.

• Develop the scenarios to collectively account for the probable range of future outcomes and not necessarily the entire possible range.

• Typically a set of “base case,” “worst case,” “best case” and “do nothing case” should cover the needs for assessing an information security investment.

When the future scenarios are being developed to a suitable level of detail, the financial implications of costs and benefits need to be considered as there may be a need to iterate between scenario design and the application of financial calculations to find a useful cost benefit analysis.

Case Example: Business Case for Mobile Security Data Centre

This case, provided by Coromatic Group, shows how business case modelling helped the Business Continuity Program unit of a government agency to invest in mobile security data centres for use in crisis management situations.

The objective with the investment was to have access to several fully equipped 20 feet containers with eight 19” server rack capacity, self-sustained with built-in cooling and power generation. The intended purpose of the data centres was to operate field crisis management command centres in case of emergency.

When making the stakeholder assessment of needs to be met, there was a clear understanding of the operational benefits for the proposed equipment as this was needed to meet the government expectations of the agency’s capacity in business continuity. However, the investment had not been budgeted for in full and at senior executive level there was a general ambition to reduce the amount of assets owned by the agency.

In the business case scenarios that were prepared, one of them was to pay for the mobile data centres as a service instead of acquiring them to be owned as assets. Table 5 summarizes the financial opportunities and risks identified in that specific scenario.

After assessing the different scenarios, including other aspects than purely financial opportunities and risks, the BCP function decided to present the investment case as a service contract to the executive management. The request was approved.

Business Benefits

The benefits expected from an investment need to be collected and quantified so that management may weigh pros and cons of the proposed investment.

As we have seen, market situations and the strategies of a company change over time. By identifying the relative importance of different value disciplines, the information security professional is able to understand what the information security investment needs to support. In general terms these fall into different categories (Weill and Ross, 2004):

Table 5. Financial opportunities and risks in business case scenario, government agency. Scenario: Mobile security data centres as-a-service - financial aspects

Opportunities Risks
Meet needs for reducing, or at least not increasing, amount of assets owned The length of the service contract extends beyond the annual budget horizon to enable an adequate annual cost level
Operating costs can be adjusted per annum based on length of the service contract and amount of data centre containers If the service contract runs longer than four years the total cost is estimated to be higher than acquiring the equipment up-front
Paying for a continuous service level and functionality instead of technical equipment covered only by a two year warranty removes need for additional maintenance contract Potential penalties if withdrawing prematurely from the service contract

• Cost-effectiveness in operations, i.e. operating expenditures (opex)

• Effective use of assets, i.e. capital expenditures (capex)

• Business flexibility

• Growth

These value disciplines are not taken into account by security professionals often enough. From a business manager’s perspective any security investments may seem counterintuitive to the business needs, no matter which of the four disciplines may be driving their agenda. This is why it is essential to ensure a business alignment of the proposed information security investment.

Different industry sectors hold different levels of maturity with regards to appreciating information security as an enabler to business operations. The banking industry is a clear-cut example where both legislators and industry actors concur that risk mitigation in specific areas is required to be a fully licensed operator. It is also an industry where numerous different security governance frameworks are applied to meet business benefits by covering one or several of those risk areas. An example of how to adopt these in the e-banking area, in order to meet the specific requirements stipulated by that business model, has been presented by Tsiakis, Chatzipoulidis and Kargidis (2013), shown in Figure 5.

Figure 5. E-banking risks from an IT Security Governance (ITSG) framework perspective

If the organisation is relying on more direct strategies for information security to benefit the overall business agenda, security investments could be assessed using the categories presented by Ernst & Young (2012):

• Customer reach

• Operational agility

• Cost competitiveness

• Stakeholder confidence

Benefits that are identified but cannot be measured with quantitative values may mean less to senior management. Therefore, when analysing information security investments that may seem less tangible, e.g. improvement of internal controls in a security framework or information security awareness trainings, the principles for effective governance can be applied (Weill and Ross, 2004).

Case Example: Measuring Governance Effectiveness

The following example was provided by ENISA (2008) to show the measurement of governance effectiveness at a manufacturer of consumer goods. There was a need for the security professional to present the relevance of a proposed information security program which was to run for 3 months, involving approximately 100 employees working in the financial controlling functions throughout the business units. The purpose of the training was to strengthen the commitment to manual internal controls within the financial reporting processes.

The Chief Financial Officer, CFO, and six other senior managers were interviewed on how the initiative could fit with the corporate agenda. The results of the interviews are presented in Table 6.

By using the respondent data the security professional was able to calculate the governance effectiveness of the proposed initiative as shown in Box 1.

Box 1.

$$\text{Governance effectiveness} = \frac{(4.2 \times 4.0 + 2.2 \times 1.1 + 4.6 \times 3.5 + 3.2 \times 3.0) \times 100}{5 \times (4.2 + 2.2 + 4.6 + 3.2)} = 63$$

In order to complete the investment request the result of 63 needs to be set in relation to other competing investment requests using the same model for governance effectiveness, or be measured against a baseline of a minimum threshold to be met.

If this threshold is below 63 the investment could be positively assessed from a benefits perspective. However, the cost elements also need to be taken into consideration before a formal investment decision is taken.

Table 6. Example of results from a consumer products manufacturer

Q1. Importance of Information Security Investment
How important are the following outcomes of your information security governance, on a scale from 1 (not important) to 5 (very important)?

  Importance   Outcome
  4.2          Cost-effective use of information security
  2.2          Effective use of information security for asset utilisation
  4.6          Effective use of information security for business flexibility
  3.2          Effective use of information security for growth

Q2. Anticipated Influence of Information Security Investment
What is the anticipated influence of the proposed information security investment in your business on the following measures of success, on a scale from 1 (not successful) to 5 (very successful)?

  Influence    Outcome
  4.0          Cost-effective use of information security
  1.1          Effective use of information security for asset utilisation
  3.5          Effective use of information security for business flexibility
  3.0          Effective use of information security for growth
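The Box 1 calculation, written out as an added example (not code from the chapter or from ENISA). It takes the averaged Table 6 scores, generalises the formula to any number of outcome dimensions and scale maximum, and adds the per-respondent averaging step the Appendix recommends; the two-respondent input in the usage is constructed.

```python
"""Governance-effectiveness score for the Table 6 case.

Added example, not code from the chapter or from ENISA. It applies the
formula shown in Box 1 (importance-weighted influence, normalised to
0..100) and generalises it: any number of outcome dimensions, any scale
maximum, and aggregation of individual respondents' scores before the
calculation, as the Appendix recommends.
"""
from dataclasses import dataclass
from typing import Iterable, Mapping, Sequence, Tuple


@dataclass(frozen=True)
class Outcome:
    name: str
    importance: float  # Q1 score: 1 (not important) .. scale_max
    influence: float   # Q2 score: 1 (not successful) .. scale_max


# Averaged interview results from Table 6 (CFO plus six senior managers).
TABLE_6: Tuple[Outcome, ...] = (
    Outcome("Cost-effective use of information security", 4.2, 4.0),
    Outcome("Effective use of information security for asset utilisation", 2.2, 1.1),
    Outcome("Effective use of information security for business flexibility", 4.6, 3.5),
    Outcome("Effective use of information security for growth", 3.2, 3.0),
)


def governance_effectiveness(outcomes: Iterable[Outcome], scale_max: int = 5) -> float:
    """Box 1: sum(importance * influence) * 100 / (scale_max * sum(importance))."""
    outcomes = list(outcomes)
    if not outcomes:
        raise ValueError("at least one outcome dimension is required")
    for o in outcomes:
        if not (1 <= o.importance <= scale_max and 1 <= o.influence <= scale_max):
            raise ValueError(f"score out of range 1..{scale_max} for {o.name!r}")
    weighted = sum(o.importance * o.influence for o in outcomes)
    total_importance = sum(o.importance for o in outcomes)
    return weighted * 100 / (scale_max * total_importance)


def score_bounds(scale_max: int = 5) -> Tuple[float, float]:
    """Lowest score (every influence = 1) and highest (every influence = scale_max).

    With a 1..5 scale this gives the 20 and 100 quoted in the Appendix.
    """
    return 100 / scale_max, 100.0


def aggregate_responses(
    responses: Sequence[Mapping[str, Tuple[float, float]]]
) -> Tuple[Outcome, ...]:
    """Average each respondent's (importance, influence) pair per outcome.

    Every respondent must score every outcome named in the first response.
    """
    names = list(responses[0])
    averaged = []
    for name in names:
        imps = [r[name][0] for r in responses]
        infs = [r[name][1] for r in responses]
        averaged.append(Outcome(name, sum(imps) / len(imps), sum(infs) / len(infs)))
    return tuple(averaged)


def passes_threshold(outcomes: Iterable[Outcome], threshold: float) -> bool:
    """Compare against the organisation's minimum baseline, as the case suggests."""
    return governance_effectiveness(outcomes) >= threshold


if __name__ == "__main__":
    # Constructed input: two managers whose scores are averaged before scoring.
    raw = [
        {"Cost-effective use": (4.0, 4.0), "Asset utilisation": (2.0, 1.0)},
        {"Cost-effective use": (4.4, 4.0), "Asset utilisation": (2.4, 1.2)},
    ]
    print(f"Two-dimension constructed case: {governance_effectiveness(aggregate_responses(raw)):.1f}")
    score = governance_effectiveness(TABLE_6)
    print(f"Governance effectiveness (Table 6): {score:.1f}")  # 63.3, rounded to 63 in Box 1
    print("Score range:", score_bounds())
```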

Investment Costs

The information security investment cost elements need to be put into the proper financial context of the organisation.

The costs will vary greatly from one organisation to another depending on their structure, availability of supporting assets, e.g. automatic monitoring tools, and past experience from running previous security projects. Despite this, assessing the costs for a security investment is seldom the most challenging part of the cost benefit analysis, as these can be based on proposals from vendors combined with estimated labour costs for executing an initiative. If investment costs for information security are assessed alongside other investment projects it helps to consider them on an equal footing, implying the use of similar, ideally the same, methods of financial cost projection, as the principles of investment requests do not need to differ between very diverse areas of investment. The U.S. Department of Housing and Urban Development (2002) has developed a cost benefit model that could serve as an illustrative example.

A more comprehensive list of commonly used formulas is found in the Appendix to this chapter.

Case Example: Total Cost of Ownership for an Airline Company

The following example was provided by ENISA (2008) to show the investment aspects at an airline company. It shows common cost elements that can be collected by an information security professional without prior financial experience.

The airline company was planning to run an information security awareness programme. In order to get approval for the plans a budget was produced that showed the major cost elements, as seen in Table 7.

Despite not having identified any benefits, it is possible to perform a TCO calculation (Total Cost of Ownership).

The only variables to be added are how many training sessions were planned (in this case 20 training sessions were run at a cost of € 100 each) and for how long the awareness initiative was to be run as a structured programme. The running time is used to normalize all investments across a portfolio of investments. In this case the time frame was 2 years.

Table 7. Information security awareness costs: Airline Corporation

Cost                          Description                                                              € Estimate
Personnel                     Personnel working on the information security awareness initiative.      60 000
                              Whether they are full or part-time depends largely on the size of the
                              organisation and the importance of information security relative to
                              other priorities.
Operational Costs             The operation costs include rent, website maintenance (extranet and       25 000
                              intranet), information security awareness materials (posters, briefing
                              papers) and office miscellaneous costs.
Advertisement and Promotion   Branded coasters, pens, prizes for information security tests, quizzes
                              and competitions, coffee for brown-bag meetings and so on.
                                Promo: material cost                                                    2 000
                                Promo: distribution cost
                                Advertisement: creative cost
                                Advertisement: media cost
Training                      In case an organisation organises awareness training sessions.
                                Individual materials cost
                                Training rooms, cost per session                                        100
Contingency                   Further funds may be needed to purchase additional security awareness     20% on total
                              materials, external training courses and so on.
Total budget                                                                                            TOTAL

The TCO formula would look like Equation 1 in Box 2. In the case of the Airline Corporation, the results of the TCO formula looked like Equation 2 in Box 2.

As can be seen from the equations in Box 2, the normalized TCO for this information security awareness programme was € 53 400, ready to be compared with competing investments.
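The Airline Corporation TCO, reproduced as an added example (not code from the chapter or from ENISA). It sums the Table 7 budget lines (blank lines count as 0), applies the 20% contingency and divides by the two-year running time, which is the normalisation the text describes.

```python
"""Normalised TCO for the Airline Corporation awareness programme (Table 7).

Added example, not code from the chapter or from ENISA. It reproduces the
two-step calculation the text describes: sum the budget lines (empty Table 7
lines count as 0), add the contingency percentage, then divide by the
programme duration so the figure can be compared with other investments.
"""
from typing import Dict


def awareness_budget(
    sessions: int,
    cost_per_session: float,
    personnel: float = 60_000,
    operational: float = 25_000,
    promo_material: float = 2_000,
    promo_distribution: float = 0,
    ad_creative: float = 0,
    ad_media: float = 0,
    training_materials: float = 0,
) -> Dict[str, float]:
    """Itemised budget in euros, following the rows of Table 7.

    Lines left blank in the table default to 0; the session count and the
    per-session room cost are the variables the case adds.
    """
    if sessions < 0 or cost_per_session < 0:
        raise ValueError("sessions and cost per session cannot be negative")
    return {
        "Personnel": personnel,
        "Operational Costs": operational,
        "Promo: material cost": promo_material,
        "Promo: distribution cost": promo_distribution,
        "Advertisement: creative cost": ad_creative,
        "Advertisement: media cost": ad_media,
        "Training: individual materials": training_materials,
        "Training rooms": sessions * cost_per_session,
    }


def total_with_contingency(budget: Dict[str, float], contingency_pct: float = 20) -> float:
    """Add the contingency line ('20% on total') to the summed budget lines."""
    if contingency_pct < 0:
        raise ValueError("contingency percentage cannot be negative")
    subtotal = sum(budget.values())
    return subtotal + subtotal * contingency_pct / 100


def normalised_tco(total: float, years: float) -> float:
    """Divide the programme cost by its running time (years) for portfolio comparison."""
    if years <= 0:
        raise ValueError("programme duration must be positive")
    return total / years


def airline_case() -> float:
    """The chapter's figures: 20 sessions at EUR 100 each over a 2-year programme."""
    budget = awareness_budget(sessions=20, cost_per_session=100)
    return normalised_tco(total_with_contingency(budget), years=2)


if __name__ == "__main__":
    budget = awareness_budget(sessions=20, cost_per_session=100)
    for line, amount in budget.items():
        print(f"{line:<32} EUR {amount:>10,.0f}")
    print(f"Total incl. contingency:          EUR {total_with_contingency(budget):>10,.0f}")
    print(f"Normalised TCO per year:          EUR {airline_case():>10,.0f}")  # 53,400
```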

CALCULATING PERFORMANCE METRICS

When a combination of quantifiable financial metrics to satisfy stakeholder needs has been identified, the security professional should consider what the aim of the investment is to ensure the selection of proper financial models (see Figure 6). Security investments rarely exist for their own sake; they are enablers of other investments (Tsiakis and Pekos, 2008).

A security investment could support profitability or growth for the company by mitigating unacceptable risks in new services, products or when entering new markets. It could even drive these aspects if security is a critical component of making the product or service relevant to the market at all. Another purpose for the investment could be to drive cost reduction in operations (lowering opex) or improving the use of assets owned by the company (lowering capex). If the aim is to lower opex this is often achieved through process improvements and increased automation, while reduced capex could be achieved through divestment of assets and increasing the use of outsourced services, e.g. cloud based security services.

Business managers tend to see information security as an inhibitor to their daily operations if the investment is not well aligned with their current business activities or is presented in financial terms that seem irrelevant to their agenda. With regards to the financial metrics of a cost benefit analysis, some formulas are clearly focused on one aim or the other. For example Total Cost of Ownership does not consider profits, as shown previously in this chapter, while Economic Value Added reflects growth as a pure measure of value-add to shareholders. The more commonly used Net Present Value or Internal Rate of Return would consider both aspects. Despite this, there are no clear-cut lines for when to use which of all the different calculations available (Cardholm, 2006).

Box 2.

Figure 6. Calculating performance metrics

Iteration is Essential

The financial aspects need to be considered not only during the financial calculation, since the collection of non-financial data helps identify and quantify key performance indicators and variables used in the financial part of the cost benefit analysis. Iteration also helps gain buy-in along the way from stakeholders in operations and the business units. As a consequence the security professional needs to perform the non-financial and financial parts of the cost benefit analysis iteratively to be able to identify and capture relevant values for the investment request (Hyde, Regelman, and Kanagasabai, 2008).

• The iterative process of using financial calculations and non-financial metrics is critical to success.

• Once the financial metrics have been identified, the final calculations are seldom challenging to a professional with a financial background.

VALIDATING INVESTMENT RATIONALE

Before presenting the investment request to the decision makers, the security manager should validate how the proposed investment will fit with the decision makers’ key strategies and goals (Figure 7).

To minimise the risk that the proposed information security investment could be seen as driving costs or as a source of productivity loss in operations, it is useful to re-assess that the investment comes out as a positive investment that enables or supports the business (ENISA, 2008).

The main aspects to consider were presented earlier in this chapter:

• Why should we, as an organisation, invest in this security initiative?

• What is the precise effort in question?

• Who in the organisation will be impacted by this effort?

• Who do we need support and participation from?

• What is the value of that effort to the organisation?

• How are we going to substantiate or measure that value?

Figure 7. Validating investment rationale

At this stage of the investment request preparation it should be possible to answer these questions in a transparent way, to ensure that no major perspectives have been left out of the cost benefit analysis.

PRESENTING INVESTMENT REQUEST

Management at every level and in every organisation takes decisions every day about how to focus and balance company resources, i.e. people, time and money (Figure 8). Every day, almost every one of those managers will be asked to change something about that focus and balance. The general result of all of this is that many people naturally develop a habit of rejecting ideas almost as a reflex. Even if some requests are approved, others are bounced, and the rest are asked to “redo the business case” or “provide more information.”

To avoid such situations the security manager should follow the company's preferred format for presenting information to management. Some organisations thrive on structured memorandums, while others expect bound reports with colour-coded covers. The approach in Table 8 for preparing and presenting the information security investment is provided with the “slide presentation” style in mind, but can be adapted to fit your organisation's preferences (ENISA, 2008).

Figure 8. Presenting investment request

Table 8. Approach for presenting to management

Section or Slide              Key Topics or Speaker Points
Set the stage                 • Brief statement to focus and frame the discussion
                              • “In support of the business decision to...”
Document the opportunity      • Document your understanding
                              • Management should conceptually agree to the threat or problem
                              • Understand the threat in relevant terms, e.g. unnecessary costs
                              • Show this is properly understood by you
                              • General value proposition, e.g. “lowered risks of...” or “improved management of...” or “every day that we keep going without addressing this need will cost us the amount of...”
Share the vision              High level description of proposed security initiative and activities
Identify the business value   • Restate the value proposition in positive terms
                              • Tangible outcomes related to business goals (e.g., cost reduction or increased profit)
Determine next steps          • Clarify why this presentation was given to senior management
                              • Identify any final steps that are needed, or determine what is missing
                              • Now is the time to ask for senior management support

CONCLUSION

While this chapter has shown that information security improvements increase compliance and reduce risks, making security breaches less likely or less costly - which means creating bottom-line business benefits - there is still a need for security managers to focus on quantifying those benefits in financial terms.

In a study performed by Gordon and Loeb (2006) it was shown that senior information security professionals do use some form of financial analysis in budgeting for information security. Some of the participants approached information security expenditures with a formal Net Present Value (NPV) analysis, commonly used for many types of investments in companies. Other respondents used modified financial analyses with less emphasis on formally quantifying the business benefits.

An important aspect to consider is that security professionals should keep using the tools and methods developed by security researchers and industry actors, as this provides the foundation for actually managing security. However, by applying relatively simple financial calculations, the security professional can also make the investment case more clearly understood for senior management that may be less capable in security matters.

A point that should not get lost is that the cost benefit analysis is not an isolated tool for turning security metrics into financial values for its own sake. It should be built on a fundamental understanding of stakeholder needs so that it is useful as a tool to present the investment request in ways that meet those needs as well as the overall business drivers of the organisation.

Categories of business drivers to consider:

• Profitability or growth

• Cost reduction in operations

• Improved asset utilisation

If investments in information security are assessed alongside other investment projects, and they usually are, it helps to consider them on an equal financial footing. This implies using similar, or ideally the same, financial cost projection methods to make sure security gets no fewer opportunities for funding.

It may be worthwhile considering that business benefits that are identified but cannot be measured with quantitative values may mean less to senior management. This makes the challenge of capturing and measuring the intangible benefits of information security all the more important. Management may see information security as an inhibitor to daily operations if the investment is not well aligned with current business activities or is presented in financial terms not relevant to their agenda (ENISA, 2008).

Presentation should not be overlooked, but before presenting the investment request, the security manager should validate that the proposed investment will fit with the decision makers’ key strategies and goals - just one more time.

REFERENCES

Anderson, R., Böhme, R., Clayton, R., & Moore, T. (2009). Security economics and European policy. In Proceedings of ISSE 2008 Securing Electronic Business Processes, (pp. 57-76). ISSE.

Cardholm, L. (2006). Adding value to business performance through cost benefit analyses of information security investments. (MBA Thesis in Marketing). University of Gävle.

Demetz, L., & Bachlechner, D. (2012). To invest or not to invest? Assessing the economic viability of a policy and security configuration management tool. Paper presented at 11th Annual Workshop on the Economics of Information Security (WEIS 2012). Berlin, Germany.

ENISA. (2008). Obtaining support and funding from senior management while planning an awareness initiative. Retrieved January 20, 2013, from http://www.enisa.europa.eu/

Ernst & Young. (2012a). Fighting to close the gap - Ernst & Young's 2012 global information security survey. Retrieved December 19, 2012, from http://www.ey.com/

Ernst & Young. (2012b). Growing beyond - How high performers are accelerating ahead. Retrieved December 19, 2012, from http://www.ey.com/

Gutwirth, S., Poullet, Y., De Hert, P., & Leenes, R. (2011). Computers, privacy and data protection: An element of choice. Berlin: Springer. doi:10.1007/978-94-007-0641-5

Hugh, C., Kirkland, J., & Viguerie, P. (2000). Strategy in an uncertain world. McKinsey Quarterly. Retrieved June 3, 2013, from http://www.mckinsey.com/

Hyde, P., Regelman, R., & Kanagasabai, K. (2008). The value of operations using metrics to measure performance in financial services. Booz & Company.

Information Technology Governance Institute. (2003). Board briefing on IT governance. Author.

Kotler, P., & Keller, K. (2006). Marketing management. Upper Saddle River, NJ: Pearson Education.

Gordon, L. A., & Loeb, M. P. (2006). Budgeting process for information security expenditures. Communications of the ACM, 49(1), 121-125. doi:10.1145/1107458.1107465

Locher, C. (2005). Methodologies for evaluating information security investments - What Basel II can change in the financial industry. In D. Bartmann, F. Rajola, J. Kallinikos, D. E. Avison, R. Winter, & P. Ein-Dor et al. (Eds.), ECIS (pp. 1561-1572). ECIS.

PriceWaterhouseCoopers. (2012). Changing the game - Key findings from the global state of information security® survey 2013. Retrieved December 19, 2012, from http://www.pwc.com/

Tsiakis, T. (2010). Information security expenditures: A techno-economic analysis. International Journal of Computer Science and Network Security, 10(4), 7-11.

Tsiakis, T., Kargidis, T., & Chatzipoulidis, A. (2013). IT security governance in e-banking. In IT security governance innovations: Theory and research. Hershey, PA: IGI Global.

Tsiakis, T., & Pekos, G. (2008). Analysing and determining return on investment for information security. Paper presented at International Conference on Applied Economics (ICOAE 2008). Kastoria, Greece.

U.S. Department of Housing and Urban Development. (2002). Cost benefit analysis template. Retrieved December 19, 2012, from http://portal.hud.gov/

von Faber, E. (2009). Measuring information security: Guidelines to build metrics. In Proceedings of ISSE 2010 Securing Electronic Business Processes, (pp. 17-26). ISSE.

Weill, P., & Ross, J. (2004). Governance arrangements matrices by industry. Cambridge, MA: Harvard Business School Press.

Xie, N., & Mead, N. (2004). SQUARE project: Cost/benefit analysis framework for information security improvement projects in small companies (CMU/SEI-2004-TN-045). Retrieved January 3, 2013, from http://www.sei.cmu.edu/library/abstracts/reports/04tn045.cfm

KEY TERMS AND DEFINITIONS

Business Case Analysis (BCA): Captures the reasoning for making an investment. The underlying logic is that the total sum of resources used should be in support of a specific business need that provides a higher value if realised. A business case analysis typically captures both quantifiable and unquantifiable characteristics of a proposed investment.

Business Impact Analysis (BIA): Systematic approach aimed at identifying and quantifying the consequences of a sudden loss of functions or supporting resources.

Cost Benefit Analysis (CBA): Systematic process for calculating and comparing the benefits and costs of an investment by comparing the total expected cost of each alternative against the total expected benefits. It has at least one of two purposes: (a) assess if it is a sound investment in absolute terms or (b) provide a basis for comparing investments in relative terms.

Data Centre: A facility used to house IT equipment and related communications devices. The supply systems are typically designed in a redundant way to ensure power, cooling and environmental controls meet agreed service levels. Data centres range from small units built as secure rooms within existing buildings to mobile container modules and industrial scale facilities that require several megawatts of power to run.

Performance Metric: A measure of results based on activities taken. Performance metrics support different stakeholder needs depending on context, which means they can be finance based, aimed at the internal performance of the organisation, or be comparative metrics against set criteria, e.g. customer satisfaction, or drive continuous improvement.

This work was previously published in Approaches and Processes for Managing the Economics of Information Systems, edited by Theodosios Tsiakis, Theodoros Kargidis, and Panagiotis Katsaros, pages 157-180, copyright 2014 by Business Science Reference (an imprint of IGI Global).

APPENDIX

Sample Performance Metrics

The performance metrics collected below cover well-known financial and non-financial examples used to justify investments. The security manager could look at which of these best suits the value and investment disciplines of the organisation and the nature of the information security initiative.

ROI (Return on Investment)

There are several variations of the ROI equation, given multiple interpretations and applications in different industries. This lack of consistency in the definition of ROI complicates the comparison of ROI values of several projects unless they are calculated on the same basis.

$$\text{ROI} = \frac{\text{Net Benefits}}{\text{Costs}} \times 100\%$$

Definition of Terms:

Net Benefits: Benefits minus costs.

Costs: Initial and recurring (or on-going) costs.

Time Period: The standard ROI equation is usually calculated for the first year of the investment. A one-year time period has become an industry standard since companies seek to recover their investment in the first year of operations of the project. This rule of thumb may not be applicable across organisations but it can give a first estimate of the benefits of a project.

Definition of Terms:

◦ NOPAT: Net operating profit after taxes.

◦ Invested Capital: Initial and recurring (or on-going) costs.

NPV (Net Present Value)

The NPV of a project or investment is defined as the sum of the present values of the annual cash flows minus the initial and subsequent investments. Future values are discounted according to the organisation’s cost of capital and the risk inherent in the investment. NPV is one of the most robust financial evaluation tools to estimate the value of an investment.

Definition of Terms:

Initial Investment: This is the investment made at the beginning of the project. The value is usually negative, since most projects involve an initial cash outflow. The initial investment can include hardware, software licensing fees, and start-up costs.

Cash Flow: The net cash flow for each year of the project: Benefits minus Costs.

Rate of Return (r): The rate of return is calculated by looking at comparable investment alternatives having similar risks. The rate of return is often referred to as the discount, interest, hurdle rate, or company cost of capital. Companies frequently use a standard rate for the project, as they approximate the risk of the project to be on average the risk of the company as a whole.

Time (t): This is the number of years representing the lifetime of the project.

IRR (Internal Rate of Return)

IRR is defined as the discount rate that makes the project have a zero Net Present Value (NPV). IRR is an alternative method of evaluating investments without estimating the discount rate.

The IRR uses the NPV equation as its starting point, but calculating the IRR is done through a trial-and-error process that looks for the Discount Rate that yields an NPV equal to zero, typically accomplished by using the IRR function in a spreadsheet program:

Definition of Terms:

Initial Investment: The investment at the beginning of the project.

Cash Flow: Measure of the actual cash generated by a company or the amount of cash earned after paying all expenses and taxes.

IRR: Internal Rate of Return.

N: Last year of the lifetime of the project.

FCF (Free Cash Flow)

FCF represents the cash that a company is able to generate after laying out the money required to maintain/expand the company’s asset base. Creative accounting can cloud earnings, but it’s tougher to fake cash flow. For this reason, some investors believe that FCF gives a much clearer view of the ability to generate cash (and presumably profits).

There is a risk in focusing short-sightedly on earnings while ignoring the “real” cash that a firm generates. That is why free cash flow is important, because it allows a company to pursue opportunities that enhance shareholder value. Without cash, it’s tough to pursue new opportunities, make acquisitions, pay dividends, reduce debt and so forth.

It is important to note that negative free cash flow is not bad in itself. If free cash flow is negative, it could be a sign that a company is making large investments. If these investments earn a high return, the strategy has the potential to pay off in the long run.

DCF (Discounted Cash Flow)

DCF analysis uses future free cash flow projections and discounts them to arrive at a present value, which is used to evaluate the potential for investment. If the value arrived at through DCF analysis is lower than the current cost of the investment, the opportunity may be good.

Definition of Terms:

◦ CF: Cash flow: net cash flow for each year of the project: Benefits minus Costs

◦ r: Discounted rate (weighted average cost of capital)

Governance Effectiveness (Non-Financial)

This model shows the effectiveness of the investment defined in relative terms to its importance. The maximum score for the investment is 100 and the minimum score is 20, by using the formula below.

The approach is based on asking the senior management team - at least ten managers is recommended as sample population - to answer questions by giving them a score between 1 and 5. Then average the results and look at variation by business units and level of management to meet the stakeholder composition for the investment decision.

Definition of terms:

Q1: How important are the following outcomes of your information security governance, on a scale from 1 (not important) to 5 (very important).

Cost-effective use of information security

Effective use of information security for asset utilisation

Effective use of information security for business flexibility

Effective use of information security for growth

Q2: What is the anticipated influence of the proposed information security investment in your business on the following measures of success, on a scale from 1 (not successful) to 5 (very successful).

Cost-effective use of information security

Effective use of information security for asset utilisation

Effective use of information security for business flexibility

Effective use of information security for growth

The principles for effective governance were originally defined by the Massachusetts Institute of Technology’s Sloan School of Management to measure the effectiveness in IT governance.

TCO (Total Cost of Ownership)

The goal of TCO is to determine a figure that reflects the total cost of the investment, including one-time purchases and recurring costs, not just the initial start-up cost. Because benefits are not considered in TCO, the overall financial analysis is simplified.

Definition of Terms:

One-time Costs: These are the costs that are derived at one stage during the implementation or operation of a project. One-time costs could include personnel training, new processes being introduced that yield a one-time cost, or investment in infrastructure assets.

Recurring Costs: These are costs that continue over time or repeat, for example continuous monitoring of performance.

Project Duration: This is the project lifespan or a standard duration that is used to normalize all the TCO calculations across an enterprise.

EVA (Economic Value Added)

In the field of corporate finance, working capital management is useful to improve a company’s financial performance metrics. Economic value added is a way to determine the value created, above the required return, for the shareholders of a company.

Definition of Terms:

ROSI (Return on Security Investment)

The risk mitigation effects show the benefit of a security investment: it is basically a “savings” in Value-at-Risk; it comes from reducing the risk associated with losing some financial value.

Financial performance measures do not consider security-specific data (such as threats, vulnerability, and risk) as a decision variable. As a vehicle, security managers - striving to find variables to judge the need for a particular investment - have developed different models in the field of cost benefit analyses for information security. The effects are the consideration of risk effects and the ability to integrate those in common accounting concepts.

The Return on Security Investments (ROSI) formula was developed by a team at the University of Idaho led by researcher HuaQiang Wei. They used what they found in the research area of information security investments and combined it with some of their own theories, assigning values to everything from tangible assets to intangible assets.

ROSI = R − ((R − E) + T), or equivalently ROSI = R − ALE, where ALE = (R − E) + T

Definition of Terms:

ALE: What we expect to lose in a year (Annual Loss Expectancy)

R: The cost per year to recover from any number of incidents.

E: These are the financial annual savings gained by mitigating any number of incidents through the introduction of the security solution.

T: The annual cost of the security investment.

ALE-based methodologies are not applicable for every information security investment. This has led security professionals and researchers to develop alternative strategies, as no single approach has yet proven to be suitable for all types of information security investments (Demetz and Bachlechner, 2012; Xie and Mead, 2004).

Source: Banking, Finance, and Accounting: Concepts, Methodologies, Tools, and Applications. IGI Global, 2014. 1593 p.