Computer Crime Research Center

Economics of Cybercrime

Date: April 30, 2004
Source: Computer Crime Research Center
By: Lawrence Gordon, Robert Richardson

We asked Lawrence A. Gordon, a renowned economics professor, and Robert Richardson, editorial director at our sister organization Computer Security Institute and a former systems developer and WAN manager, to explore the subject of information security from an economics angle. The goal: To help information security managers build their business credibility by demonstrating how the rules and measurements of financial economics affect infosec budgets and investments.

As any victim of a significant information security attack will tell you, there's a financial dimension to cybercrime. And those companies intent on not being victimized must pay a hefty price, too: Security measures are costly, and so are the salaries of the IT professionals who manage them.

Unfortunately, relatively little attention has been paid to economics, and to the applied financial practices that grow out of economics, when it comes to information security. In 2003, the annual CSI/FBI Computer Crime and Security Survey reported average losses per respondent of about $800,000. In fact, the real headline should be that even those loss totals don't do justice to the magnitude of information security crime and related costs. (See "The True Cost of Cybercrime" for economist Martin P. Loeb's reckoning of indirect costs and their impact.)

Infosec managers trying to justify budget requests sometimes prop themselves up on a discussion of ROI (return on investment), but with mixed results. After all, what's the return on a firewall investment? And they don't use capital budgeting calculations, such as NPV (net present value) and IRR (internal rate of return), to defend investments in information security infrastructure. However, CFOs use these calculations regularly and expect department heads to refer to them when competing for funds, so it behooves security pros to join their peers in other departments who already talk the talk.

Learning the Lingo

"I go to security conferences where we all sit around puzzling about what kind of metrics to use for measuring the results of security programs," says Adam Stone, an analyst who specializes in security management for the financial services industry. "The metrics we have right now--the ones we use for assessing vulnerability and measuring the effectiveness of our investments--are all based on subjective judgments. They're fundamentally flawed. But there are financial, statistical, economics and securities professionals who deal with these kinds of uncertainties all the time, with methods that allow them to predict and measure business effectiveness in a rational way. We can learn from them."

The situation reflects the relative immaturity of the infosec industry, Stone adds. "People in information security are often technicians--gearheads," he says. "Very few of us have come up through the ranks of accounting or financial management, so we don't think in those terms."

Of course, it's not entirely true that security professionals never think in the same terms as financial officers. The information security manager at a Fortune 100 corporation, for instance, has implemented a program to measure rates of return on the company's IPS (intrusion-prevention system), including a checklist of costs incurred to address problems flagged by the system.

Oracle took a similar approach when it wanted to replace a data center IPS. "We did an analysis of how many alerts we got, how many people it took to run those alerts down and how many of those [alerts] were false positives," says Mary Ann Davidson, chief security officer at Oracle. "For the IDS we had in place, we got something like 80,000 alerts a week, and the false-positive rate was 60 percent to 70 percent. We looked at that versus the system we were piloting, where we found we had far fewer alerts and the ones we got were higher quality. So we said, how many people would we have to hire to make sense of the system we had? It turned out to cost a lot less to replace the system right away."

"Economics--not technology--determines what security technologies get used," says Bruce Schneier, security expert and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World (Copernicus Books, 2003). "These days, I feel like I do more economics than computer security."

But when it comes to recognizing the benefits of mixing firewalls with financial forecasts, the economists have taken the lead. In the past few years, there's been a growing stream of work by financial economists who apply capital budgeting and investment theory to business information security investments. It's a tantalizing subject for academics because of the paradox at the core: The more successful your security investments, the less visible and less measurable your results.

ROI (or bang for the buck) can't be applied perfectly to information security because often the return on information security purchases and deployments is intangible. Sure, companies invest in some solutions that offer benefits beyond security--faster network throughput in a new router that supports VPNs, for example--and they can calculate the ROI of these indirect benefits. But security requires factoring in the expectation of loss. Statistically, some losses are expensive but unlikely to occur in any given year, for instance, so the expectation of loss over a period of years has to include years in which there is no loss.

Furthermore, the accounting-based notion of ROI doesn't take into account that great chestnut of economic theory, the "time value" of money. Money that one has in hand and can invest now is worth more than money to be received later, due to the loss resulting from the chance to invest that money during the waiting period. In terms of savings expected by not suffering cybercrime losses, the longer the wait before saving that money, the less that money is worth. Indeed, to make good decisions about those future savings now, those savings must be discounted based on the time it takes to realize them.

It's a two-way street, too. Costs incurred when implementing a security measure have a lower present value if they can be held off until a future time. That's because that money can be invested in other ways now.

Which brings us to NPV. To consider an investment's real worth over time, the discounted totals of all the expected savings are subtracted from the costs associated with the investment over time (also discounted). What's left is the NPV. The fundamental insight of NPV is that the later the costs savings from not suffering cybercrimes, the less the cost savings add up to. At the same time, the sooner the investment in cybersecurity, the more it costs.

Real-World Numbers

There's nothing hypothetical about the applicability of these metrics to security budgeting. In fact, a growing number of IT professionals are starting to use NPV to quantify the benefits of their security expenditures, according to a forthcoming study of information security managers by Gordon and Loeb. About one-third of the respondents say NPV and other economic metrics are becoming important factors in weighing the costs and benefits of security investments. Anecdotally, too, we see many CFOs starting to require such analyses from infosec managers just as they do from other department heads.

Finding the NPV of a particular security investment--a firewall, for example--starts with estimating the useful life of the purchase. Then calculate all related costs and benefits, including the initial capital outlay. Finally, discount future costs and benefits according to the time frame in which they occur.

Say a company needs additional security and figures the cost savings (benefits) to be derived from the extra security will be the same for different security options--different firewall configurations, for instance. In this case, it makes sense to choose the configuration that costs the least. However, in comparing costs of the various options, it's the present value of the costs that should be the key concern. Consider two options, each with a total cost of $400,000, in absolute terms over two years. Option A would cost $300,000 at the end of the first year (due to a large capital outlay the first year) and $100,000 at the end of the second year. Option B, on the other hand, would cost $200,000 at the end of each of the two years. Obviously, Option A is more costly when accounting for the time value of money, so Option B is preferable. Now, assuming a 10 percent discount rate, Option A would cost $355,372 and Option B would cost $347,107. And if the present value of the benefits happened to be $350,000, Option B is the only option that would be justified on economic grounds, because it would have a positive NPV of $2,893, whereas Option A would have a $5,372 negative NPV.

This clearly demonstrates the benefit of considering the time value of money when evaluating information security alternatives--simply comparing the absolute dollars of benefits with costs won't suffice. In fact, it's possible for an investment to look worse under an NPV model than under a simple accounting-based ROI computation. Of course, the reverse may also be true, especially for projects that provide more than one year of benefits.

In short, NPV compares apples with apples over the entire life of an investment, whereas ROI and similar concepts are based on an accrual system of accounting and are short-term in focus. There are other ways around potential ROI limitations. One way is to think in terms of IRR, which is a time-adjusted rate of return. However, maximizing a company's IRR isn't consistent...
Original article

Add comment  Email to a Friend

Discussion is closed - view comments archieve
2009-07-13 03:30:45 - marjan
2004-05-14 17:56:55 - I do agree the writer but one thing one... Naboro Harriet
2004-05-03 15:12:12 - I have found the article very interesting... Anthony C. Wright
Total 3 comments
Copyright © 2001-2013 Computer Crime Research Center
CCRC logo