Economic View on Assessing Cyber Security Investments

Explore the economic perspective on evaluating cyber security investments, covering basic finance skills, decision-making frameworks, case studies, and the shift towards viewing cyber security as a critical business decision. Learn about NPV, VaR, and challenges in applying traditional economic models to cyber security decisions.

  • Cyber Security
  • Finance Skills
  • Investment Decisions
  • Economic View
  • Business Risk


Presentation Transcript


  1. ASSESSING CYBER SECURITY INVESTMENT OPTIONS: AN ECONOMIC VIEW (DRAFT) Xian Sun, Assistant Professor in Finance, Carey Business School, Johns Hopkins University

  2. MODULE OUTLINE Basic finance skills in decision making: time value of money, net present value, free cash flows. Decision making framework in cyber security investment projects: benefits, costs, Value-at-Risk model. Case study: 2013 Target data breach. Identify the costs of the 2013 Target data breach and the benefits of its cyber investment.

  3. OVERVIEW Firms should undertake a project when and only when it creates value. The challenge in evaluating cyber security projects is that their incremental value is uncertain and therefore hard to measure economically. This module is designed to introduce the basic finance skills and framework used in decision making, apply the framework to a real-world case, and discuss what a traditional financial framework can do for security spending decisions.

  4. LEARNING OBJECTIVES Introduce the time value of money; understand how to use the NPV (net present value) rule to make investment decisions; introduce the benefits and costs associated with cyber security investment decisions; learn VaR (Value-at-Risk) and its application in cyber security investment decision making; apply the benefit-cost framework to a real-world cyber event; discuss the challenges in applying a traditional economic model to cyber security decisions.

  5. SHIFT IN CYBER SECURITY INVESTMENT DECISIONS FROM TECHNICAL RISK TO BUSINESS RISK More companies treat cyber security as a critical business decision. Currently, about 10% of U.S. CISOs (chief information security officers) report to CFOs (chief financial officers) instead of to CIOs (chief information officers), and the percentage is increasing (Source: WSJ). CFOs make cyber security decisions using the same approach they use across other risk domains. Their focus is on how cyber investments impact the bottom line by preventing losses due to risks, or increasing revenue (Steven Grossman, VP of Bay Dynamics).

  6. BASIC FINANCE SKILLS IN DECISION MAKING: TIME VALUE OF MONEY Financial decisions often require combining cash flows or comparing values. We use the interest rate to move money forward or backward in time.

  7. THE 1ST RULE OF TIME TRAVEL A dollar today and a dollar in one year are not equivalent. It is only possible to compare or combine values at the same point in time. Which would you prefer: a gift of $1,000 today or $1,210 at a later date? To answer this, you will have to compare the alternatives to decide which is worth more. One factor to consider: how long is "later"?

  8. THE 2ND RULE OF TIME TRAVEL To move a cash flow forward in time, you must compound it. Suppose you have a choice between receiving $1,000 today or $1,210 in two years. You believe you can earn 10% on the $1,000 today, but want to know what the $1,000 will be worth in two years. $FV = C \times (1+r)^n$

  9. THE 3RD RULE OF TIME TRAVEL To move a cash flow backward in time, we must discount it. Present value of a cash flow: $PV = C \div (1+r)^n = \dfrac{C}{(1+r)^n}$

  10. BASIC FINANCE SKILLS IN DECISION MAKING: NET PRESENT VALUE Calculating the NPV of future cash flows allows us to evaluate an investment decision. Net Present Value compares the present value of cash inflows (benefits) to the present value of cash outflows (costs). NPV = PV(all cash flows from the project) = PV(Benefits) − PV(Costs). Only projects with positive NPV will be accepted.

  11. BASIC FINANCE SKILLS IN DECISION MAKING: NPV RULES When evaluating the cash flows related to a project, only the incremental earnings should matter. Incremental earnings: the amount by which the firm's earnings are expected to change as a result of the investment decision.

  12. EXAMPLES OF INCREMENTAL CASH FLOWS Opportunity cost: the value a resource could have provided in its best alternative use. For example, if a piece of equipment will be housed in an existing lab, the opportunity cost of not using the space in an alternative way (e.g., renting it out) must be considered. Project externalities: indirect effects of the project that may affect the profits of other business activities of the firm. Cannibalization is when sales of a new product displace sales of an existing product.

  13. EXAMPLES OF CASH FLOWS NOT INCLUDED IN INVESTMENT DECISION MAKING Sunk costs: costs that have been or will be paid regardless of whether or not the investment is undertaken. Sunk costs should not be included in the incremental earnings analysis. Fixed overhead expenses: overhead costs are typically fixed and not incremental to the project, and should not be included in the calculation of incremental earnings.

  14. BASIC FINANCE SKILLS IN DECISION MAKING: NPV AND FREE CASH FLOWS Therefore, what really matters in any investment decision is the amount of the incremental cash flows created by a project, also referred to as free cash flow.

  15. ILLUSTRATE FREE CASH FLOWS IN CYBER SECURITY SPENDING The free cash flow concept helps us value cyber security investment. For example, even if a cyber security project requires an initial investment and creates no cash inflows at all, the NPV analysis may still yield a positive value if the cyber project reduces the existing cost of cyber breaches. The reduction in the existing cost creates incremental value for the firm by releasing resources that would have been consumed without undertaking the cyber project.

  16. UNDERSTANDING THE BENEFITS AND COSTS OF CYBER SECURITY PROJECTS Benefits. Direct: reduced opportunity costs (positive incremental value), because the investment in cyber security reduces the existing cost of cyber breaches; stability of the operating system and avoided losses from system downtime. Indirect: stronger partnerships with suppliers; attracting more customers; increasing the value of the whole value chain; more sympathy from shareholders in the event of a cyber security attack.

  17. UNDERSTANDING THE BENEFITS AND COSTS OF CYBER SECURITY PROJECTS Costs. Direct costs: investment in systems, training employees and/or outsourcing. Indirect costs in the event of cyber security concerns: legal penalties; loss of customers; loss of partnerships/suppliers; impaired firm reputation and a slide in stock value; spillover effects that impact the future prospects of the whole industry.

  18. INDIRECT COSTS Note that both the indirect benefits and the indirect costs may depend on the likelihood of a cyber security event, which may be inversely impacted by the amount directly invested in cyber security. Therefore, firms need to allocate resources between these two options: one requires sacrificing resources now, the other requires sacrificing them later. The supplementary relationship between spending now or later may be magnified or moderated by broader factors, such as the industry's vulnerability to cyber security events, the advances of information technology at the industry level, and the connectedness among the firms in the industry.

  19. EVALUATING CYBER SECURITY INVESTMENT BY THE VALUE-AT-RISK APPROACH VaR (Value-at-Risk) is a prevalent risk management framework in financial industries, where firms simulate a distribution of returns on certain assets/investments and measure the left tail risk (negative returns). Because the outcome of a cyber security project is particularly uncertain, VaR helps us understand the incremental effect of cyber projects on the firm's existing risk. Again, it is the incremental effect on the current risk management that matters. That is, does the cyber project improve the left tail risk, and by how much?

  20. VAR VaR analysis would provide a good idea of the estimated economic losses given the occurrence, and therefore suggest the cushion needed to cover the estimated losses or a certain amount of the unexpected losses. More and more U.S. CFOs who undertake the role of supervising cyber security investment decisions have started adopting the VaR approach in estimating the occurrence of such negative events and the dollar amount at stake upon the occurrence.

  21. LIMITATIONS OF THE VAR METHOD The estimation of the distribution of possible losses is data driven. It would be difficult to generate a meaningful VaR analysis with sparse data availability. The distribution estimated using historical data may not be a good indicator of future possible losses. Both concerns may be magnified when applied to cyber security events.

  22. APPLY THE BENEFIT-COST FRAMEWORK TO A REAL-WORLD CYBER EVENT Target 2013 Data Breach: In 2013, Target Corporation's (Target) security and payment system was breached, compromising 40 million credit and debit card numbers, along with 70 million addresses, phone numbers and other personal information. Read the provided Target package of articles about the Target data breach and summarize the costs of the 2013 data breach and all the benefits of Target's reaction of making new investment in cyber security.

  23. SUGGESTED SUMMARY OF BENEFITS AND COSTS Available to students after class discussion.

  24. DISCUSS THE CHALLENGES IN APPLYING A TRADITIONAL ECONOMIC MODEL IN CYBER SECURITY DECISIONS.
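
As an added worked example (not part of the original slides), the following Python code combines the NPV rule and free cash flow idea from slides 10 to 15 with the VaR approach from slides 19 and 20: it simulates annual breach losses with and without a control, then reports the project's NPV and the change in the 95% tail loss. All inputs (breach probabilities, lognormal loss severity, costs in $ millions, the 10% discount rate) and all function names are constructed assumptions.

```python
import math
import random

def npv(rate, cash_flows):
    """NPV rule from the slides: cash_flows[t] arrives at the end of year t (t=0 is today)."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))

def simulate_annual_losses(p_breach, median_loss, sigma, trials, seed):
    """One simulated year per trial: a breach happens with probability p_breach and,
    if it does, costs a lognormal amount (the distribution choice is an assumption)."""
    rng = random.Random(seed)
    mu = math.log(median_loss)
    losses = []
    for _ in range(trials):
        u, severity = rng.random(), rng.lognormvariate(mu, sigma)
        losses.append(severity if u < p_breach else 0.0)
    return losses

def value_at_risk(losses, confidence):
    """Loss not exceeded in `confidence` of the simulated years (the tail cut-off)."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(confidence * len(ordered)))]

def evaluate_project(p_before, p_after, initial_cost, annual_cost, years, rate,
                     median_loss=2.0, sigma=1.0, trials=50_000, seed=7):
    """Incremental effect of a control that lowers the yearly breach probability.
    The same seed is reused so both scenarios face identical simulated years."""
    before = simulate_annual_losses(p_before, median_loss, sigma, trials, seed)
    after = simulate_annual_losses(p_after, median_loss, sigma, trials, seed)
    avoided = (sum(before) - sum(after)) / trials  # expected loss avoided per year
    # Free cash flows: pay up front, then each year gain the avoided loss net of upkeep.
    flows = [-initial_cost] + [avoided - annual_cost] * years
    return {
        "expected_loss_avoided": avoided,
        "npv": npv(rate, flows),
        "var95_before": value_at_risk(before, 0.95),
        "var95_after": value_at_risk(after, 0.95),
    }

if __name__ == "__main__":
    # Constructed inputs, in $ millions: breach probability 30% -> 10% per year,
    # 1.0 up front, 0.2 per year to operate, 5-year horizon, 10% discount rate.
    result = evaluate_project(0.30, 0.10, 1.0, 0.2, 5, 0.10)
    for name, value in result.items():
        print(f"{name}: {value:.2f}")
```

The project generates no cash inflows of its own; its NPV comes entirely from the avoided expected loss, and the gap between the two VaR figures is the improvement in left tail risk that slide 19 asks about.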
