Economic View on Assessing Cyber Security Investments

draft n.w
1 / 24
Embed
Share

Explore the economic perspective on evaluating cyber security investments, covering basic finance skills, decision-making frameworks, case studies, and the shift towards viewing cyber security as a critical business decision. Learn about NPV, VaR, and challenges in applying traditional economic models to cyber security decisions.

  • Cyber Security
  • Finance Skills
  • Investment Decisions
  • Economic View
  • Business Risk
rayaanacharya
crum_y Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. DRAFT ASSESSING CYBER SECURITY INVESTMENT OPTIONS: AN ECONOMIC VIEW Xian Sun Assistant Professor in Finance Carey Business School Johns Hopkins University 0

  2. MODULEOUTLINE Basic finance skills in decision making: Time value of money Net Present Value Free Cash Flows Decision making framework in cyber security investment projects: Benefits Costs Value-at-Risk model Case study: 2013 Target data breach Identify the costs of 2013 Target data breach and benefits of its cyber investment. DRAFT 1

  3. OVERVIEW Firms should undertake a project when and only when it creates value. The challenges in evaluating cyber securities projects are that their incremental values have uncertainties and therefore are hard to measure economically. This module is designed to introduce the basic finance skills and framework used in decision making, apply the framework to a real world case and discuss what a traditional financial framework can do for security spending decisions. DRAFT 2

  4. LEARNINGOBJECTIVES Introduce time value of money; Understand how to use NPV (net present value) rule to make investment decisions; Introduce the benefits and costs associated with cyber security investment decisions; Learn VaR (Value-at-risk) and its application in cyber security investment decision making; Apply the benefit-cost framework to a real world cyber event; Discuss the challenges in applying a traditional economic model in cyber security decisions. DRAFT 3

  5. SHIFTIN CYBERSECURITYINVESTMENT DECISIONSFROMTECHNICALRISKTOBUSINESS RISK More companies treat cyber security as critical business decisions. Currently, about 10% of U.S. CISOs (chief information security officers) report to CFOs (chief financial officers) instead of to CIOs (chief information officers) and the percentage is increasing (Source: WSJ). CFOs make cyber security decisions using the same approach they use across other risk domains. Their focus is on how cyber investments impact the bottom line by preventing losses due to risks, or increasing revenue , Steven Grossman, VP of Bay Dynamics. DRAFT 4

  6. BASIC FINANCE SKILLSIN DECISION MAKING_TIMEVALUEOFMONEY Time value of money Financial decisions often require combining cash flows or comparing values. We use interest rate to move money forward or backward in time. DRAFT 5

  7. THE 1ST RULEOF TIME TRAVEL A dollar today and a dollar in one year are not equivalent. DRAFT It is only possible to compare or combine values at the same point in time. Which would you prefer: A gift of $1,000 today or $1,210 at a later date? To answer this, you will have to compare the alternatives to decide which is worth more. One factor to consider: How long is later? 6

  8. THE 2ND RULEOF TIME TRAVEL To move a cash flow forward in time, you must compound it. DRAFT Suppose you have a choice between receiving $1,000 today or $1,210 in two years. You believe you can earn 10% on the $1,000 today, but want to know what the $1,000 will be worth in two years. FV = C * (1+r)n 7

  9. THE 3RD RULEOF TIME TRAVEL To move a cash flow backward in time, we must discount it. DRAFT Present Value of a Cash Flow C = + = n C (1 ) r (1 PV + n ) r 8

  10. BASIC FINANCE SKILLSIN DECISION MAKING_NETPRESENTVALUE Calculating the NPV of future cash flows allows us to evaluate an investment decision. Net Present Value compares the present value of cash inflows (benefits) to the present value of cash outflows (costs). DRAFT NPV = PV (all cash flows from the project) = PV (Benefits) PV (Costs) Only projects with positive NPV will be accepted. 9

  11. BASIC FINANCE SKILLSIN DECISION MAKING_NPV RULES When evaluating the cash flows related with a project, only the incremental earnings should matter. Incremental Earnings The amount by which the firm s earnings are expected to change as a result of the investment decision. DRAFT 10

  12. EXAMPLESOFINCREMENTALCASHFLOWS Opportunity Cost :The value a resource could have provided in its best alternative use. For example, if an equipment will be housed in an existing lab, the opportunity cost of not using the space in an alternative way (e.g., renting it out) must be considered. DRAFT Project Externalities : Indirect effects of the project that may affect the profits of other business activities of the firm. Cannibalization is when sales of a new product displaces sales of an existing product. 11

  13. EXAMPLESOFCASHFLOWS NOTINCLUDEDIN INVESTMENTDECISIONMAKING Sunk costs are costs that have been or will be paid regardless of the decision whether or not the investment is undertaken. Sunk costs should not be included in the incremental earnings analysis. DRAFT Fixed Overhead Expenses: Typically overhead costs are fixed and not incremental to the project and should not be included in the calculation of incremental earnings. 12

  14. BASIC FINANCE SKILLSIN DECISION MAKING_NPV ANDFREECASHFLOWS Therefore, what really matters in any investment decision is the amount of the incremental cash flows created by a project, or it is also referred to as free cash flow. DRAFT 13

  15. ILLUSTRATEFREECASHFLOWSINCYBER SECURITYSPENDING The free cash flow concept helps us value cyber security investment. For example, even if a cyber security project that requires initial investment but does not create cash inflows at all, the NPV analysis may still yield positive value if the cyber project reduces the existing cost of cyber breaches. The reduction in the existing cost create incremental value to the firm by releasing resources that would have been consumed without undertaking the cyber project. DRAFT 14

  16. UNDERSTANDINGTHE BENEFITSAND COSTSOFCYBERSECURITYPROJECTS Benefits: Direct: Reduced opportunity costs (positive incremental value): the investment in cyber security reduce the existing cost of cyber breaches. Stability of the operating system and avoid loss from system downtime. Indirect: Stronger partnership with suppliers. Attract more customers. Increase the value of the whole value chain. More sympathy from shareholders at the event of a cyber security attack. DRAFT 15

  17. UNDERSTANDINGTHE BENEFITSAND COSTSOFCYBERSECURITYPROJECTS Costs: Direct Costs: investment in systems, training employees and/or outsourcing Indirect costs in the event of cyber security concerns: Legal penalties; Loss of customers; Loss of partnerships/suppliers; Impair firm reputation and stock value slides; Spillover effects that impacts the future prospect of the whole industry. DRAFT 16

  18. INDIRECTCOSTS Note that both the indirect benefits costs may depend on the likelihood of a cyber security event, which may be inversely impacted by the amount directly invested in cyber security. Therefore, firms need to allocate resources between these two options: one requires to sacrifice resources now, and one requires later. The supplementary relationship between spending now or later may be magnified or moderated by broader factors, such as the industry vulnerability to cyber security events, the advances of information technology at industry level, the connectedness among the firms in the industry. DRAFT 17

  19. EVALUATINGCYBERSECURITY INVESTMENTBYVALUE-AT-RISKAPPROACH VaR (Value-at-risk) is a prevalent risk management framework in financial industries where firms simulate a distribution of returns on certain assets/investments and measure the left tail risk (negative returns). Because of the particular uncertain outcome of cyber security project, VaR helps us understand the incremental effect of cyber projects on firm s existing risk. Again, it is the incremental effect on the current risk management that matters. That is, does cyber project improve the left tail risk and by how much. DRAFT 18

  20. VAR VaR analysis would provide a good idea of the estimated economic losses given the occurrence and therefore suggest the cushion needed to cover the estimated losses or certain amount of the unexpected losses. More and more U.S. CFOs who undertake the role of supervising cyber security investment decisions have started adopting VaR approach in estimating the occurrence of such negative events and the dollar amount at stake upon the occurrence. DRAFT 19

  21. LIMITATIONSOF VAR METHOD The estimation of the distribution of possible losses is data driven. It would be difficult to generate a meaningful VaR analysis with sparse data availability. The distribution estimated using historical data may not be a good indicator for future possible losses. Both concerns may magnify when applying to cyber security events. DRAFT 20

  22. APPLYTHEBENEFIT-COSTFRAMEWORKTO AREALWORLDCYBEREVENT Target 2013 Data Breach In 2013, Target Corporation s (Target) security and payment system was breached, compromising 40 million credit and debit card numbers, along with 70 million addresses, phone numbers and other personal information. Read the provided Target packages about the articles of Target data breach and summarize the costs of the 2013 data breach and all the benefits of Target s reaction to make new investment in cyber security. DRAFT 21

  23. SUGGESTEDSUMMARYOFBENEFITSAND COSTS Available to students after class discussion DRAFT 22

  24. DRAFT DISCUSSTHECHALLENGESINAPPLYINGA TRADITIONALECONOMICMODELINCYBER SECURITYDECISIONS. 23

Related


Industrial Cybersecurity Market Worth $49.53 Billion by 2030

Industrial Cybersecurity Market Worth $49.53 Billion by 2030

RAJUL
University of Glasgow Finance Department Organizational Structure

University of Glasgow Finance Department Organizational Structure

alaric
Infrastructure Financing Options and Principles

Infrastructure Financing Options and Principles

nash
Cybersecurity Career Path Overview

Cybersecurity Career Path Overview

rusty
Legal Infrastructure for Asset Finance in Civil Law Jurisdictions

Legal Infrastructure for Asset Finance in Civil Law Jurisdictions

viraj
Comprehensive Airport Cybersecurity Quick Guide and Assessment Tool

Comprehensive Airport Cybersecurity Quick Guide and Assessment Tool

emmitt
Behavioral Finance in

Behavioral Finance in "Finance for Normal People

vlad
Ensuring Business Security: Cybersecurity Webinar Insights

Ensuring Business Security: Cybersecurity Webinar Insights

amelia
Cybersecurity and Personal Finance: A Tale of Appily Ever After

Cybersecurity and Personal Finance: A Tale of Appily Ever After

elspeth
Green Finance: Understanding Financial Solutions for Sustainable Projects

Green Finance: Understanding Financial Solutions for Sustainable Projects

highfield_v
Workshop on Cybersecurity Professionalism & Ethics

Workshop on Cybersecurity Professionalism & Ethics

acke_ddy
Cybersecurity Workforce Management: Engage, Empower, Elevate

Cybersecurity Workforce Management: Engage, Empower, Elevate

dena835
Cybersecurity and Computer Science Education Projects at UH Maui College

Cybersecurity and Computer Science Education Projects at UH Maui College

karm_14
Jack and the Giant Digital Footprint - Cybersecurity and Personal Finance

Jack and the Giant Digital Footprint - Cybersecurity and Personal Finance

kati_32
Shovel-Ready Projects Initiative for Cybersecurity Innovation in Canada

Shovel-Ready Projects Initiative for Cybersecurity Innovation in Canada

aberm
Enhancing Cybersecurity for Improved Insurability and Risk Management

Enhancing Cybersecurity for Improved Insurability and Risk Management

trac_745
Interactive Presentation Slides Showcase

Interactive Presentation Slides Showcase

touchstone_a
Ethics in Cybersecurity: Evolution, Challenges, and Solutions

Ethics in Cybersecurity: Evolution, Challenges, and Solutions

kdett
IRIS H2020 Project - Enhancing Cybersecurity for SMART CITIES

IRIS H2020 Project - Enhancing Cybersecurity for SMART CITIES

airt550
Defense Industrial Base (DIB) Cybersecurity Training Overview

Defense Industrial Base (DIB) Cybersecurity Training Overview

xayl_3
Cybersecurity Strategy in Japan - Roles of NISC and Basic Act Overview

Cybersecurity Strategy in Japan - Roles of NISC and Basic Act Overview

athie
CYBEX - Cybersecurity Information Exchange Techniques

CYBEX - Cybersecurity Information Exchange Techniques

mkas

More Related Content