Investments for Information Security: An Evaluation

Finance Effects on Security

Return on security investments (ROSI) is becoming increasingly popular for measuring the cost-benefit aspect of information security investments, but it has led to some confusion and misuse (Gordon, 2002). Information security breaches are a growing concern for businesses. Organizations are spending large sums to protect the confidentiality, integrity, and availability of information, and CFOs are demanding rational economic approaches to these expenditures.

There are several myths concerning the ROSI measure. Some say that the accounting return on investment (ROI) is appropriate for evaluating information security investments. In reality, the economic rate of return, or internal rate of return (IRR), is more appropriate: ROI is based on historical (ex post) accrual figures and undiscounted cash flows, whereas IRR is based on future (ex ante) risk-adjusted discounted cash flows. In evaluating investments for information security, future risk-adjusted discounted cash flow is the more appropriate measure.

Some believe that maximizing IRR on information security investments is appropriate, on the assumption that the higher the internal rate of return, the better the firm is doing. In reality, net present value (NPV) is the more appropriate criterion, because it measures the net present benefit itself, and that is what should be maximized. For example, suppose the estimated security breach loss is $2 million in the first year and $800,000 in the second year. The amounts are derived by multiplying the dollar value associated
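The following is an added example, not part of the essay, that carries the IRR-versus-NPV argument through in code. It evaluates two constructed candidate controls: the cash flows, the assumption that control "B" halves the essay's $2,000,000 and $800,000 expected breach losses, and the 10% risk-adjusted discount rate are all assumptions, not figures from the essay.

```python
"""NPV versus IRR for candidate information-security investments.

Added example. Cash flows are constructed: a negative cost today, then the
expected breach loss avoided at the end of each year.
"""
from typing import List


def npv(rate: float, cashflows: List[float]) -> float:
    """Net present value; cashflows[t] occurs at the end of year t (t=0 is today)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cashflows))


def irr(cashflows: List[float], lo: float = -0.99, hi: float = 10.0) -> float:
    """Internal rate of return by bisection: the discount rate at which NPV is zero.

    Assumes a conventional project (one outflow, then inflows), so there is
    exactly one root in (lo, hi). Raises if NPV does not change sign on the bracket.
    """
    f_lo = npv(lo, cashflows)
    if f_lo * npv(hi, cashflows) > 0:
        raise ValueError("NPV does not change sign on the bracket; IRR undefined")
    for _ in range(200):  # interval width shrinks far below double precision
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cashflows)
        if f_lo * f_mid < 0:
            hi = mid            # root lies between lo and mid
        else:
            lo, f_lo = mid, f_mid  # root lies between mid and hi
    return (lo + hi) / 2.0


# Constructed candidates (assumptions). "A": a cheap control with a small benefit.
# "B": a broader control assumed to halve the essay's $2,000,000 (year 1) and
# $800,000 (year 2) expected breach losses.
CANDIDATES = {
    "A": [-100_000.0, 150_000.0, 0.0],
    "B": [-1_000_000.0, 1_000_000.0, 400_000.0],
}
DISCOUNT_RATE = 0.10  # assumed risk-adjusted cost of capital


def best_by_irr() -> str:
    return max(CANDIDATES, key=lambda k: irr(CANDIDATES[k]))


def best_by_npv(rate: float = DISCOUNT_RATE) -> str:
    return max(CANDIDATES, key=lambda k: npv(rate, CANDIDATES[k]))


if __name__ == "__main__":
    for name, cfs in CANDIDATES.items():
        print(f"{name}: IRR={irr(cfs):.1%}  NPV@{DISCOUNT_RATE:.0%}=${npv(DISCOUNT_RATE, cfs):,.0f}")
    print("highest IRR:", best_by_irr(), "| highest NPV:", best_by_npv())
```

Control A wins on IRR (50% against about 30.6%) while B wins on NPV (about $239,669 against $36,364), which is the ranking reversal the essay warns about when IRR rather than NPV is maximized.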