
Economic and financial analysis of investments in information security

Zvonko Čapko (1), Saša Aksentijević (2), Edvard Tijan (3)

(1) University of Rijeka, Faculty of Economics
Ivana Filipovića 4, Rijeka, Croatia
Tel: +385 51 35 51 52 Fax: +385 212 268 E-mail: zvonko.capko@efri.hr
(2) Aksentijević Forensics and Consulting, Ltd.
Gornji Sroki 125a, Viškovo, Croatia
Tel: +385 51 65 17 00 Fax: +385 51 65 17 81 E-mail: axy@vip.hr
(3) University of Rijeka, Faculty of Maritime Studies
Studentska 2, 51000 Rijeka, Croatia
Tel: +385 51 33 84 11 Fax: +385 51 33 67 55 E-mail: etijan@pfri.hr


Abstract - The paper analyzes information security investments from both the economic and the
financial point of view. The authors investigate the special characteristics of information security
investments and the difficulties that appear when determining the input parameters of the economic
analysis. Challenges in applying the internal rate of return method are also analyzed. The constructed
model of cash flow analysis of information security solution investments shows that the net present
value, the internal rate of return and the return on capital can be calculated with such an approach.


I. INTRODUCTION
Within the usual paradigm of business financing, the
investment value of assets (which are owned or controlled
by an enterprise and which produce certain revenue) is
evaluated against the related costs (for example,
maintenance, or procurement of raw materials). Assets are
usually divided into material assets (machinery, buildings),
non-material assets (patents, software, goodwill) and a
special form of assets capable of intrinsic reproduction,
called financial assets.

One of the tools most often used by financial managers is
determining whether the Net Present Value of assets is
positive by using the marginal capital cost, relevant for a
certain type of business or certain type of entrepreneurial
undertaking.

Information Security Management Systems (ISMS), technically speaking, consist of the following four
components, organized in a hierarchical manner:
1. Organizational forms ensuring compliance with legal regulations,
2. Organizational information policy, i.e. the knowledge of users and management regarding the
functioning and management of an ISMS, resulting in adequate application of risk removal techniques
using hardware, software and orgware, often formalized by security certification (e.g. ISO 27001:2005),
3. Computer hardware (servers, switches, computers, network devices, routers),
4. Computer software and applications.

The relation between the above mentioned components is
shown in Figure 1.

Figure 1. Interaction between different solutions used to achieve the goals of information security
Source: authors


All of the above mentioned components carry a certain level of cost, and there is a high level of
substitutability between solutions, i.e. in whether a solution is treated as a capital investment or as
an operating cost. Almost all modern ICT solutions, especially in complex corporate environments, can be
obtained in a form which can be considered either an investment or an operating cost [1]. For example,
instead of purchasing computer applications, they can be rented or leased under a SaaS (Software as a
Service) model. Instead of purchasing computer hardware, it can be rented or leased as a cloud service.
Several issues can be identified when tackling the difficult choice between investing in own
information security assets and leasing the solution:
MIPRO 2014/DE-GLGPS 1767
1. On a technical level, such divergence of possible
solutions could create problems in terms of constant
demands for additional education, arising from
quickly changing technologies.

2. On an economic level, the total investment cost can
further be obscured.

3. On an operative level, a whole set of additional costs
exist, related to the setup and functioning of ISMS
(application costs, ICT infrastructure etc.).
Furthermore, other costs related to information security
can occur in enterprises, addressing the technical
disciplines, such as the cost of training the personnel which
implement information security technologies, the cost of
training the employees for using the new technologies, etc.
In terms of capital investments, the basic investment forms
are related to security hardware, software, security
telecommunication solutions, investments in ICT
infrastructure, security studies and organizational blueprint
implementations (among them also the applications of best
practice models of ICT security).
The scope of this paper is limited to the evaluation of the specific characteristics of an investment
in an ISMS, when such an investment is part of the enterprise's capital budgeting activity.

II. DIFFICULTIES IN DETERMINING THE
INPUT PARAMETERS OF ECONOMIC
ANALYSIS

When moving away from technical, technological and
organizational aspects of ISMS and when approaching the
investment aspect of such systems, a number of difficulties
can arise when trying to determine the input parameters of
financial analysis [2]. Some of the difficulties can be
identified as follows:

1. The decisions about ISMS investments depend
upon the risk assessment as a professional/specialist
activity [3]. Practical risk assessment of information
security is generally void of quantitative financial
indicators, and is usually based on experiential
assessment of the probability of unwanted
occurrences and their impact on business [4],
without quantifying possible damages. Risk
assessment is an abstract technical assessment,
providing the indicators which guide information
security experts towards the fields which should be
taken into special consideration in order to achieve
the set business goals of information security [5].
Paradoxically, because of the lack of detailed financial analysis (apart from the basic cost
analysis), the management that decides on investments (without possessing the specific technical
knowledge) often shows aversion towards ISMS investments and implicitly accepts unreasonably high
levels of risk [6]. The reverse scenario, overinvesting in ISMS, is also possible.
This specific situation results from the traditional
separation of information security, control and risk
management processes from the corporate ICT
management, which is generally more oriented
towards the system efficiency assessment and
towards ensuring the adequate return on
investments [7].
2. The high level of substitutability of ISMS investments with costs that can be treated as
operating costs often complicates investment decisions [8]. Generally, such "alternative" solutions
may seem acceptable, but a superficial analysis often omits numerous hidden costs, such as customer
education costs, technical personnel training costs (for the people who will work on solution
implementation and maintenance [9]), etc.

3. Software, hardware and telecommunication solutions obtained as long-term investments by the
enterprise usually imply the necessity of maintenance contracting [10]. Such contracts offer customer
support throughout the lifetime of the purchased information security solution, and quite often it is
impossible to use the solution without signing them. If such a contract has not been signed, a certain
hardware or software product may not function properly (for example because of missing security
patches or similar problems which may occur during operation). For antivirus/antispam solutions or
network devices with security functions, it would be impossible to receive timely definitions of
certain attacks or the related security profiles and definitions. Furthermore, it would be difficult to
integrate such a solution into the ISMS, because its settings might not allow integration, or
application to an increased number of users or workplaces [11]. For that reason, when performing the
initial input parameter analysis it is necessary to discern which part of the initial costs represents
investment and which part represents yearly maintenance, in order to correctly determine the total
cost of implementing and operating a certain ISMS.

4. It is difficult to correctly predict the real residual
value of certain information security investments
[12]. Some such solutions have a long lifespan (for
example telecommunications and network
solutions) and could be used even after being fully
depreciated. The functionality of some systems
might depend on the regular payments to the
supplier, who is able to continuously upgrade and
modernize a certain solution (which is especially
applicable to software security solutions).

5. Small and medium enterprises often lack the
specific knowledge necessary to adequately assess
the influence of information security investments on
enterprise performance [13].
III. CHARACTERISTICS OF INFORMATION
SECURITY INVESTMENTS' ECONOMIC
ANALYSIS
When analyzing the economic flow of an ISMS solution, the structure of the source of financing (own
assets or loan/financial leverage) is ignored, because the loan interest does not reduce the
solution's economic potential but the economic potential of the enterprise as a whole [14].
The classic investment economic flow analysis (or in this
case the investment into information security
infrastructure) calls for the initial assessment of effects
reduced to market prices from the first year of the project
duration [15]. Those items which reduce the economic
potential of the project or solution are considered expenses.
In this context, the expenses may be:

- Initial investments in information security
solution or project
- Cost of project or solution maintenance
- Material expenses for using the solution
(electricity, utilities)
- External services related to the solution
(consulting)
- Training costs for solution implementation
(permanent employees)
- Training costs for solution usage (permanent
employees)
- Gross salary for employees in charge of solution
implementation (reduced to full time equivalents)
When using the economic cash flow analysis of an information security solution, determining the
income is much harder than determining the expenses. The positive cash flow of such investments
usually consists of the overall income during the solution lifetime and the estimated residual value
at the end of the lifetime [16]. Such income can be properly defined only in enterprises that mainly
provide security solutions to others, or that provide services to others and undertake the investment
activity themselves.
All other enterprises do not derive income from information security solutions; instead, the negative
cash flow items in the cash flow analysis can be directly compared with the potential damage caused to
the enterprise if a security lapse occurs while the security solution is in use.

From the static point of view of such a model of modified
economic flow, initially justified security investment
would be the one in which the total, cumulative benefits
(or the avoided cost of security problems increased by the
residual value) is larger than the cost of security solution
implementation [17]. Such situation is shown in Table 1.






Table 1: The analysis of modified economic flow of information security investments

Structure / period                                   1     2     3    ...
1. AVOIDED EXPENSES                                  ...   ...   ...  ...
2. RESIDUAL VALUE                                    -     -     -    ...
3. EXPENSES (2.1+2.2+2.3+2.4+2.5+2.6+2.7)           ...   ...   ...  ...
   3.1 Security solution investment                  ...   ...   ...  ...
   3.2 Maintenance costs                             ...   ...   ...  ...
   3.3 Material costs                                ...   ...   ...  ...
   3.4 External costs                                ...   ...   ...  ...
   3.5 Training costs for solution implementation    ...   ...   ...  ...
   3.6 Training costs for solution usage             ...   ...   ...  ...
   3.7 Gross salary                                  ...   ...   ...  ...
4. NET EFFECT                                        1.+2.-3.

Source: authors


IV. CHARACTERISTICS OF INFORMATION
SECURITY INVESTMENTS' FINANCIAL
ANALYSIS

Similar to the economic flow method, the unmodified financial flow method [18] can be applied to
information security solution investments only if the enterprise holds such solutions as assets and
leases them to other enterprises. Unlike the economic flow method, the financial flow method also
takes into account the sources of financing [19], represented by cash inflow and obligations towards
the sources of financing (outgoing interest), as shown in Table 2.

Table 2: Modified financial flow method when investing in information security

Structure / period                                   1     2     3    ...
1. AVOIDED EXPENSES                                  ...   ...   ...  ...
2. RESIDUAL VALUE                                    -     -     -    ...
3. FINANCING SOURCES (3.1+3.2)                       ...   ...   ...  ...
   3.1 Own sources                                   ...   ...   ...  ...
   3.2 Loans                                         ...   ...   ...  ...
4. EXPENSES (2.1+2.2+2.3+2.4+2.5+2.6+2.7)           ...   ...   ...  ...
   4.1 Security solution investment                  ...   ...   ...  ...
   4.2 Maintenance costs                             ...   ...   ...  ...
   4.3 Material costs                                ...   ...   ...  ...
   4.4 External costs                                ...   ...   ...  ...
   4.5 Training costs for solution implementation    ...   ...   ...  ...
   4.6 Training costs for solution usage             ...   ...   ...  ...
   4.7 Gross salary                                  ...   ...   ...  ...
   4.8 Installment (annuity)                         ...   ...   ...  ...
5. NET EFFECT                                        1.+2.+3.-4.

Source: authors

The problem which appears when using the financial flow method is the same as with the economic flow
method: determining the avoided costs. In the dynamic analysis, the classical dynamic methods [20] can
be used, as follows:

1. Return on investment rate, the simplest criterion for financial decisions regarding real
investments. The method calculates the number of years needed for the project (in this context, the
information security asset or system) to return the invested funds. Where the methodology requires
the time value of money to be incorporated, the discounted cash flow method is used [21].

2. Discounted period of return method, the variant of the above method in which the time value of
money is incorporated in the calculation.

3. Net present value method of the investment in information security, which represents the sum of
the present values of the resulting cash flows related to the same information security solution.

4. Internal rate of information security investment return, i.e. the internal rate of return (RoR)
which reduces the net cash flows from using the information security solution to the value of their
investment flows [22].

5. Profitability index, which can be used as an additional criterion for investment decisions. It
represents the ratio of the discounted net cash flows of the information security solution during its
lifetime to the investment costs.


V. CHALLENGES IN APPLICATION OF
INTERNAL RATE OF RETURN (RoR) METHOD

The classic analysis of the internal rate of return demands that the rate of return (which equates the
investment with the net cash flows) be larger than the reference discount rate, which depends on the
risk level and the cost of capital [23]. The common problem of multiple internal rates of return is
usually not present in information security investments. Under the premise that information security
risks are present throughout the period of use of the information security solution and that the
distribution of cash flows is uniform (there is no change of sign in the cash flows, and the last cash
flow is not negative), the classic internal rate of return method can be used.

However, when using the internal rate of return
method in the analysis of information security investments,
several facts should be taken into consideration [24]:

- This method cannot be used for analyzing or comparing investments in multiple information security
solutions, only for analyzing single investments, because the obtained results are not comparable.
- The internal rate of return implies reinvesting the positive cash flow in projects or solutions with
a similar rate of return, whether in similar solutions or in other comparable solutions. For that
reason, the internal rate of return method will be used in evaluating those projects in which the
reinvested cash flow is directed into projects with a lower rate of return [25]. This is especially
true for security solutions or projects with high rates of return, because enterprises have
difficulties in finding comparable reinvestment projects with equally attractive rates of return.
- As a rule, cash flows do not change from positive to negative and vice versa, and the last cash flow
is never negative. Therefore, the problem of multiple internal rates of return should not exist.
- The internal rate of return method only provides a relative measure of return for a given security
project or solution, not an absolute one.

The starting assumptions for the set model are as
follows:

1. The initial investment in information security
solution has been executed,
2. No opportunity costs exist,
3. Minimal residual value of the information
security solution exists at the end of the solution
lifetime,
4. The proportional depreciation method is being
used,
5. The generated cash flow is estimated as the consequence of avoiding the occurrence of security
incidents and the connected direct and indirect costs,
6. There is no tax credit,
7. Other investments related to introduction,
implementation and usage of information security
solution are treated as having fixed value and they
are not depreciated during life time of
exploitation,
8. It is estimated that variable cost exists during the
lifetime of the security solution, expressed in
relative terms compared to income,
9. The income tax is set as fixed during the
observed period,
10. It is assumed that the working capital during the
lifetime of the solution is annulled or fully
depreciated (amounts to zero),
11. The discount rate is used as a direct discount rate.
It is possible to calculate the discount rate within
the model as it is calculated in the Capital Asset
Pricing Model. [26] When doing so, risk free
return rate, premium based on assumed market
risk, cost of borrowing the capital and debt
leverage have to be taken into account,
12. It is assumed within the model that the benefits
from implementing the information security
solution do not change through the years, in other
words the benefits are proportionally distributed,
13. Fixed costs of solution maintenance during its
lifetime do not increase; they are contained in the
initial investment.

In this paper we outline a possible practical application of cash flow analysis to an information
security solution.
The input parameters of the proposed model consist of the initial investment, represented by the value
of the investment in the ICT security solution, the opportunity cost of capital, the life span of the
solution, the scrap value, the depreciation method, the tax credit and non-depreciated capital
investments. Furthermore, the required working capital is taken into consideration, as are the
generated cash flow, the selection of the discount rate and the alternative risk-free market rate.
The possibility of a loan at the market borrowing rate is also anticipated; for simplicity, in the
outlined model the investment is 100 % owned and external leverage is not used.

Finally, the growth rates of the implicit revenues derived from the information security solution and
of the fixed costs are set to zero, meaning they are omitted from the model. These parameters are the
input values of the cash flow analysis model of an information security solution investment project.
The constructed model shows that, under its initial assumptions, it is possible to calculate the net
present value, the internal rate of return and the return on capital of such a solution. Further
simulations show that the internal rate of return is particularly sensitive to the following input
parameters [27]:

1. Time (duration) of using the information security
solution,
2. Perceived (set in advance) ability of the information
security solution to generate the positive cash flow
during its lifetime,
3. Discount rate used.

Such model could be used in practice if the input
parameters are correctly estimated. Judging from
experience, the largest problem in forecasting is connected
to the ability to assess the generation of the positive cash
flow by avoiding costs related to the occurrence of security
incidents.
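The following Python program is an added illustration, not code from the paper: it implements the cash flow model of Section V under the paper's stated assumptions (constant yearly avoided incident cost as the implicit income, variable cost as a share of that income, proportional depreciation, fixed income tax with no tax credit, residual value in the last year, 100 % own financing) and computes the dynamic criteria listed in Section IV (payback, discounted payback, NPV, IRR, profitability index), then probes the three sensitivities named above. All numeric inputs are constructed sample values.

```python
from dataclasses import dataclass, replace


@dataclass
class SecurityInvestment:
    """Input parameters of the modified economic flow (constructed sample values)."""
    investment: float           # initial outlay for the security solution, year 0
    avoided_cost: float         # yearly avoided incident damage, the implicit income
    variable_cost_share: float  # variable running cost as a share of the avoided cost
    years: int                  # lifetime (duration of use) of the solution
    residual_value: float       # minimal scrap value received in the last year
    tax_rate: float             # income tax, fixed over the whole period

    def net_cash_flows(self):
        """Year-0 outlay followed by the after-tax net cash flow of each year."""
        depreciation = self.investment / self.years   # proportional (straight-line)
        flows = [-self.investment]
        for year in range(1, self.years + 1):
            income = self.avoided_cost                    # benefits constant over the years
            variable = self.variable_cost_share * income  # variable cost relative to income
            taxable = income - variable - depreciation
            tax = max(taxable, 0.0) * self.tax_rate       # no tax credit on a loss
            cash = income - variable - tax                # depreciation itself is non-cash
            if year == self.years:
                cash += self.residual_value               # residual value at end of life
            flows.append(cash)
        return flows


def npv(rate, flows):
    """Net present value: sum of discounted flows, year 0 undiscounted."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(flows))


def irr(flows, lo=-0.99, hi=10.0, tol=1e-9):
    """Internal rate of return by bisection on NPV. A single root exists because
    the flows change sign exactly once and the last flow is not negative."""
    f_lo = npv(lo, flows)
    if f_lo * npv(hi, flows) > 0:
        raise ValueError("NPV does not change sign in the bracket")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        f_mid = npv(mid, flows)
        if f_lo * f_mid <= 0:
            hi = mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def payback_period(flows, rate=0.0):
    """First year in which the cumulative (discounted) flow is non-negative, or
    None if the outlay is never recovered; rate=0 gives the simple payback."""
    cumulative = 0.0
    for t, cf in enumerate(flows):
        cumulative += cf / (1 + rate) ** t
        if t > 0 and cumulative >= 0:
            return t
    return None


def profitability_index(rate, flows):
    """Discounted inflows over the lifetime divided by the investment cost."""
    pv_inflows = sum(cf / (1 + rate) ** t for t, cf in enumerate(flows[1:], 1))
    return pv_inflows / -flows[0]


def irr_after_change(base, **changes):
    """IRR of the same project with some inputs replaced; used to probe the
    sensitivity to the duration of use and to the avoided cost."""
    return irr(replace(base, **changes).net_cash_flows())


# Constructed sample project: 100 000 outlay, 40 000 avoided damage per year.
SAMPLE = SecurityInvestment(investment=100_000, avoided_cost=40_000,
                            variable_cost_share=0.10, years=5,
                            residual_value=5_000, tax_rate=0.20)

if __name__ == "__main__":
    flows = SAMPLE.net_cash_flows()
    print("net cash flows:", [round(cf) for cf in flows])
    for rate in (0.05, 0.10, 0.15):             # sensitivity to the discount rate
        print(f"NPV at {rate:.0%}: {npv(rate, flows):,.0f}")
    print(f"IRR: {irr(flows):.2%}, PI at 10%: {profitability_index(0.10, flows):.3f}")
    print("payback (simple / discounted at 10%):",
          payback_period(flows), payback_period(flows, 0.10))
    print(f"IRR with a 3-year lifetime: {irr_after_change(SAMPLE, years=3):.2%}")
    print(f"IRR with 30 000 avoided per year: {irr_after_change(SAMPLE, avoided_cost=30_000):.2%}")
```

With the sample values the IRR drops from about 20 % to about 5.5 % when the lifetime is cut from five to three years, which is the duration sensitivity the paper reports.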

VI. CONCLUSION
Enterprises and organizations which operate in the modern environment (especially in the service
sector) are faced with the challenges of the modern dematerialized economy. Because of that, one of
the new business functions that arose in the last few decades is the business function of information
security, driven by the increased use of networking and communication technologies. The roots of
information security lie in the defense sector and the high technology sector, and it was first
implemented by those enterprises which hold an advantage over their competitors because of new ideas,
inventions and patents. Due to the increased number of threats, and the existence of information
assets which could be compromised by those threats, even the smallest companies nowadays have to pay
due attention to information security, to avoid security incidents which could compromise their
competitiveness and even their existence. Therefore, securing the normal functioning of the
enterprise by means of information security is no longer reserved for the corporate sector; it is
equally important for small companies, all the way down to the level of individual entrepreneurs.
The demands for ensuring the satisfactory level of
information security are also set by the legal system, trying
to regulate and to positively influence the companies
which have a strategic interest to the state, primarily the
financial sector. Such demands are legal requirements which those companies have to meet. As a rule,
such demands are not imposed on other companies; they have to assess the profitability of information
security investments themselves (according to their business plans, financial and human resources and
risk assessment). When
doing so, the benefits of information security system
implementation are primarily compared to implementation
and maintenance costs. According to this evaluation,
investment decisions should be made. The estimation of
total cost of implementation and maintenance of the
information security solution is further hampered because
of the different ways of achieving such goals: it can be
achieved both by capital investments (real investments) in
information security solutions and by presenting
information security solutions as "running costs" or
maintenance costs. Suppliers of information security
solutions are trying to adapt the solution functionalities to
fit various customer needs and their financial abilities at
the given moment. In any case, information security
solutions carry with them substantial maintenance costs.
The main problem when deciding about investing in information security solutions is how to decide
between the two opposing investment viewpoints. The first, techno-centric viewpoint is often advocated
by the information security experts employed in an enterprise. Their primary focus is on risk
assessment, so when trying to minimize security risks they sometimes suggest uneconomic information
security investments. On the other hand, enterprise management as a rule lacks understanding of the
technical aspects of information security and would prefer that such investments be avoided, because
the necessary input for well-founded decision making is often not presented to them, while they are
concerned primarily with the benefits of information security solutions for the enterprise as a whole.
A key factor when investing in information security solutions is to find the balance between the
techno-centric and the financial perspective. In reality, the scales are usually tipped to one side,
and the imbalance either causes reduced business performance of the enterprise or implicit exposure
to high levels of information security risk.
As shown in this paper, when deciding about information security investments, the classic methods of
economic and financial (cash) flow analysis can be used. A problem of determining the input
parameters arises, and as with the usual models (investing in manufacturing equipment, project
investments), the largest problem is determining the income part, which can be identified as the
damage avoided in the case of security incidents which could happen if the information security
solution is not implemented. Such a model has been proposed and empirically documented using
proprietary data. The related data is often not publicly available, and even specialized consulting
firms do not have it, because such data is extremely dependent on the type of business and the type
of enterprise. It might be only partially available for financial institutions, because of the legal
regulations regarding financial information security. The method which can be used is a modified
Internal Rate of Return, adapted to suit the information security paradigm, with the input parameters
modified to the specific demands of investing in information security.

REFERENCES
[1] Hirshleifer, J., Riley, John G., "The Analytics of
Uncertainty and Information", Cambridge Surveys of
Economic Literature, Cambridge, UK, 1992.
[2] Shim, K. Jae; Siegel, Joel G.: "Handbook of
Financial Analysis, Forecasting and Modeling", CCH,
2007.
[3] Ostrom, T. Lee; Wilhelmsen C.: "Risk Assessment:
Tools, Techniques, and Their Applications", Wiley, 2012.
[4] Hiles, A: "Enterprise Risk Assessment and Business
Impact Analysis: Best Practices", Rothstein Associates
Inc., 2002.
[5] Aksentijević, S.: "Integral protection and information security management system Saipem
Mediteran Usluge d.o.o.", Rijeka, unpublished, 2008.
[6] Maddock, V: "IT Induction and Information
Security Awareness: A Pocket Guide",It Governance Ltd.,
2010.
[7] Phillips, Pulliam P., Phillips, J. J.: "Return on
Investment (ROI) Basics (ASTD Training Basics)", ASTD
Press, 2006.
[8] Brcar, F., Bukovec, B., "Analysis of Increased
Information Technology Outsourcing Factors",
Organizacija, Volume 46, Number 1, January-February
2013.
[9] Dempsey, P.: "Hidden Costs: The iceberg that could
sink your company: Kaizen and Copq, Relentless
Opportunity", Xlibris, Corp., 2012.
[10] Palmer, R.: "Maintenance Planning and
Scheduling Handbook", Xlibris, Corp., 2012.
[11] Larman, C., Vodde, B.: "Scaling Lean & Agile
Development: Thinking and Organizational Tools for
Large-Scale Scrum", Addison-Wesley Professional, 2008.
[12] Pinto, J.E. et. al.: "Equity Asset Valuation", Wiley,
2010.
[13] George, J.A., Rodger, J.A.: "Smart Data:
Enterprise Performance Optimization Strategy", Wiley,
2010.
[14] Conyngton, H.R.: "Financing an enterprise", Ulan Press, 2012.
[15] Mian, M.A.: "Project Economics and Decision
Analysis, Volume 1: Deterministic models", PennWell
Corp., 2011.
[16] Yescombe, E.R.: "Principles of Project Finance",
Academic Press, 2002.
[17] Malik, Krishan A., Petroleum Project Evaluation
& Investment Decision Making, Institute for Petroleum
Development, Austin, Texas, 2011.
[18] Mulford, C.W.: "Creative Cash Flow Reporting:
Uncovering Sustainable Financial Performance", Wiley,
2005.
[19] Marks, K.H.: "The Handbook of Financing
Growth: Strategies, Capital Structure, and M&A
Transactions", Wiley, 2009.
[20] Zeevi, Z.: "Methods for financial effectiveness
evaluation of investment projects",
http://www.scribd.com/doc/75998229/Metode-Za-Ocjenu-
Financijske-Efikasnosti (25.11.2012.)
[21] Voss, J.A.: "Valuation Techniques: Discounted
Cash Flow, Earnings Quality, Measures of Value Added,
and Real Options", Wiley, 2012.
[22] Bojanc, R., Jerman-Blazic, B.: "Quantitative Model for Economic Analyses of Information Security
Investment in an Enterprise Information System", Organizacija, Volume 45, Number 6,
November-December 2012.
[23] Pratt, S.P., Grabowski, R.J.: "Cost of Capital:
Applications and Examples", Wiley, 2010.
[24] Tipton, H.F., Krause, M.: "Information Security
Management Handbook", 6th Edition, CRC Press, 2007.
[25] Elton, Edwin J.; Gruber, Martin J.; Brown, Stephen J.; Goetzmann, William N.: "Modern Portfolio
Theory and Investment Analysis", VIII ed., Wiley, Bognor Regis, West Sussex, 2009.
[26] Tapiero, C.S.: "Risk Finance and Asset Pricing:
Value, Measurements, and Markets", Wiley, 2010.
[27] Phillips, Pulliam P., Phillips, J. J.: "Return on
Investment (ROI) Basics (ASTD Training Basics)", ASTD
Press, 2006.