
ECONOMIC AND FINANCIAL ANALYSIS OF INVESTMENTS IN INFORMATION SECURITY

Zvonko Čapko¹, Saša Aksentijević², Edvard Tijan³

¹ University of Rijeka, Faculty of Economics
Ivana Filipovića 4, Rijeka, Croatia
Tel: +385 51 35 51 52 Fax: +385 212 268 E-mail: zvonko.capko@efri.hr

² Aksentijević Forensics and Consulting, Ltd.
Gornji Sroki 125a, Viškovo, Croatia
Tel: +385 51 65 17 00 Fax: +385 51 65 17 81 E-mail: axy@vip.hr

³ University of Rijeka, Faculty of Maritime Studies
Studentska 2, 51000 Rijeka, Croatia
Tel: +385 51 33 84 11 Fax: +385 51 33 67 55 E-mail: etijan@pfri.hr


MIPRO 2014.
STATEMENT OF THE PROBLEM
In companies, the investment value of assets (which are owned or controlled by an
enterprise and which produce certain revenue) is evaluated against the related costs
(for example, maintenance, or procurement of raw materials).

Assets are usually divided into material assets (machinery, buildings), non-material
assets (patents, software, goodwill) and a special form of assets capable of intrinsic
reproduction, called financial assets.
STATEMENT OF THE PROBLEM
Information Security Management Systems (ISMS), technically speaking, consist of the
following components, organized in a hierarchical manner:

- Organizational forms ensuring compliance with legal regulations,
- Organizational information policy, or the knowledge of users and management regarding the
  functioning and managing of ISMSs, resulting in adequate application of risk removal
  techniques by using hardware, software and orgware, often formalized by security certification
  (e.g. ISO 27001:2005),
- Computer hardware (servers, switches, computers, network devices, routers),
- Computer software and applications.

STATEMENT OF THE PROBLEM

Several issues can be identified when facing the difficult choice between investing in one's own
information security assets and leasing the solution:

- On a technical level, such divergence of possible solutions could create problems in terms of
  constant demands for additional education, arising from quickly changing technologies.
- On an economic level, the total investment cost can further be obscured.
- On an operative level, a whole set of additional costs exists, related to the setup and functioning
  of the ISMS (application costs, ICT infrastructure etc.).

DIFFICULTIES IN DETERMINING THE INPUT PARAMETERS OF
ECONOMIC ANALYSIS
The difficulties in determining the input parameters of financial analysis in information security
are the following:

- Decisions about ISMS investments depend upon risk assessment as a
  professional/specialist activity.
- The high level of substitutability of ISMS investments with costs that can be considered
  operative costs often complicates investment decisions.
- Software, hardware and telecommunication solutions obtained as long-term investments by
  the enterprise usually imply the necessity of maintenance contracting.
- It is difficult to correctly predict the real residual value of certain information security
  investments.
- Small and medium enterprises often lack the specific knowledge necessary to adequately
  assess the influence of information security investments on enterprise performance.

CHARACTERISTICS OF INFORMATION SECURITY INVESTMENTS'
ECONOMIC ANALYSIS



Those items which reduce the economic potential of the project or solution are considered
expenses. In this context, the expenses may be:

- Initial investments in information security solution or project
- Cost of project or solution maintenance
- Material expenses for using the solution (electricity, utilities)
- External services related to the solution (consulting)
- Training costs for solution implementation (permanent employees)
- Training costs for solution usage (permanent employees)
- Gross salary for employees in charge of solution implementation (reduced to full time
  equivalents)

CHARACTERISTICS OF INFORMATION SECURITY INVESTMENTS'
ECONOMIC ANALYSIS
From the static point of view of such a model of modified economic flow, an initially justified security
investment would be one in which the total, cumulative benefits (the avoided cost of
security problems increased by the residual value) are larger than the cost of security solution
implementation. Such a situation is shown in the following table.






| structure/period | 1 |
|---|---|
| AVOIDED EXPENSES | ... |
| RESIDUAL VALUE | - |
| EXPENSES | 2.1+2.2+2.3+2.4+2.5+2.6+2.7 |
| Security solution investment | ... |
| Maintenance costs | ... |
| Material costs | ... |
| External costs | ... |
| Training costs for solution implementation | ... |
| Training costs for solution usage | ... |
| Gross salary | ... |
| NET EFFECT | 1.+2.-3. |

CHARACTERISTICS OF INFORMATION SECURITY INVESTMENTS'
ECONOMIC ANALYSIS
Similar to the economic flow method, the unmodified financial flow method could also be applied to
information security solution investments only if the enterprise holds such solutions as assets
and leases them to other enterprises. Unlike the economic flow method, the financial flow method
also takes into account sources of financing, represented by cash inflow, and obligations towards
sources of financing (outgoing interest), shown in the following table:







| structure/period | 1 |
|---|---|
| AVOIDED EXPENSES | ... |
| RESIDUAL VALUE | - |
| FINANCING SOURCES | 3.1+3.2 |
| Own sources | ... |
| Loans | ... |
| Expenses | 2.1+2.2+2.3+2.4+2.5+2.6+2.7 |
| Security solution investment | ... |
| Maintenance costs | ... |
| Material costs | ... |
| External costs | ... |
| Training costs for solution implementation | ... |
| Training costs for solution usage | ... |
| Gross salary | ... |
| Installment (annuity) | ... |
| NET EFFECT | 1.+2.+3.-4. |

CHARACTERISTICS OF INFORMATION SECURITY INVESTMENTS'
ECONOMIC ANALYSIS
In the dynamic analysis, classical dynamic methods could be used, as follows:

- Return on investment rate: the simplest criterion of financial decisions
  regarding real investments. The method calculates the number of years necessary for the
  project (in this context, an information security asset or system) to return the invested funds.
  If the methodology requires that the time value of money be taken into account, the
  discounted cash flow method will be used.
- Discounted period of return method: the variant of the above method in which the time value
  of money is incorporated in the calculation.
- Net present value method of investment in information security: the sum of the
  present values of resultant cash flows related to the same information security solution.
- Internal rate of information security investment return: the internal rate of
  return (RoR) that reduces the pure cash flows of using the information security solution to the
  value of their investment flows.
- Profitability index: could be used as an added criterion of investment decisions. It
  represents the ratio of discounted pure cash flows of the information security solution during its
  lifetime to the investment costs.







CHALLENGES IN APPLICATION OF INTERNAL RATE OF RETURN
(ROR) METHOD
When using the internal rate of return method in the analysis of information security investments,
several facts should be taken into consideration:

- This method cannot be used when analyzing or comparing investments into multiple
  information security solutions, only when analyzing single investments, because the
  obtained results are not comparable.
- The internal rate of return implies reinvesting the positive cash flow in projects or solutions
  that have a similar rate of return, whether it is the case of reinvesting in similar solutions or
  other comparable solutions. For that reason, the internal rate of return method will be used in
  evaluating those projects in which the reinvested cash flow is directed into projects with
  a lesser rate of return. This is especially true for security solutions or projects with high rates of
  return, because enterprises have difficulties in finding comparable reinvestment projects with
  equally attractive rates of return.
- As a rule, cash flows do not change from positive to negative and vice versa, and the last
  cash flow is never negative. Therefore, the problem of multiple internal rates of return should
  not exist.
- The internal rate of return method will only provide a relative calculation of return for a given
  security project or solution, not an absolute one.
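
The dynamic methods listed earlier and the single-rate precondition stated above can be carried through on one net-effect series. The following is an added example, not code from the presentation; the function names, the 10% discount rate and the sample figures are assumptions constructed for illustration, and `payback` implements the "number of years to return the invested funds" criterion.

```python
from dataclasses import dataclass

@dataclass
class Period:
    avoided: float    # avoided expenses (the benefit side of the table)
    residual: float   # residual value of the solution
    expenses: float   # sum of the expense items (investment, maintenance, ...)

def net_effects(periods):
    """NET EFFECT row: avoided expenses + residual value - expenses."""
    return [p.avoided + p.residual - p.expenses for p in periods]

def npv(rate, flows):
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(flows))

def payback(flows, rate=0.0):
    """First period where cumulative (discounted) flow is >= 0, else None."""
    total = 0.0
    for t, cf in enumerate(flows):
        total += cf / (1 + rate) ** t
        if total >= 0:
            return t
    return None

def profitability_index(rate, flows):
    """Discounted flows after period 0 divided by the period-0 investment."""
    return npv(rate, [0.0] + flows[1:]) / -flows[0]

def sign_changes(flows):
    signs = [cf > 0 for cf in flows if cf != 0]
    return sum(a != b for a, b in zip(signs, signs[1:]))

def irr(flows, lo=-0.99, hi=10.0, tol=1e-10):
    """Bisection on NPV; refuses flows that may have several rates."""
    if sign_changes(flows) != 1:
        raise ValueError("not exactly one sign change: IRR is not unique")
    if npv(lo, flows) * npv(hi, flows) > 0:
        raise ValueError("no rate in the search interval")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if npv(lo, flows) * npv(mid, flows) <= 0:
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2

# Constructed sample: investment of 100 in period 0, four years of use.
SAMPLE = [Period(0, 0, 100)] + [Period(55, 0, 15)] * 3 + [Period(55, 10, 15)]
FLOWS = net_effects(SAMPLE)  # [-100, 40, 40, 40, 50]
```

On this sample the undiscounted payback is 3 periods but the discounted payback at 10% is 4, and a series such as `[-100, 230, -132]` (a negative last flow) is rejected by `irr` because it changes sign twice.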








