Posted by: admin, 17 years, 1 month ago
In my first post, I discussed the shortcomings of ROI as an analysis tool for information security projects: it doesn't include a cost of capital. Using a cap rate will increase the accuracy of your analysis, but how do you come up with a good cap rate?
First, start with your firm's WACC (weighted average cost of capital). Ask your CEO or CFO. If you can get a bank loan of some kind, your cost of debt is whatever rate the bank gives you. Your cost of equity would be somewhere above that. Then look at the project. Will it create new avenues of attack and increase risks? Will a successful attack result in significant consequences? Will it increase the likelihood of injury? If so, what would be the cost? These are subjective questions. I find that when faced with subjective questions, it's helpful to weigh the answers and average the results.
Below is a short table that compares an existing, well-protected LAN to the same network with a WiFi network added. You weigh the importance of each element. For example, while the loss of confidential information is high, perhaps it is unlikely that you would have to announce the loss publicly, because you are not subject to the California Database Protection Act, GLB or HIPAA.
[Table: the existing wired LAN compared with the same network with WiFi added; linked from the original post and not reproduced here]
You can create your own table of factors. For example, you might include a category on how a successful attack might impact your personal situation at the firm. In this example, we're positing that the wireless LAN is twice as risky as a wired LAN. If your firm's WACC is 10%, the cap rate for this project should be 20.7%. If the expected savings are $1,000, the investment had better be less than $4,828.
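As an added worked example (not the post's own spreadsheet), this Python sketch implements the weighting procedure above: each table row gets an importance weight and a score for the wired and WiFi configurations, the weighted sums give the relative risk, and the cap rate then sets the most the project may cost. The factor weights and scores are constructed, and because the post does not show how the risk multiple is turned into the 20.7% rate, the cap rate is passed in directly.

```python
from dataclasses import dataclass


@dataclass
class Factor:
    """One row of the comparison table: how much the factor matters to the
    firm (weight) and how exposed each configuration is to it (1 = low, 5 = high)."""
    name: str
    weight: float
    wired_score: float
    wifi_score: float


# Constructed sample rows; the weights and scores are illustrative, not the post's table.
FACTORS = [
    Factor("new avenues of attack", weight=3, wired_score=1, wifi_score=4),
    Factor("loss of confidential information", weight=3, wired_score=2, wifi_score=3),
    Factor("forced public disclosure (breach laws apply)", weight=1, wired_score=1, wifi_score=1),
    Factor("likelihood of injury", weight=2, wired_score=1, wifi_score=1),
]


def weighted_sum(factors, which):
    """Importance-weighted total of one column ('wired_score' or 'wifi_score')."""
    return sum(f.weight * getattr(f, which) for f in factors)


def relative_risk(factors):
    """How many times riskier the WiFi configuration is than the wired baseline.
    The shared total weight cancels, so the ratio of weighted sums is enough."""
    return weighted_sum(factors, "wifi_score") / weighted_sum(factors, "wired_score")


def max_investment(expected_savings, cap_rate):
    """Capitalised value of a recurring annual saving: the most the project may
    cost and still earn the risk-adjusted cap rate."""
    if cap_rate <= 0:
        raise ValueError("cap rate must be positive")
    return expected_savings / cap_rate


def simple_return(expected_savings, investment):
    """Plain ROI-style yield, which ignores the cost of capital and project risk."""
    return expected_savings / investment


def passes_hurdle(investment, expected_savings, cap_rate):
    """True when the proposed spend is below the cap-rate ceiling."""
    return investment < max_investment(expected_savings, cap_rate)


if __name__ == "__main__":
    print(f"WiFi is {relative_risk(FACTORS):.1f}x as risky as the wired LAN")
    print(f"ceiling at 20.7%: ${max_investment(1000, 0.207):,.0f}")
```

A proposed $4,900 spend shows a plain yield of about 20% against a 10% WACC, yet fails the 20.7% risk-adjusted hurdle, which is the gap the cap rate is meant to expose.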
