| Subject: | RE: ROSI |
|---|---|
| Date: | Tue, 18 Jan 2005 12:02:03 -0500 |
NPV incorporates costs, expected returns via savings or revenue and a risk-adjusted rate of return. As such it is a very good measure, particularly at the start of a project. A cap rate will do the same thing *if* the savings are static over time. Economic profit (also known by the trademarked term EVA) is a good metric for ongoing analysis or for creating an incentive system that assures projects return more than their cost of capital.

What you might want to do is put all the numbers you have in a spreadsheet, then calculate the ROI, Payback, NPV etc. in one sheet for review. Then, if they are different, why? If they all point in the same direction, what if some variables change? Where are the sensitivities?

The real trick will be adjusting the rate of return for a project based on that project's riskiness relative to the firm's weighted average cost of capital. This can really skew the numbers. As with any analysis, the depth of your work to justify assumptions is where the meat of the matter lies. You should reach a point in your analysis where it is clear that you've done enough to justify a decision.

I've chewed on this some, but haven't put anything in writing yet. If you're interested, let me know and I'll let you know when I do.

On Tue, 2005-01-18 at 16:56 +0100, Zaklina Supica wrote:
Nick,

Thanks for your answer. I'm aware that every organization has a different process of ISMS implementation. What I'm trying to do is to analyze and find the best way to calculate security investment. Is it a cap, ROI, NPV... or some other known method? To me it doesn't matter. I will appreciate every good piece of advice on that subject. I just want to see as realistic a number as possible.

Zaklina

-----Original Message-----
From: Nick Owen [mailto:nickowen@mindspring.com]
Sent: Monday, January 17, 2005 9:00 PM
To: Zaklina Supica
Cc: security-management@securityfocus.com
Subject: Re: ROSI

Zaklinka:

You won't be able to find much, if anything, about the economics of implementing BS 7799 because I suspect that each implementation would be very different and that no one has aggregated the information - perhaps because few companies actually track it. Rather, they are forced to comply with some standard by a large customer or a government regulation.

As for ROSI, I'm not a fan of ROI and its ilk as it can lead to distortions in decision making, in particular for info sec. Information security investments should be about risk mitigation and ROI doesn't take risk into account. Say you have two projects: invest $20k and return $2k/period and invest $10k and return $1k/period. The ROI and payback are the same. But, if the first project is riskier than the second, you should do the second. ROI won't tell you that. Using a Cap rate, NPV, IRR or economic profit would.

You can read more at my (new) blog: http://www.wikidsystems.com/WiKIDBlog

HTH,

nick

On Sat, 2005-01-15 at 12:14 +0100, Zaklina Supica wrote:

Hi,

I'm very interested in some data about ROSI in general, and some figures ($) about ROSI and BS 7799 compliant ISMS (if they exist).

Thanks,
Zaklina Supica
Tel: +385 1 6129 781
Fax: +385 1 6129 889
http://security.lss.hr
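The two-project comparison Nick describes (same ROI and payback, different risk), worked through as an added example that is not part of the thread: it computes ROI, payback and a risk-adjusted NPV for both projects and sweeps the risk premium to show the sensitivity he recommends checking. The 15-period horizon, the 5% cost of capital and the 5-point risk premium on the riskier project are assumed values chosen for illustration.

```python
"""Risk-adjusted comparison of two security investments (illustrative figures)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Project:
    name: str
    investment: float        # up-front cost
    saving_per_period: float # expected saving (loss avoided) each period
    periods: int             # analysis horizon, in periods
    risk_premium: float      # added to the firm's cost of capital for this project


def roi(p: Project) -> float:
    """Simple ROI over the horizon: ignores timing and risk entirely."""
    return (p.saving_per_period * p.periods - p.investment) / p.investment


def payback_periods(p: Project) -> float:
    """Periods until cumulative savings equal the investment (also risk-blind)."""
    return p.investment / p.saving_per_period


def npv(p: Project, wacc: float) -> float:
    """NPV discounted at WACC plus the project's own risk premium."""
    rate = wacc + p.risk_premium
    present_value = sum(p.saving_per_period / (1 + rate) ** t
                        for t in range(1, p.periods + 1))
    return present_value - p.investment


def compare(projects: list[Project], wacc: float) -> dict[str, dict[str, float]]:
    """One 'sheet' with all three metrics side by side, as Nick suggests."""
    return {p.name: {"roi": roi(p), "payback": payback_periods(p), "npv": npv(p, wacc)}
            for p in projects}


def premium_sensitivity(p: Project, wacc: float, premiums: list[float]) -> dict[float, float]:
    """NPV of one project across a range of assumed risk premiums."""
    return {prem: npv(replace(p, risk_premium=prem), wacc) for prem in premiums}


# Nick's two projects; risk premium of 5 points on the first is an assumption.
RISKY = Project("A: $20k in, $2k/period", 20_000, 2_000, 15, 0.05)
SAFE = Project("B: $10k in, $1k/period", 10_000, 1_000, 15, 0.00)
WACC = 0.05  # assumed firm-wide cost of capital

if __name__ == "__main__":
    for name, metrics in compare([RISKY, SAFE], WACC).items():
        print(name, {k: round(v, 2) for k, v in metrics.items()})
    print(premium_sensitivity(RISKY, WACC, [0.0, 0.02, 0.05, 0.10]))
```

ROI (0.5) and payback (10 periods) come out identical for both projects, while the risk-adjusted NPV is positive for the safer project and negative for the riskier one, which is the distinction Nick says ROI cannot make.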