Re: Security Expected To Take A Larger Bite Out Of IT Budgets
Forwarded from: Nick Owen

ROI is a poor measure for all financial decisions. Information security just demonstrates its major weakness - it ignores the cost of capital. What risk management projects do is reduce the cost of capital.

Say you have two projects, one costs $1,000,000 and saves $100,000 a year; the other costs $100,000 and saves $10,000 a year. Which do you do? ROI and payback are better for project A. However, what if project A is far riskier than project B? If your cost of capital for project A is 12%, doing project A is a *bad idea* because it creates only $833,333 in value. If the cost of capital for Project B is less than 10%, it is a good idea. ROI would have you do both.

IMO, this unhealthy focus on a very poor measure is hurting information security. To suggest that my company should spend X% on security because our peers do is beyond absurd. How do I best my competition?

There is no need for new ways to measure information security, they exist already: ROIC, EVA, etc., anything that includes the cost of capital.

--
Nick Owen
CEO
WiKID Systems, Inc.
404-962-8983
http://www.wikidsystems.com
Two-factor authentication, without the hassle factor.

InfoSec News wrote: