�ݺ�ߣ

Finance for Hackers or How to get all the budget you deserve Nick Owen @wikidsystems

Compliance vs Security http://www.flickr.com/photos/turbojoe/556776940/

How much security? http://prairiepathways.com/Postcards_from_Kansas/

How is value created? �� When you're working for a business only 2 things matter ...the top line and bottom line. Translated into normal speak that means you need to contribute to the business in one of two ways: > help the business make money (adding to the top line) > help the business save money (managing the bottom line) If you're not working to one of those two goals, you're wasting company resources.�� Rafal Los http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/Business-Relevant-Information-Security-The-Top-and-Bottom-Lines/ba-p/4823525

Why should I care? Because you work there.

The SEC cares CF Disclosure Guidance: Topic No. 2, 10/13/2011 Analyze Cyber Security Risks, including frequency and impact and if material, you might have to disclose.

Goals Provide infosec pros with the tools to talk to business, in particular, finance Improve understanding of infosec's impact on business Review some current developments on risk management Consider Buy, Build or Rent & Acquisition

Which Project? Investment $1,000,000 $10,000,000 Net Income $200,000 $2,000,000 ROI 20% 20%

What's Investment? Year 1 Year 2 Investment $10,000,000 $6,666,666 Net Income $200,000 $2,000,000 ROI 20% 30%

NPV WACC 10.00% Revenue 100 100 100 100 100 Expenses 70 70 70 70 70 Taxes 9 9 9 9 9 NOPAT 21 21 21 21 21 NPV $79.61

Reduced WACC WACC 9.00% Revenue 100 100 100 100 100 Expenses 70 70 70 70 70 Taxes 9 9 9 9 9 NOPAT 21 21 21 21 21 NPV $81.68

How to create value? Improve return on existing base of capital Invest where return is > WACC Divest where return is < WACC For infosec: manage the risk of a cash flow stream so the cost of capital is less than the firm's WACC. Avoid Losses that decrease the return on existing capital.

How is WACC calculated Where Sigma is ��Ask your CFO��

WACC Cost of all your sources of financing Sum of cost of debt, equity, retained earnings, etc. 50% debt at 10% and 50% equity at 15% = 12.5%

Return on Equity Capital Asset Pricing Model: Ra = Rf + beta(Rm-Rf) Rf = Risk-free Rate Beta = relative volatility vs market Rm = expected market return IE: Investors want to be compensated for time-value of money and risk

Estimating WACC US Gov't Bonds: 1% Credit Cards: 25% Venture Capital: 50%

Economic Profit Economic profit aka EVA ? Works in projections and in real life Operational Includes Balance Sheet & P&L Introduces Off-Balance sheet/P&L Items

Economic Profit WACC 10.0% 10.0% 10.0% 10.0% 10.0% Capital Base 200 200 200 200 200 Revenue 100 100 100 100 100 Expenses 70 70 70 70 70 Taxes 9 9 9 9 9 NOPAT 21 21 21 21 21 Cap Charge 20 20 20 20 20 Econ Profit 1 1 1 1 1

Cash Machine WACC 10.0% 10.0% 10.0% 10.0% 10.0% Capital Base 200 221 244 278 327 Revenue 100 111 134 167 217 Expenses 70 77 85 97 114 Taxes 9 10 14 21 31 NOPAT 21 23 34 49 71 Cap Charge 20 22 24 28 33 Econ Profit 1 1 9 21 39

A bonus plan for 5 guys 1 st plan: The biggest credit card payment 2 nd plan: Everybody is in the money 3 rd plan: 1/3 of economic profit

Economic Profit Bonus Assume $600,000 in Capital at 20% Revenue 100 110 125 100 Expenses 60 60 70 70 Taxes 10 10 10 10 Capital Charge 10 10 12.5 10 Econ profit 20 30 35 10 Bonus 0 0 28.33 25.00 Plow-back 56.66 50.00

Reducing WACC WACC 10.0% 9.0% 9.0% 9.0% 9.0% Capital Base 200 200 200 200 200 Revenue 100 100 100 100 100 Expenses 70 70 70 70 70 Taxes 9 9 9 9 9 NOPAT 21 21 21 21 21 Cap Charge 20 18 18 18 18 Econ Profit 1 3 3 3 3

Buy, Build or Rent? Buy: $100,000 plus 18% per year ($18k) Build: $150,000 plus 8% per year ($12k) Rent: $25,000/year

Rent Buy: ($100,000 * 9% ) + $18,000 = $27,000/yr Build: ($150,000 * 9%) + $12,000 = $25,500 Rent: $25,000

Acquisition �� We're going to invest $75 in a company that has $100 in revenues and projected NOPAT of $21 per year for 5 years. Will there be additional IT costs or investment needed for security? Are their potential losses?��

NPV of Project X WACC 5.00% Investment -$75 Revenue 100 100 100 100 100 Expenses 70 70 70 70 70 Taxes 9 9 9 9 9 NOPAT 21 21 21 21 21 NPV $15.16

Improving Risk Management Source: A New Approach for Managing Operational Risk

Actuarial Methods Internal & External Data/��Soft�� data and ��hard�� data Threat Landscape Loss analysis Frequency Ease of attack Control Strength

Value at Risk Russell Cameron Thomas: Meritology

Add Expected Loss WACC 5.00% Investment -$75 Revenue 100 100 100 100 100 Expenses 70 70 70 70 70 Expected Loss 2 2 2 2 2 Taxes 8.4 8.4 8.4 8.4 8.4 NOPAT 19.6 19.6 19.6 19.6 19.6 NPV $9.39

Add Unexpected Loss? WACC 5.00% Investment -$75 Revenue 100 100 100 100 100 Expenses 70 70 70 70 70 Expected Loss 2 2 2 2 2 Unexpected Loss 0 0 0 0 20 Taxes 8.4 8.4 8.4 8.4 2.4 NOPAT 19.6 19.6 19.6 19.6 5.6 NPV -$1.06

Annual cost of Unexpected Loss? SoA suggests UL x WACC $20,000,000 x .05 = $1,000,000 But where to put it?

Add Unexpected Loss Capital Base 75 75 75 75 75 Revenue 100 100 100 100 100 Expenses 70 70 70 70 70 Expected Loss 2 2 2 2 2 Taxes 8.4 8.4 8.4 8.4 8.4 NOPAT 19.6 19.6 19.6 19.6 19.6 Cap Charge 3.75 3.75 3.75 3.75 3.75 Economic Profit 15.85 15.85 15.85 15.85 15.85 WACC x UL 1 1 1 1 1 Risk-Adjusted EP 14.85 14.85 14.85 14.85 14.85

Push the curve Difference between UL 1 and UL 2 == Sleep at night

Invest to reduce risk Capital Base 75 77 77 77 77 Revenue 100 100 100 100 100 Expenses 70 72 72 72 72 Expected Loss 5 3 3 3 3 Taxes 7.5 7.5 7.5 7.5 7.5 NOPAT 17.5 17.5 17.5 17.5 17.5 Cap Charge 7.5 7.7 7.7 7.7 7.7 Economic Profit 10 9.8 9.8 9.8 9.8 WACC x UL 5 3 3 3 3 Risk-Adj EP 5 6.8 6.8 6.8 6.8

Wrong Way Added expected losses Added Unexpected losses

New Buy, Build, Rent Buy: ($100,000 * 9% ) + $18,000 = $27,000/yr Build: ($150,000 * 9%) + $12,000 = $25,500 Rent: $25,000 + Change in EL + Change in UL x WACC == probably worse

When vendors increase risk Capital Base 75 75 75 75 75 Revenue 100 100 100 100 100 Expenses 70 69 69 69 69 Expected Loss 5 7 7 7 7 Taxes 7.5 7.2 7.2 7.2 7.2 NOPAT 17.5 16.8 16.8 16.8 16.8 Cap Charge 7.5 7.5 7.5 7.5 7.5 Econ Profit 10 9.3 9.3 9.3 9.3 WACC x UL 5 10 10 10 10 Risk-Adj EP 5 -0.7 -0.7 -0.7 -0.7

But Nick! My CFO has never heard of Economic Profit!

Questions for your CFO What's our WACC or what should I use as a target cost of capital? If I retire an asset, can you write it off? What is the impact? How should I estimate an annual cost of infrequent very bad events if that unexpected loss could be $X? If I determine that our risks have dramatically increased, can I request emergency budget $Y?

Reducing Business Risk "No sooner is one problem solved than another surfaces��never is there just one cockroach in the kitchen." Warren Buffet

InfoSec & Economic Profit Reduce invested capital �C don't play capex/opex games (if your company does...) Reduce expenses 'Necessary but not sufficient' e.g firewalls Non-core: move to services over software �C eg. Waf, anti-virus, scanning unless it increases the threat landscape, then choose wisely.

In sum? Do analysis like a financial analyst Do as deep analysis as is needed for your firm Differentiate between average risk and infrequent, but bad risk Be aware of threat landscape Be ready to adjust quickly Good companies do most things well.

Sources/Suggestions The Quest for Value �C G. Bennett Stewart III A New Approach for Managing Operational Risk http://www.soa.org/files/pdf/research-new-approach.pdf Society for Information Risk Analysts: http://societyinforisk.org/

Questions? Nick Owen @wikidsystems [email_address] 404-962-8983 http://www.wikidsystems.com

�ݺ�ߣ

Finance for hackers

More Related Content

Finance for hackers

Editor's Notes