Assessing Cyber Security Investment Options

DRAFT
ASSESSING CYBER SECURITY
INVESTMENT OPTIONS: AN
ECONOMIC VIEW
Xian Sun
Assistant Professor in Finance
Carey Business School
Johns Hopkins University
MODULE OUTLINE

• Basic finance skills in decision making:
  ◦ Time value of money
  ◦ Net Present Value
  ◦ Free Cash Flows
• Decision making framework in cyber security investment projects:
  ◦ Benefits
  ◦ Costs
  ◦ Value-at-Risk model
• Case study: 2013 Target data breach
  ◦ Identify the costs of the 2013 Target data breach and the benefits of its cyber investment.
OVERVIEW
• Firms should undertake a project when and only when it creates value.
• The challenge in evaluating cyber security projects is that their incremental values are uncertain and therefore hard to measure economically.
• This module is designed to introduce the basic finance skills and framework used in decision making, apply the framework to a real-world case, and discuss what a traditional financial framework can do for security spending decisions.
LEARNING OBJECTIVES
• Introduce time value of money;
• Understand how to use the NPV (net present value) rule to make investment decisions;
• Introduce the benefits and costs associated with cyber security investment decisions;
• Learn VaR (Value-at-risk) and its application in cyber security investment decision making;
• Apply the benefit-cost framework to a real-world cyber event;
• Discuss the challenges in applying a traditional economic model in cyber security decisions.
SHIFT IN CYBER SECURITY INVESTMENT
DECISIONS FROM TECHNICAL RISK TO BUSINESS
RISK

• More companies treat cyber security as a critical business decision.
  ◦ Currently, about 10% of U.S. CISOs (chief information security officers) report to CFOs (chief financial officers) instead of to CIOs (chief information officers), and the percentage is increasing (Source: WSJ).
  ◦ “CFOs make cyber security decisions using the same approach they use across other risk domains. Their focus is on how cyber investments impact the bottom line by preventing losses due to risks, or increasing revenue …”, Steven Grossman, VP of Bay Dynamics.
BASIC FINANCE SKILLS IN DECISION
MAKING: TIME VALUE OF MONEY

Time value of money

Financial decisions often require combining cash flows or comparing values. We use an interest rate to move money forward or backward in time.
THE 1ST RULE OF TIME TRAVEL

A dollar today and a dollar in one year are
not equivalent.
It is only possible to compare or combine values
at the same point in time.

Which would you prefer: A gift of $1,000 today or
$1,210 at a later date?

To answer this, you will have to compare the
alternatives to decide which is worth more. One
factor to consider: How long is “later?”
THE 2ND RULE OF TIME TRAVEL

To move a cash flow forward in time, you must compound it.

Suppose you have a choice between receiving $1,000 today or $1,210 in two years. You believe you can earn 10% on the $1,000 today, but want to know what the $1,000 will be worth in two years.

$$FV = C \times (1 + r)^n$$
THE 3RD RULE OF TIME TRAVEL

To move a cash flow backward in time, we must discount it.

Present Value of a Cash Flow

$$PV = C \div (1 + r)^n = \frac{C}{(1 + r)^n}$$
BASIC FINANCE SKILLS IN DECISION
MAKING: NET PRESENT VALUE

Net Present Value compares the present value of cash inflows (benefits) to the present value of cash outflows (costs).

Calculating the NPV of future cash flows allows us to evaluate an investment decision.

NPV = PV (all cash flows from the project)
    = PV (Benefits) – PV (Costs)

Only projects with positive NPV will be accepted.
BASIC FINANCE SKILLS IN DECISION
MAKING: NPV RULES

Incremental Earnings

The amount by which the firm’s earnings are expected to change as a result of the investment decision.

When evaluating the cash flows related to a project, only the incremental earnings should matter.
EXAMPLES OF INCREMENTAL CASH FLOWS
• Opportunity Cost: The value a resource could have provided in its best alternative use. For example, if a piece of equipment will be housed in an existing lab, the opportunity cost of not using the space in an alternative way (e.g., renting it out) must be considered.

• Project Externalities: Indirect effects of the project that may affect the profits of other business activities of the firm. Cannibalization is when sales of a new product displace sales of an existing product.
EXAMPLES OF CASH FLOWS NOT INCLUDED IN
INVESTMENT DECISION MAKING

• Sunk costs are costs that have been or will be paid regardless of whether the investment is undertaken. Sunk costs should not be included in the incremental earnings analysis.
• Fixed Overhead Expenses: Typically, overhead costs are fixed and not incremental to the project, and should not be included in the calculation of incremental earnings.
BASIC FINANCE SKILLS IN DECISION
MAKING: NPV AND FREE CASH FLOWS

Therefore, what really matters in any investment decision is the amount of the incremental cash flows created by a project, also referred to as free cash flow.
ILLUSTRATE FREE CASH FLOWS IN CYBER
SECURITY SPENDING

The free cash flow concept helps us value cyber security
investment.
For example, even if a cyber security project requires an initial investment and creates no cash inflows at all, the NPV analysis may still yield a positive value if the project reduces the existing cost of cyber breaches. The reduction in the existing cost creates incremental value for the firm by releasing resources that would have been consumed without undertaking the cyber project.
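
The time-value and NPV rules above, applied to a security project that earns no revenue, as an added example that is not part of the original slides. The function names and all dollar figures are constructed for illustration; only the 10% rate and the $1,000 / $1,210 pair come from the slides.

```python
def future_value(c, r, n):
    """Compound cash flow c forward n periods at rate r: FV = C * (1 + r)^n."""
    return c * (1 + r) ** n


def present_value(c, r, n):
    """Discount cash flow c received in n periods to today: PV = C / (1 + r)^n."""
    return c / (1 + r) ** n


def npv(cash_flows, r):
    """cash_flows[t] is the net cash flow at the end of year t (t = 0 is today)."""
    return sum(present_value(c, r, t) for t, c in enumerate(cash_flows))


def incremental_cash_flows(upfront, annual_opex, loss_without, loss_with, years):
    """Free cash flows of a security project with no cash inflows.

    The only benefit is the drop in expected annual breach cost
    (loss_without - loss_with). Sunk costs and fixed overhead are left out
    because they do not change with the decision.
    """
    avoided = loss_without - loss_with
    return [-upfront] + [avoided - annual_opex] * years


RATE = 0.10  # the slides' 10% rate

# Constructed scenario A: breach costs fall from $400k to $150k per year.
PROJECT_A = incremental_cash_flows(450_000, 50_000, 400_000, 150_000, years=3)
# Constructed scenario B: same spend, but breach costs only fall to $200k.
PROJECT_B = incremental_cash_flows(450_000, 50_000, 400_000, 200_000, years=3)


def accept(cash_flows, r=RATE):
    """NPV rule: undertake the project only if it creates value."""
    return npv(cash_flows, r) > 0


if __name__ == "__main__":
    print(f"$1,000 in two years at 10%: ${future_value(1000, RATE, 2):,.2f}")
    for name, flows in (("A", PROJECT_A), ("B", PROJECT_B)):
        print(f"Project {name}: NPV = ${npv(flows, RATE):,.2f}, accept = {accept(flows)}")
```

Project A is accepted although it never produces a cash inflow; Project B, with a smaller reduction in breach costs, is rejected at the same spend.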
UNDERSTANDING THE BENEFITS AND
COSTS OF CYBER SECURITY PROJECTS

Benefits:

• Direct:
  ◦ Reduced opportunity costs (positive incremental value): the investment in cyber security reduces the existing cost of cyber breaches.
  ◦ Stability of the operating system and avoided losses from system downtime.
• Indirect:
  ◦ Stronger partnership with suppliers.
  ◦ Attract more customers.
  ◦ Increase the value of the whole value chain.
  ◦ More sympathy from shareholders in the event of a cyber security attack.
UNDERSTANDING THE BENEFITS AND
COSTS OF CYBER SECURITY PROJECTS

Costs:

• Direct costs: investment in systems, training employees and/or outsourcing
• Indirect costs in the event of cyber security concerns:
  ◦ Legal penalties;
  ◦ Loss of customers;
  ◦ Loss of partnerships/suppliers;
  ◦ Impaired firm reputation and sliding stock value;
  ◦ Spillover effects that impact the future prospects of the whole industry.
INDIRECT COSTS
• Note that both the indirect benefits and costs may depend on the likelihood of a cyber security event, which may be inversely impacted by the amount directly invested in cyber security.
• Therefore, firms need to allocate resources between these two options: one requires sacrificing resources now, and the other requires sacrificing them later.
• The supplementary relationship between spending now or later may be magnified or moderated by broader factors, such as the industry's vulnerability to cyber security events, the advances of information technology at the industry level, and the connectedness among the firms in the industry.
EVALUATING CYBER SECURITY
INVESTMENT BY VALUE-AT-RISK APPROACH


VaR (Value-at-risk) is a prevalent risk management framework in financial industries where firms simulate a distribution of returns on certain assets/investments and measure the left tail risk (negative returns). Because the outcome of a cyber security project is particularly uncertain, VaR helps us understand the incremental effect of cyber projects on a firm’s existing risk.

Again, it is the incremental effect on the current risk management that matters. That is, does the cyber project improve the left tail risk, and by how much?
VAR

VaR analysis would provide a good idea of the estimated economic losses given the occurrence and therefore suggest the “cushion” needed to cover the estimated losses or a certain amount of the unexpected losses. More and more U.S. CFOs who undertake the role of supervising cyber security investment decisions have started adopting the VaR approach in estimating the occurrence of such negative events and the dollar amount at stake upon the occurrence.
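
A simulated VaR comparison of a firm's annual cyber loss with and without a security project, as an added example that is not part of the original slides. The loss model (a breach probability plus a lognormal severity), the parameter values and the function names are all assumptions chosen for illustration; losses are expressed as positive dollars, so the slides' "left tail" of returns is the upper tail here.

```python
import math
import random


def simulate_annual_losses(p_breach, severity_scale, trials=20_000, seed=7):
    """Simulate one-year cyber loss outcomes (constructed model, an assumption).

    Each trial: a breach occurs with probability p_breach; if it does, the
    loss is lognormal (median about $1M) times severity_scale. Both random
    draws are taken on every trial so that two runs with the same seed face
    the same luck and differ only through the project's effect.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        u = rng.random()
        severity = rng.lognormvariate(math.log(1_000_000), 1.0)
        losses.append(severity * severity_scale if u < p_breach else 0.0)
    return losses


def value_at_risk(losses, level=0.95):
    """Loss that is not exceeded in `level` of the simulated years."""
    ordered = sorted(losses)
    return ordered[math.ceil(level * len(ordered)) - 1]


def compare(level=0.95):
    """Incremental effect of a hypothetical project on the loss tail."""
    before = simulate_annual_losses(p_breach=0.30, severity_scale=1.0)
    after = simulate_annual_losses(p_breach=0.10, severity_scale=0.8)
    var_before = value_at_risk(before, level)
    var_after = value_at_risk(after, level)
    return {
        "expected_before": sum(before) / len(before),
        "expected_after": sum(after) / len(after),
        "var_before": var_before,
        "var_after": var_after,
        "tail_improvement": var_before - var_after,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>16}: ${value:,.0f}")
```

The gap between each VaR figure and the matching expected loss is the "cushion" for unexpected losses; `tail_improvement` is the incremental effect of the project on the tail.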
LIMITATIONS OF VAR METHOD

• The estimation of the distribution of possible losses is data driven. It would be difficult to generate a meaningful VaR analysis with sparse data availability.
• The distribution estimated using historical data may not be a good indicator of future possible losses.
• Both concerns may be magnified when applied to cyber security events.
APPLY THE BENEFIT-COST FRAMEWORK TO
A REAL WORLD CYBER EVENT

Target 2013 Data Breach

In 2013, Target Corporation’s (Target) security and payment system was breached, compromising 40 million credit and debit card numbers, along with 70 million addresses, phone numbers and other personal information.

Read the provided package of articles about the Target data breach and summarize the costs of the 2013 data breach and all the benefits of Target’s reaction of making new investment in cyber security.
SUGGESTED SUMMARY OF BENEFITS AND
COSTS

Available to students after class discussion
DISCUSS THE CHALLENGES IN APPLYING A
TRADITIONAL ECONOMIC MODEL IN CYBER
SECURITY DECISIONS.