Tuesday, August 5, 2008

Valuing Disk Encryption

I recently finished taking a finance class where we talked about concepts like Net Present Value (NPV), present values of perpetuities, Weighted Average Cost of Capital (WACC) and Capital Asset Pricing Model (CAPM). Part of the class covered project management and how to select projects based on the benefit that will come to the company while adjusting for the time value of money. This led me to wonder how I could use this new information to put a value on our Pointsec full disk encryption project.

First, I'm going to give a brief description of the finance terms I used above, since this is a security blog and I don't know if everyone reading it knows them. Net Present Value gives you a way of putting a concrete value, in today's dollars, on a future stream of money, net of what you pay to get it. So, for example, if an investment is going to pay you $1000 each year for three years and you pay $1200 up front to get it, was it a good investment? Generally, if the NPV is a positive number then you should take the project. The present value of a perpetuity is the same concept applied to a stream that never ends. If you want a 4% return on your money and some investment is going to pay you $1000 per year forever, then what is it worth paying to get that? (Divide the payment by the rate: $1000 / 0.04 = $25,000.) For the sake of this conversation, WACC shows how much it costs your organization to raise money, and it is used as the discount rate, the rate of return a project has to beat to be profitable.

Let's use this information to examine our Pointsec disk encryption project. We have a laptop computer lost or stolen approximately once each year. I have estimated that when the laptop is not encrypted it costs my organization about $2000 in employee time and notification costs. If the laptop is encrypted then it probably only takes about $200 in employee time to verify that, file the report, and move on. So if we encrypt all of our laptop computers then we can expect to save $1800 per year.

In order to put a present value on these cash flows, we need to know what the discount rate is going to be. I have no idea what is a good number, but I figure since I work for a government entity, our cost of capital is pretty low. I'm going to estimate a 3% discount rate. Someone can tell me later if that number is way off.

Next we need to decide how long we expect to receive that $1800 cash flow. My first answer was to take the average lifetime of a laptop computer before it is refreshed. In our case, that is about five years. So what is the value of that cash flow? $1800/year at 3% for five years is worth $8,243.47. That means that if we can do the project for less than $8,243.47 then we used the money well. I'm not going to go into specifics on how many machines we own or what kind of pricing we have with Checkpoint software, but it cost us about $8000 for licensing. That means in order for the project to be profitable we would have to have implementation costs of less than $243.47. Not likely. Also, if we were to buy a few dozen more laptop computers, then the benefit wouldn't even cover the cost of the additional licenses. To be fair, though, if we bought a few dozen more laptop computers then we might have more theft, which would increase the value of the benefit.

But then I started to think more about the project. When each computer reaches its five year mark, it gets replaced with a new laptop that will need to be protected. So it isn't really accurate to put a five year life on the project. We're really looking at a savings of $1800/year forever. The present value of a perpetuity that pays $1800/year at 3% is $60,000! So by valuing the project this way, we can have implementation costs of up to $52,000 on top of the $8000 in licensing and still be profitable. That seems really high to me. I also think that it isn't fair to say that we're going to have this cash flow every year forever. For one thing, we don't even know if this technology is going to be necessary in ten years. Maybe all hard drives will be encrypted and we won't need to use software to do the job.

So how do we answer this question? I think for most pieces of equipment you would take the useful life of the asset and consider the cash flows for that lifespan, plus the salvage value if you're able to sell the asset. Depending on the asset, this might be easy or difficult. If we were talking about a firewall, then you might look at your other assets and say "I usually get about five years out of something I purchase." Or you might talk to other companies of similar size and find out that most people get seven years out of the asset. There was a four-year gap between Office 2003 and Office 2007, so maybe when trying to decide the benefit of upgrading to Office 2007 you should assume a four-year life.

Even without perfect information there are a few questions we can answer by taking the known variables and solving for the unknown one, to see if things pass the smell test. For example, we know that we're going to spend $8000 in licensing costs and we can estimate that we're going to spend another $6,000 in labor to install, maintain, and troubleshoot the product, for $14,000 in total. If we assume that our required rate of return is 3% and that each avoided incident saves us $1800 (the $2000 unencrypted cost minus the $200 encrypted cost), then how long would we have to get this benefit for it to be a profitable use of our money? According to my spreadsheet the answer is about 8 years, which seems fairly reasonable to me. We could also rearrange the equation to answer what the required rate of return must be for this project to be profitable after some number of years and see if that number is reasonable too.
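The calculations in this post are easy to get subtly wrong in a spreadsheet, so here is a small Python script that reproduces them: the five-year annuity, the perpetuity, the break-even horizon for a given cost, and the rearranged question of what discount rate a fixed horizon would require. It is an added example written for this edit, not code from the original post or from any Pointsec/Check Point tool. It assumes the post's figures ($1800/year saved, 3% discount rate, $8000 licensing plus $6000 labor) and that each year's saving arrives at the end of the year; the function names are my own.

```python
"""NPV arithmetic for the laptop disk-encryption decision (added example).

Assumptions (mine, matching the post): a level cash flow of `cash_flow`
dollars received at the END of each year, discounted at `rate`.
"""
import math


def annuity_pv(cash_flow, rate, years):
    """Present value of `cash_flow` per year for `years` years at `rate`."""
    if years < 0:
        raise ValueError("years must be non-negative")
    if rate == 0:
        return cash_flow * years          # no discounting at all
    return cash_flow * (1 - (1 + rate) ** -years) / rate


def perpetuity_pv(cash_flow, rate):
    """Present value of `cash_flow` per year forever at `rate` (rate must be > 0)."""
    if rate <= 0:
        raise ValueError("a perpetuity only has a finite value at a positive rate")
    return cash_flow / rate


def npv(cost, cash_flow, rate, years):
    """Net present value: PV of the benefit stream minus the up-front cost."""
    return annuity_pv(cash_flow, rate, years) - cost


def breakeven_years(cost, cash_flow, rate):
    """Smallest whole number of years for which the PV of savings covers `cost`.

    Returns None when no horizon is long enough, i.e. the cost meets or
    exceeds the value of the savings continued forever.
    """
    if rate == 0:
        return math.ceil(cost / cash_flow)
    if cost >= perpetuity_pv(cash_flow, rate):
        return None
    # Solve cash_flow * (1 - (1+rate)^-n) / rate = cost for n in closed form.
    n = -math.log(1 - cost * rate / cash_flow) / math.log(1 + rate)
    return math.ceil(n)


def required_rate(cost, cash_flow, years, tol=1e-9):
    """Discount rate at which NPV is exactly zero over `years` (the IRR).

    Found by bisection, since NPV falls monotonically as the rate rises
    for an all-positive benefit stream.  Returns None if the project does
    not pay back even with no discounting at all.
    """
    lo, hi = 0.0, 1.0
    if npv(cost, cash_flow, lo, years) < 0:
        return None
    while npv(cost, cash_flow, hi, years) > 0:   # push hi until NPV is negative
        hi *= 2
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if npv(cost, cash_flow, mid, years) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    SAVING, RATE = 1800.0, 0.03                  # figures from the post
    LICENSE, LABOR = 8000.0, 6000.0
    print(f"5-year PV:           ${annuity_pv(SAVING, RATE, 5):,.2f}")
    print(f"perpetuity PV:       ${perpetuity_pv(SAVING, RATE):,.2f}")
    print(f"break-even, $14,000: {breakeven_years(LICENSE + LABOR, SAVING, RATE)} years")
    print(f"break-even, $60,000: {breakeven_years(60000.0, SAVING, RATE)}")
    r = required_rate(LICENSE + LABOR, SAVING, 8)
    print(f"rate for 8-year payback: {r:.2%}")
```

Running it gives the two present values quoted in the post ($8,243.47 and $60,000). With end-of-year savings, $14,000 of total cost is first covered in year 9 (eight years of savings are worth about $12,600, nine about $14,000), and a $60,000 total spend never pays back at 3% because that is the value of the savings continued forever. Rearranging for the rate shows that an eight-year payback on $14,000 requires a discount rate well under 1%, which is the kind of sanity check the "smell test" is about: if the rate you need is lower than any plausible cost of capital, the project only looks good on paper.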

In previous posts, I've compared the practice of information security to the Jedi and Sith of the Star Wars Universe. Using numbers like these to make a security decision is a great example of Form II lightsaber combat, which I'll be talking about in a future blog post.
