A recent article discussed several myths and realities related to investments in information security. Information security (IS) investments are hard to evaluate, since companies must provide the "confidentiality, integrity, and availability of information, while also assuring authenticity and non-repudiation." That is to say, data needs to be protected against unauthorized or undetected change and kept away from non-authorized persons, while at the same time those who have legitimate business with that data must be able to get at it whenever they need it.
Because of the complicated nature of many businesses, CxOs rightfully demand some monetary justification for pumping money into security rather than into other projects that also need funding. According to the authors of this article, the traditional accounting measure, return on investment (ROI), does not completely capture the benefits and risks associated with information security, so other measures must be used to find a project's return on security investment (ROSI).
The first myth dispelled in the article is that "the accounting concept of 'return on investment' is an appropriate concept for evaluating information security investments." The problem with ROI is that it is a historical accounting measure: it looks backward at booked profits rather than forward at what the investment will actually produce. The economic measures, net present value (NPV) and the internal rate of return (IRR), are built on forecast, discounted cash flows over the life of the investment and are truer measures of its worth.
The second myth is that "maximizing the IRR on information security investments is an appropriate objective." That is, the highest IRR is not necessarily the best choice. The IRR measures a percentage return on each dollar, not an actual dollar return, so it will favor a small investment whose first few dollars pay off handsomely over a larger one that yields more in total. The IRR is useful up to a point, but to determine the actual amount to invest, the level of investment that yields the greatest net benefit should be chosen, which means adding to the investment only while the marginal dollars still earn an acceptable return. I'm not so sure that I agree with this point, but of course none of my articles have been published in Strategic Finance yet. What it looks like to me is that if another project has a higher marginal IRR, it will have a higher present value than the IS project, so the alternative project should receive the additional funding. This may be implied, but the article seems to focus on comparing a project's IRR only to itself, not to alternative projects.
The third myth is that "IRR and NPV are ex post metrics for evaluating the actual performance of information security investments." IRR and NPV are ex ante measures: they forecast the returns of a project before it is undertaken. Going back to measure the actual return on a project once it has been completed is called "post-auditing," and it is a separate exercise. Security investments make post-auditing especially awkward: the more successful a project turns out to be, the fewer security problems will be seen, and the harder it becomes to measure the losses that were avoided, since nobody can observe the breaches that did not happen. The most successful project is the one that results in no one even thinking about the security plan.
The fourth myth is that "it's appropriate to invest in security activities up to the level where the investments equal the expected loss from security breaches." The expected loss is the probability of a breach times the loss it would cause, and the point of security spending is to lower that probability. Since each additional dollar of security buys a smaller reduction in breach probability than the last, spending should continue only while an extra dollar of investment removes at least a dollar of expected loss, not all the way up to the expected loss itself. So, with this final point, the authors tell us that the optimal level of security investment must be found, not just the project's rate of return.
In their research, they have found that the optimal investment in preventing a loss is never more than about one-third of the expected loss (their model puts the ceiling at 1/e, roughly 37 percent, which the article rounds to a third). By investing more than the optimum, a firm spends more on each extra increment of protection than that increment saves, so the money is better spent elsewhere. By investing less than the optimum, a firm forgoes reductions in expected loss that would have cost less than they were worth, and leaves itself bearing avoidable risk.
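The two points above (myth 2, that the highest IRR is not the best budget, and myth 4 together with the one-third ceiling) can be made concrete with a small numerical model. The following is an added example and is not code or data from the article. It assumes a breach-probability function of the form used in Gordon and Loeb's economic model, S(z, v) = v / (alpha*z + 1)**beta, where v is the breach probability with no security spending and z is the dollars invested; the parameter values, the candidate budgets, the discount rate and the one-year horizon are all made up for illustration.

```python
# Added example (not from Gordon & Loeb's article). It walks through
# "highest IRR is not the best budget" and "invest only while the marginal
# dollar still pays" using a breach-probability function of the form used in
# Gordon & Loeb's model: S(z, v) = v / (alpha*z + 1)**beta.
# Every numeric parameter below (v, loss, alpha, rate, budgets) is constructed
# for illustration and carries no empirical weight.
import math


def breach_probability(z, v, alpha=8e-6, beta=1.0):
    """Probability of a breach after investing z dollars, given baseline
    vulnerability v (breach probability with no investment). The curve is
    convex in z, so each extra dollar removes less probability than the last."""
    return v / (alpha * z + 1) ** beta


def expected_loss_reduction(z, v, loss, alpha=8e-6, beta=1.0):
    """Annual benefit of the investment: expected loss avoided, i.e. the drop
    in breach probability times the loss a breach would cause."""
    return (v - breach_probability(z, v, alpha, beta)) * loss


def optimal_investment(v, loss, alpha=8e-6, beta=1.0, step=1.0):
    """Myth 4: keep adding `step` dollars while they reduce the expected loss
    by at least `step` dollars, and stop when marginal benefit drops below
    marginal cost. The benefit curve is concave, so a single sweep suffices."""
    z = 0.0
    while True:
        marginal_gain = (expected_loss_reduction(z + step, v, loss, alpha, beta)
                         - expected_loss_reduction(z, v, loss, alpha, beta))
        if marginal_gain < step:
            return z
        z += step


def max_share_of_expected_loss(v, loss, alphas, step=25.0):
    """Largest fraction of the expected loss (v * loss) that the optimal
    investment reaches across a range of alpha values. For this model it
    stays below 1/e no matter how alpha is chosen."""
    return max(optimal_investment(v, loss, a, step=step) / (v * loss) for a in alphas)


def npv(z, v, loss, rate, years, alpha=8e-6, beta=1.0):
    """Net present value: up-front cost z, then `years` of discounted benefit."""
    benefit = expected_loss_reduction(z, v, loss, alpha, beta)
    return -z + sum(benefit / (1 + rate) ** t for t in range(1, years + 1))


def irr(z, v, loss, years, alpha=8e-6, beta=1.0, lo=-0.99, hi=100.0):
    """Internal rate of return: the discount rate at which NPV is zero, found by
    bisection (NPV is strictly decreasing in the rate for this cash-flow shape)."""
    for _ in range(200):
        mid = (lo + hi) / 2
        if npv(z, v, loss, mid, years, alpha, beta) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def compare_budgets(budgets, v, loss, rate, years):
    """Myth 2: return (budget with the highest IRR, budget with the highest NPV).
    They differ because IRR rewards the cheapest first dollars, not total gain."""
    best_irr = max(budgets, key=lambda z: irr(z, v, loss, years))
    best_npv = max(budgets, key=lambda z: npv(z, v, loss, rate, years))
    return best_irr, best_npv


if __name__ == "__main__":
    v, loss = 0.5, 1_000_000          # constructed: 50% breach chance, $1M loss
    budgets = [1_000, 10_000, 50_000, 110_000, 200_000]
    for z in budgets:
        print(f"z={z:>7}  IRR={irr(z, v, loss, 1):8.2%}  NPV={npv(z, v, loss, 0.10, 1):10,.0f}")
    print("highest IRR / highest NPV:", compare_budgets(budgets, v, loss, 0.10, 1))
    z_star = optimal_investment(v, loss)
    print(f"marginal-analysis optimum: {z_star:,.0f} = {z_star / (v * loss):.1%} of expected loss")
    alphas = [2e-6 * k for k in range(1, 21)]
    print(f"max share over alpha sweep: {max_share_of_expected_loss(v, loss, alphas):.3f}"
          f" <= 1/e = {1 / math.e:.3f}")
```

With these constructed numbers the $1,000 budget has the highest IRR (close to 300 percent) but a trivial NPV, while the $110,000 budget has the highest NPV; the marginal-analysis optimum lands at $125,000, a quarter of the $500,000 expected loss, and sweeping alpha never pushes that share above 1/e. Investing the full expected loss, as the fourth myth suggests, would be four times the optimum.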
Gordon, L. A., & Loeb, M. P. (2002). Return on information security investments: Myths vs. realities. Strategic Finance, 84(5).