Finance for hackers
Finance for Hackers
or
How to get all the budget you deserve
Nick Owen
@wikidsystems
About me
Compliance vs Security
http://www.flickr.com/photos/turbojoe/556776940/
How much security?
http://prairiepathways.com/Postcards_from_Kansas/
How is value created?
“When you're working for a business only 2 things matter ... the top line and bottom line. Translated into normal speak that means you need to contribute to the business in one of two ways:
> help the business make money (adding to the top line)
> help the business save money (managing the bottom line)
If you're not working to one of those two goals, you're wasting company resources.”
Rafal Los
http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/Business-Relevant-Information-Security-The-Top-and-Bottom-Lines/ba-p/4823525
Why should I care?
Because you work there.
The SEC cares
CF Disclosure Guidance: Topic No. 2, 10/13/2011
Analyze cyber security risks, including frequency and impact; if they are material, you might have to disclose them.
Goals
Provide infosec pros with the tools to talk to business, in particular, finance
Improve understanding of infosec's impact on business
Review some current developments on risk management
Consider Buy, Build or Rent & Acquisition
Which Project?
Investment $1,000,000 $10,000,000
Net Income $200,000 $2,000,000
ROI 20% 20%
What's Investment?
Year 1 Year 2
Investment $10,000,000 $6,666,666
Net Income $200,000 $2,000,000
ROI 20% 30%
NPV
WACC 10.00%
Revenue 100 100 100 100 100
Expenses 70 70 70 70 70
Taxes 9 9 9 9 9
NOPAT 21 21 21 21 21
NPV $79.61
Value
How is value created?
NPV
WACC 10.00%
Revenue 100 100 100 100 100
Expenses 70 70 70 70 70
Taxes 9 9 9 9 9
NOPAT 21 21 21 21 21
NPV $79.61
Reduced WACC
WACC 9.00%
Revenue 100 100 100 100 100
Expenses 70 70 70 70 70
Taxes 9 9 9 9 9
NOPAT 21 21 21 21 21
NPV $81.68
How to create value?
Improve return on existing base of capital
Invest where return is > WACC
Divest where return is < WACC
For infosec: manage the risk of a cash flow stream so the cost of capital is less than the firm's WACC.
Avoid Losses that decrease the return on existing capital.
How is WACC calculated
Where Sigma is “Ask your CFO”
WACC
Cost of all your sources of financing
Sum of cost of debt, equity, retained earnings, etc.
50% debt at 10% and 50% equity at 15% = 12.5%
Return on Equity
Capital Asset Pricing Model:
Ra = Rf + beta(Rm - Rf)
Rf = risk-free rate
Beta = relative volatility vs market
Rm = expected market return
I.e., investors want to be compensated for the time value of money and risk
Volatility
A CFO's Dream Earnings
Estimating WACC
US Gov't Bonds: 1%
Credit Cards: 25%
Venture Capital: 50%
Economic Profit
Economic profit aka EVA™
– Works in projections and in real life
– Operational
– Includes Balance Sheet & P&L
– Introduces Off-Balance sheet/P&L items
Economic Profit
WACC 10.0% 10.0% 10.0% 10.0% 10.0%
Capital Base 200 200 200 200 200
Revenue 100 100 100 100 100
Expenses 70 70 70 70 70
Taxes 9 9 9 9 9
NOPAT 21 21 21 21 21
Cap Charge 20 20 20 20 20
Econ Profit 1 1 1 1 1
Cash Machine
WACC 10.0% 10.0% 10.0% 10.0% 10.0%
Capital Base 200 221 244 278 327
Revenue 100 111 134 167 217
Expenses 70 77 85 97 114
Taxes 9 10 14 21 31
NOPAT 21 23 34 49 71
Cap Charge 20 22 24 28 33
Econ Profit 1 1 9 21 39
A bonus plan for 5 guys
1st plan: The biggest credit card payment
2nd plan: Everybody is in the money
3rd plan: 1/3 of economic profit
Economic Profit Bonus
Revenue 100 110 125 100
Expenses 60 60 70 70
Taxes 10 10 10 10
Capital Charge 10 10 12.5 10
Econ profit 20 30 35 10
Bonus 0 0 28.33 25.00
Plow-back 56.66 50.00
Assume $600,000 in Capital at 20%
Reducing WACC
WACC 10.0% 9.0% 9.0% 9.0% 9.0%
Capital Base 200 200 200 200 200
Revenue 100 100 100 100 100
Expenses 70 70 70 70 70
Taxes 9 9 9 9 9
NOPAT 21 21 21 21 21
Cap Charge 20 18 18 18 18
Econ Profit 1 3 3 3 3
Buy, Build or Rent?
Buy: $100,000 plus 18% per year ($18k)
Build: $150,000 plus 8% per year ($12k)
Rent: $25,000/year
Rent
Buy: ($100,000 * 9% ) + $18,000 = $27,000/yr
Build: ($150,000 * 9%) + $12,000 = $25,500
Rent: $25,000
Acquisition
“We're going to invest $75 in a company that has $100 in revenues and projected NOPAT of $21 per year for 5 years. Will there be additional IT costs or investment needed for security? Are there potential losses?”
NPV of Project X
WACC 5.00%
Investment -$75
Revenue 100 100 100 100 100
Expenses 70 70 70 70 70
Taxes 9 9 9 9 9
NOPAT 21 21 21 21 21
NPV $15.16
ALE?
Improving Risk Management
Source: A New Approach for Managing Operational Risk
Actuarial Methods
Internal & External Data/“Soft” data and “hard” data
Threat Landscape
Loss analysis
Frequency
Ease of attack
Control Strength
Statistical Analysis
ALE 2.x
Expected & Unexpected
Value at Risk
Russell Cameron Thomas: Meritology
Add Expected Loss
WACC 5.00%
Investment -$75
Revenue 100 100 100 100 100
Expenses 70 70 70 70 70
Expected Loss 2 2 2 2 2
Taxes 8.4 8.4 8.4 8.4 8.4
NOPAT 19.6 19.6 19.6 19.6 19.6
NPV $9.39
Add Unexpected Loss?
WACC 5.00%
Investment -$75
Revenue 100 100 100 100 100
Expenses 70 70 70 70 70
Expected Loss 2 2 2 2 2
Unexpected Loss 0 0 0 0 20
Taxes 8.4 8.4 8.4 8.4 2.4
NOPAT 19.6 19.6 19.6 19.6 5.6
NPV -$1.06
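The three acquisition tables above (base case, expected loss, unexpected loss in year 5), recomputed as an added example that is not part of the original slides. It assumes a 30% tax rate inferred from the tables and spreadsheet-style discounting in which the investment is also discounted one period, which is what reproduces the slide figures; it goes one step further and solves for the year-5 loss that takes the deal to zero NPV. All function names are hypothetical.

```python
# Added example, not from the original slides.
TAX_RATE = 0.30  # assumption: inferred from the tables (taxes of 9 on 30 pre-tax)


def nopat(revenue, expenses, expected_loss=0.0, unexpected_loss=0.0):
    """One year's net operating profit after tax; losses are pre-tax costs."""
    return (revenue - expenses - expected_loss - unexpected_loss) * (1 - TAX_RATE)


def npv(rate, cash_flows):
    """Spreadsheet-style NPV: the first cash flow is discounted one full period."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows, start=1))


def acquisition_npv(wacc, investment, expected_loss=0.0, tail_loss=0.0, years=5):
    """NPV of the acquisition; tail_loss is an unexpected loss in the last year."""
    flows = [-investment]
    for year in range(1, years + 1):
        hit = tail_loss if year == years else 0.0
        flows.append(nopat(100, 70, expected_loss, hit))
    return npv(wacc, flows)


def breakeven_tail_loss(wacc, investment, expected_loss, upper=100.0):
    """Bisect for the last-year loss at which the deal's NPV falls to zero."""
    lower = 0.0
    for _ in range(60):
        mid = (lower + upper) / 2
        if acquisition_npv(wacc, investment, expected_loss, mid) > 0:
            lower = mid
        else:
            upper = mid
    return (lower + upper) / 2


if __name__ == "__main__":
    print(f"base case:              {acquisition_npv(0.05, 75):6.2f}")
    print(f"expected loss of 2:     {acquisition_npv(0.05, 75, 2):6.2f}")
    print(f"plus year-5 loss of 20: {acquisition_npv(0.05, 75, 2, 20):6.2f}")
    print(f"break-even year-5 loss: {breakeven_tail_loss(0.05, 75, 2):6.2f}")
```

The break-even figure shows how little headroom the deal has: a single bad year well below the slide's loss of 20 is enough to erase its value.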
Annual cost of Unexpected Loss?
SoA suggests UL x WACC
$20,000,000 x .05 = $1,000,000
But where to put it?
Add Unexpected Loss
Capital Base 75 75 75 75 75
Revenue 100 100 100 100 100
Expenses 70 70 70 70 70
Expected Loss 2 2 2 2 2
Taxes 8.4 8.4 8.4 8.4 8.4
NOPAT 19.6 19.6 19.6 19.6 19.6
Cap Charge 3.75 3.75 3.75 3.75 3.75
Economic Profit 15.85 15.85 15.85 15.85 15.85
WACC x UL 1 1 1 1 1
Risk-Adjusted EP 14.85 14.85 14.85 14.85 14.85
Push the curve
Difference between UL1 and UL2 == Sleep at night
Invest to reduce risk
Capital Base 75 77 77 77 77
Revenue 100 100 100 100 100
Expenses 70 72 72 72 72
Expected Loss 5 3 3 3 3
Taxes 7.5 7.5 7.5 7.5 7.5
NOPAT 17.5 17.5 17.5 17.5 17.5
Cap Charge 7.5 7.7 7.7 7.7 7.7
Economic Profit 10 9.8 9.8 9.8 9.8
WACC x UL 5 3 3 3 3
Risk-Adj EP 5 6.8 6.8 6.8 6.8
Revising BBR Scenario
Vendor-in-the-middle
Wrong Way
Added expected losses
Added Unexpected losses
New Buy, Build, Rent
Buy: ($100,000 * 9% ) + $18,000 = $27,000/yr
Build: ($150,000 * 9%) + $12,000 = $25,500
Rent: $25,000 + Change in EL + Change in UL x WACC == probably worse
When vendors increase risk
Capital Base 75 75 75 75 75
Revenue 100 100 100 100 100
Expenses 70 69 69 69 69
Expected Loss 5 7 7 7 7
Taxes 7.5 7.2 7.2 7.2 7.2
NOPAT 17.5 16.8 16.8 16.8 16.8
Cap Charge 7.5 7.5 7.5 7.5 7.5
Econ Profit 10 9.3 9.3 9.3 9.3
WACC x UL 5 10 10 10 10
Risk-Adj EP 5 -0.7 -0.7 -0.7 -0.7
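The "Invest to reduce risk" and "When vendors increase risk" tables, recomputed side by side as an added example that is not part of the original slides. The 30% tax rate and 10% WACC are inferred from the table rows, the UL values are the "WACC x UL" row divided by WACC, and the break-even calculation generalizes the tables; class and function names are hypothetical.

```python
# Added example, not from the original slides.
from dataclasses import dataclass

TAX_RATE = 0.30  # assumption: inferred from the tables (taxes of 7.5 on 25 pre-tax)
WACC = 0.10      # assumption: inferred from the capital charge (7.5 on a base of 75)


@dataclass
class Year:
    capital: float          # invested capital base
    expenses: float         # operating expenses, including control or vendor fees
    expected_loss: float    # EL: average annual loss
    unexpected_loss: float  # UL: infrequent severe loss (slide row "WACC x UL" / WACC)
    revenue: float = 100.0


def economic_profit(y, wacc=WACC):
    """NOPAT minus the charge for invested capital."""
    nopat = (y.revenue - y.expenses - y.expected_loss) * (1 - TAX_RATE)
    return nopat - y.capital * wacc


def risk_adjusted_ep(y, wacc=WACC):
    """Economic profit minus the annual cost of carrying unexpected loss."""
    return economic_profit(y, wacc) - wacc * y.unexpected_loss


def breakeven_ul(baseline, option, wacc=WACC):
    """Highest UL the option may leave behind and still match the baseline."""
    return (economic_profit(option, wacc) - risk_adjusted_ep(baseline, wacc)) / wacc


# Values constructed from the two tables above (year 1 = baseline, year 2 = option).
BASELINE = Year(capital=75, expenses=70, expected_loss=5, unexpected_loss=50)
CONTROL = Year(capital=77, expenses=72, expected_loss=3, unexpected_loss=30)
VENDOR = Year(capital=75, expenses=69, expected_loss=7, unexpected_loss=100)

if __name__ == "__main__":
    for name, y in (("baseline", BASELINE), ("control", CONTROL), ("vendor", VENDOR)):
        print(f"{name:9s} EP {economic_profit(y):5.2f}  risk-adj EP {risk_adjusted_ep(y):5.2f}"
              f"  break-even UL {breakeven_ul(BASELINE, y):6.2f}")
```

The control pays for itself as long as it leaves UL at 48 or lower (the table has 30), while the cheaper vendor option would need UL to fall to 43 and instead raises it to 100.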
But Nick!
My CFO has never heard of Economic Profit!
Not so dreamy earnings
Questions for your CFO
What's our WACC or what should I use as a target cost of capital?
If I retire an asset, can you write it off? What is the impact?
How should I estimate an annual cost of infrequent very bad events if that unexpected loss could be $X?
If I determine that our risks have dramatically increased, can I request emergency budget $Y?
Reducing Business Risk
"No sooner is one problem solved than another surfaces—never is there just one cockroach in the kitchen."
Warren Buffett
Sony vs Canon, Japan
AAPL vs Sony
InfoSec & Economic Profit
Reduce invested capital – don't play capex/opex games (if your company does...)
Reduce expenses
'Necessary but not sufficient', e.g. firewalls
Non-core: move to services over software (e.g. WAF, anti-virus, scanning) unless it increases the threat landscape; then choose wisely.
In sum?
Do analysis like a financial analyst
Do as deep an analysis as is needed for your firm
Differentiate between average risk and infrequent, but bad risk
Be aware of threat landscape
Be ready to adjust quickly
Good companies do most things well.
Sources/Suggestions
The Quest for Value – G. Bennett Stewart III
A New Approach for Managing Operational Risk http://www.soa.org/files/pdf/research-new-approach.pdf
Society for Information Risk Analysts: http://societyinforisk.org/