How To
Security and Business: Financial Basics
You need to find and use the right financial metrics to communicate security's value to your company. Here are pros and cons of four: TCO, ROI, EVA and ALE.
By Michael Fitzgerald
He says that measuring TCO can help firms realize just what they're spending, and for what. Ideally, he likes to contrast those with the potential losses, but even in the physical security world, annualized loss estimates "are difficult to get," he says.
EVA (Economic Value Added)
The best-known version of EVA was developed and trademarked by Stern Stewart and offers a way to measure financial performance for business units. It was not developed for information security. In fact, it's meant to be a metric that shows financial return, which may be why it was the least known of the financial metrics tools in this round-up. Still, it has applications in IT, in particular as a way to examine whether a company got whatever financial returns it expected out of an investment in security.
"I've seen EVA in very limited exposure in infosec," says McConoughey, noting EVA usually appears in support of purchasing a security service.
To use an EVA in a practical way, one should take numbers used to generate things like total cost of ownership, ROI and the annualized loss expectancy, and compare them to actual costs, looking at factors like what it would cost to implement and support them.
Alliance Group Research's Leo prefers using EVA to something like ROI. In part, that's because firewalls and locks don't really appreciate in value after they're purchased; they aren't those kinds of assets. Using EVA can help quantify whether security spending increases the value of a company by measuring what it's worth for a company to avoid things like security breaches. The latest CSI survey showed that the average security breach costs a company more than $350,000, which is more than double 2006's average of $168,000. While these numbers represent averages, they can help to show what costs companies incur for not using security services, giving a sense of the value of security spending.
There's also a less proprietary EVA, earned value analysis. That's from the project management world and is used to look at budgeted cost, actual costs and the value of the work performed. That's the method used by John Linkous, who is the governance, risk and analysis evangelist at eIQNetworks.
Linkous says that both EVA and annualized loss expectancy (ALE) are more formal measures than either TCO or ROI, which he calls "a little more voodoo science." He says that the other problem with TCO and ROI is that they are often used to justify decisions, rather than inform them. While an EVA can also be fudged, he says that it's harder to do.
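The two EVA flavours the article describes, carried through with numbers, as an added example that is not from the article or any of the people quoted in it: an earned value analysis of a security project (budgeted cost, actual cost, value of work performed) and a breach-avoidance valuation built on annualized loss expectancy. The $350,000 single-loss figure is the CSI survey average quoted above; the project budget, completion fractions, occurrence rates and control cost are constructed for illustration.

```python
"""Worked figures for earned value analysis and ALE-based avoided-loss value."""
from dataclasses import dataclass


@dataclass
class EarnedValue:
    """Earned value analysis of a security project (project-management EVA)."""
    budget_at_completion: float   # total approved budget (BAC)
    planned_fraction: float       # share of work scheduled to be done by now
    earned_fraction: float        # share of work actually done by now
    actual_cost: float            # money spent so far (AC)

    def metrics(self) -> dict:
        pv = self.budget_at_completion * self.planned_fraction  # budgeted cost of work scheduled
        ev = self.budget_at_completion * self.earned_fraction   # budgeted cost of work performed
        ac = self.actual_cost
        if ev <= 0 or ac <= 0:
            raise ValueError("need work performed and cost incurred to compute indexes")
        return {
            "planned_value": pv,
            "earned_value": ev,
            "cost_variance": ev - ac,       # negative means over budget
            "schedule_variance": ev - pv,   # negative means behind schedule
            "cpi": ev / ac,                 # below 1.0: each dollar buys less than a dollar of work
            "spi": ev / pv,                 # below 1.0: delivering slower than planned
            # estimate at completion, assuming the current cost efficiency continues
            "estimate_at_completion": self.budget_at_completion * ac / ev,
        }


def avoided_loss_value(sle: float, aro_before: float, aro_after: float,
                       annual_control_cost: float) -> dict:
    """Value of a control as the ALE it removes minus its yearly cost.

    ALE = single loss expectancy (SLE) x annualized rate of occurrence (ARO).
    """
    ale_before = sle * aro_before
    ale_after = sle * aro_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "loss_avoided": ale_before - ale_after,
        "net_value": ale_before - ale_after - annual_control_cost,
    }


if __name__ == "__main__":
    # Constructed: a $400k monitoring rollout, 50% scheduled, 40% done, $180k spent so far.
    print(EarnedValue(400_000, 0.5, 0.4, 180_000).metrics())
    # SLE is the CSI average breach cost from the article; AROs and control cost are assumed.
    print(avoided_loss_value(350_000, aro_before=1.0, aro_after=0.25, annual_control_cost=60_000))
```

A project with a CPI below 1.0 is the case Linkous is pointing at: the figures show the overrun rather than justify it after the fact.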
ALE