Finance for hackers

Date post: 29-Jun-2015
Upload: nick-owen
My slides from BSidesATL.
Transcript
Page 1: Finance for hackers

Finance for Hackers

or How to get all the budget you deserve

Nick Owen

@wikidsystems

Page 2: Finance for hackers

About me

Page 3: Finance for hackers

Compliance vs Security

http://www.flickr.com/photos/turbojoe/556776940/

Page 4: Finance for hackers

How much security?

http://prairiepathways.com/Postcards_from_Kansas/

Page 5: Finance for hackers

How is value created?

“When you're working for a business only 2 things matter ...the top line and bottom line. Translated into normal speak that means you need to contribute to the business in one of two ways:

> help the business make money (adding to the top line)

> help the business save money (managing the bottom line)

If you're not working to one of those two goals, you're wasting company resources.”

Rafal Los

http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/Business-Relevant-Information-Security-The-Top-and-Bottom-Lines/ba-p/4823525

Page 6: Finance for hackers

Why should I care?

Because you work there.

Page 7: Finance for hackers

The SEC cares

CF Disclosure Guidance: Topic No. 2, 10/13/2011

Analyze Cyber Security Risks, including frequency and impact and if material, you might have to disclose.

Page 8: Finance for hackers

Goals

Provide infosec pros with the tools to talk to business, in particular, finance

Improve understanding of infosec's impact on business

Review some current developments on risk management

Consider Buy, Build or Rent & Acquisition

Page 9: Finance for hackers
Page 10: Finance for hackers

Which Project?

Investment $1,000,000 $10,000,000

Net Income $200,000 $2,000,000

ROI 20% 20%

Page 11: Finance for hackers

What's Investment?

Year 1 Year 2

Investment $10,000,000 $6,666,666

Net Income $200,000 $2,000,000

ROI 20% 30%

Page 12: Finance for hackers

NPV

WACC 10.00%

Revenue 100 100 100 100 100

Expenses 70 70 70 70 70

Taxes 9 9 9 9 9

NOPAT 21 21 21 21 21

NPV $79.61

Page 13: Finance for hackers

Value

How is value created?

Page 14: Finance for hackers

NPV

WACC 10.00%

Revenue 100 100 100 100 100

Expenses 70 70 70 70 70

Taxes 9 9 9 9 9

NOPAT 21 21 21 21 21

NPV $79.61

Page 15: Finance for hackers

Reduced WACC

WACC 9.00%

Revenue 100 100 100 100 100

Expenses 70 70 70 70 70

Taxes 9 9 9 9 9

NOPAT 21 21 21 21 21

NPV $81.68

Page 16: Finance for hackers

How to create value?

Improve return on existing base of capital

Invest where return is > WACC

Divest where return is < WACC

For infosec: manage the risk of a cash flow stream so the cost of capital is less than the firm's WACC.

Avoid Losses that decrease the return on existing capital.

Page 17: Finance for hackers

How is WACC calculated

Where Sigma is “Ask your CFO”

Page 18: Finance for hackers

WACC

Cost of all your sources of financing

Sum of cost of debt, equity, retained earnings, etc.

50% debt at 10% and 50% equity at 15% = 12.5%

Page 19: Finance for hackers

Return on Equity

Capital Asset Pricing Model:

Ra = Rf + beta(Rm - Rf)

Rf = Risk-free Rate

Beta = relative volatility vs market

Rm = expected market return

I.e. investors want to be compensated for the time value of money and for risk.

Page 20: Finance for hackers

Volatility

Page 21: Finance for hackers

A CFO's Dream Earnings

Page 22: Finance for hackers

Estimating WACC

US Gov't Bonds: 1%

Credit Cards: 25%

Venture Capital: 50%

Page 23: Finance for hackers

Economic Profit

Economic profit aka EVA™

– Works in projections and in real life

– Operational

– Includes Balance Sheet & P&L

– Introduces Off-Balance sheet/P&L Items

Page 24: Finance for hackers

Economic Profit

WACC 10.0% 10.0% 10.0% 10.0% 10.0%

Capital Base 200 200 200 200 200

Revenue 100 100 100 100 100

Expenses 70 70 70 70 70

Taxes 9 9 9 9 9

NOPAT 21 21 21 21 21

Cap Charge 20 20 20 20 20

Econ Profit 1 1 1 1 1

Page 25: Finance for hackers

Cash Machine

WACC 10.0% 10.0% 10.0% 10.0% 10.0%

Capital Base 200 221 244 278 327

Revenue 100 111 134 167 217

Expenses 70 77 85 97 114

Taxes 9 10 14 21 31

NOPAT 21 23 34 49 71

Cap Charge 20 22 24 28 33

Econ Profit 1 1 9 21 39

Page 26: Finance for hackers

A bonus plan for 5 guys

1st plan: The biggest credit card payment

2nd plan: Everybody is in the money

3rd plan: 1/3 of economic profit

Page 27: Finance for hackers

Economic Profit Bonus

Revenue 100 110 125 100

Expenses 60 60 70 70

Taxes 10 10 10 10

Capital Charge 10 10 12.5 10

Econ profit 20 30 35 10

Bonus 0 0 28.33 25.00

Plow-back 56.66 50.00

Assume $600,000 in Capital at 20%

Page 28: Finance for hackers

Reducing WACC

WACC 10.0% 9.0% 9.0% 9.0% 9.0%

Capital Base 200 200 200 200 200

Revenue 100 100 100 100 100

Expenses 70 70 70 70 70

Taxes 9 9 9 9 9

NOPAT 21 21 21 21 21

Cap Charge 20 18 18 18 18

Econ Profit 1 3 3 3 3

Page 29: Finance for hackers

Buy, Build or Rent?

Buy: $100,000 plus 18% per year ($18k)

Build: $150,000 plus 8% per year ($12k)

Rent: $25,000/year

Page 30: Finance for hackers

Rent

Buy: ($100,000 * 9% ) + $18,000 = $27,000/yr

Build: ($150,000 * 9%) + $12,000 = $25,500

Rent: $25,000

Page 31: Finance for hackers

Acquisition

“We're going to invest $75 in a company that has $100 in revenues and projected NOPAT of $21 per year for 5 years. Will there be additional IT costs or investment needed for security? Are there potential losses?”

Page 32: Finance for hackers

NPV of Project X

WACC 5.00%

Investment -$75

Revenue 100 100 100 100 100

Expenses 70 70 70 70 70

Taxes 9 9 9 9 9

NOPAT 21 21 21 21 21

NPV $15.16

Page 33: Finance for hackers

ALE?

Page 34: Finance for hackers

Improving Risk Management

Source: A New Approach for Managing Operational Risk

Page 35: Finance for hackers

Actuarial Methods

Internal & External Data

“Soft” data and “hard” data

Threat Landscape

Loss analysis

Frequency

Ease of attack

Control Strength

Page 36: Finance for hackers

Statistical Analysis

Page 37: Finance for hackers

ALE 2.x

Page 38: Finance for hackers

Expected & Unexpected

Page 39: Finance for hackers

Value at Risk

Russell Cameron Thomas: Meritology

Page 40: Finance for hackers

Add Expected Loss

WACC 5.00%

Investment -$75

Revenue 100 100 100 100 100

Expenses 70 70 70 70 70

Expected Loss 2 2 2 2 2

Taxes 8.4 8.4 8.4 8.4 8.4

NOPAT 19.6 19.6 19.6 19.6 19.6

NPV $9.39

Page 41: Finance for hackers

Add Unexpected Loss?

WACC 5.00%

Investment -$75

Revenue 100 100 100 100 100

Expenses 70 70 70 70 70

Expected Loss 2 2 2 2 2

Unexpected Loss 0 0 0 0 20

Taxes 8.4 8.4 8.4 8.4 2.4

NOPAT 19.6 19.6 19.6 19.6 5.6

NPV -$1.06
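The NPV, Reduced WACC, NPV of Project X, Add Expected Loss and Add Unexpected Loss slides are all one five-year spreadsheet with different inputs. The following is an added example, not the deck's own spreadsheet, that rebuilds it in Python. It assumes a 30% tax rate (Revenue 100, Expenses 70, Taxes 9 implies it) and the spreadsheet NPV() convention of discounting every listed value by one period, the -$75 investment included; that convention is the only one under which the Project X slide's $15.16 reproduces. Expected and unexpected losses are booked as operating expenses, which is how the slides get Taxes 8.4 and NOPAT 19.6.

```python
"""Excel-style NPV over the deck's five-year NOPAT streams (added example)."""

TAX_RATE = 0.30  # assumed: (100 - 70) * 0.30 = 9 matches the slides' Taxes row


def nopat(revenue, expenses, expected_loss=0.0, unexpected_loss=0.0):
    """Net operating profit after tax for one year.

    Expected and unexpected losses are treated as operating expenses, which is
    how the Add Expected Loss slide reaches Taxes 8.4 and NOPAT 19.6.
    """
    pretax = revenue - expenses - expected_loss - unexpected_loss
    return pretax * (1 - TAX_RATE)


def excel_npv(rate, values):
    """NPV the way a spreadsheet's NPV() computes it: value i is discounted by
    (1 + rate) ** (i + 1), so even the first value is one period out."""
    return sum(v / (1 + rate) ** (i + 1) for i, v in enumerate(values))


def project_npv(wacc, yearly_nopat, investment=0.0):
    """NPV of a project; a non-zero investment is placed first in the list,
    which is what the slides do (Project X: $15.16, not the $15.92 an undiscounted
    investment would give)."""
    flows = ([investment] if investment else []) + list(yearly_nopat)
    return round(excel_npv(wacc, flows), 2)


def scenario(wacc, years=5, investment=0.0, expected_loss=0.0,
             unexpected_loss_year=None, unexpected_loss=0.0):
    """Build the five-year NOPAT stream the slides use (Revenue 100, Expenses 70,
    constructed inputs) and return its NPV. unexpected_loss_year is 1-based, so
    the Add Unexpected Loss slide's year-5 hit is unexpected_loss_year=5."""
    stream = []
    for year in range(1, years + 1):
        ul = unexpected_loss if year == unexpected_loss_year else 0.0
        stream.append(nopat(100, 70, expected_loss, ul))
    return project_npv(wacc, stream, investment)


if __name__ == "__main__":
    print("NPV slide, WACC 10%:         ", scenario(0.10))
    print("Reduced WACC 9%:             ", scenario(0.09))
    print("Project X, 5%, invest 75:    ", scenario(0.05, investment=-75))
    print("Add expected loss 2:         ",
          scenario(0.05, investment=-75, expected_loss=2))
    print("Add unexpected loss 20 in y5:",
          scenario(0.05, investment=-75, expected_loss=2,
                   unexpected_loss_year=5, unexpected_loss=20))
```

The point the deck is making shows up in the last two calls: a steady expected loss of 2 per year costs the acquisition about six dollars of NPV, while one 20-unit unexpected loss in year five flips the whole project negative. Any reduction in either loss, priced the same way, is a budget argument a CFO already understands.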

Page 42: Finance for hackers

Annual cost of Unexpected Loss?

SoA suggests UL x WACC

$20,000,000 x .05 = $1,000,000

But where to put it?

Page 43: Finance for hackers

Add Unexpected Loss

Capital Base 75 75 75 75 75

Revenue 100 100 100 100 100

Expenses 70 70 70 70 70

Expected Loss 2 2 2 2 2

Taxes 8.4 8.4 8.4 8.4 8.4

NOPAT 19.6 19.6 19.6 19.6 19.6

Cap Charge 3.75 3.75 3.75 3.75 3.75

Economic Profit 15.85 15.85 15.85 15.85 15.85

WACC x UL 1 1 1 1 1

Risk-Adjusted EP 14.85 14.85 14.85 14.85 14.85

Page 44: Finance for hackers

Push the curve

Difference between UL1 and UL2 == Sleep at night

Page 45: Finance for hackers

Invest to reduce risk

Capital Base 75 77 77 77 77

Revenue 100 100 100 100 100

Expenses 70 72 72 72 72

Expected Loss 5 3 3 3 3

Taxes 7.5 7.5 7.5 7.5 7.5

NOPAT 17.5 17.5 17.5 17.5 17.5

Cap Charge 7.5 7.7 7.7 7.7 7.7

Economic Profit 10 9.8 9.8 9.8 9.8

WACC x UL 5 3 3 3 3

Risk-Adj EP 5 6.8 6.8 6.8 6.8

Page 46: Finance for hackers

Revising BBR Scenario

Page 47: Finance for hackers

Vendor-in-the-middle

Page 48: Finance for hackers

Wrong Way

Added expected losses

Added Unexpected losses

Page 49: Finance for hackers

New Buy, Build, Rent

Buy: ($100,000 * 9% ) + $18,000 = $27,000/yr

Build: ($150,000 * 9%) + $12,000 = $25,500

Rent: $25,000 + Change in EL + Change in UL x WACC == probably worse

Page 50: Finance for hackers

When vendors increase risk

Capital Base 75 75 75 75 75

Revenue 100 100 100 100 100

Expenses 70 69 69 69 69

Expected Loss 5 7 7 7 7

Taxes 7.5 7.2 7.2 7.2 7.2

NOPAT 17.5 16.8 16.8 16.8 16.8

Cap Charge 7.5 7.5 7.5 7.5 7.5

Econ Profit 10 9.3 9.3 9.3 9.3

WACC x UL 5 10 10 10 10

Risk-Adj EP 5 -0.7 -0.7 -0.7 -0.7
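The Economic Profit, Reducing WACC, Add Unexpected Loss, Invest to reduce risk and When vendors increase risk slides are one model: economic profit is NOPAT minus a capital charge, and the risk-adjusted version subtracts WACC x UL on top, as the SoA paper suggests. The New Buy, Build, Rent slide applies the same two loss terms to an annual cost. Below is an added example that rebuilds that model; it is not the deck's spreadsheet. It assumes a 30% tax rate, and the unexpected-loss amounts behind the WACC x UL rows (20 at 5%; 50, 30 and 100 at 10%) are inferred from those rows rather than stated on the slides. The vendor's loss deltas in the Buy, Build, Rent comparison are constructed, since the slide leaves them unquantified.

```python
"""Economic profit with a charge for unexpected loss (added example)."""
from dataclasses import dataclass

TAX_RATE = 0.30  # assumed from Revenue 100 - Expenses 70 -> Taxes 9


@dataclass
class Year:
    capital: float                # invested capital base, charged at WACC
    revenue: float
    expenses: float
    expected_loss: float = 0.0    # average annual loss, expensed
    unexpected_loss: float = 0.0  # tail loss the firm must be able to absorb


def economic_profit(y, wacc):
    """EP = NOPAT - WACC x capital. Returns (NOPAT, capital charge, EP)."""
    pretax = y.revenue - y.expenses - y.expected_loss
    nopat = pretax * (1 - TAX_RATE)
    charge = wacc * y.capital
    return round(nopat, 2), round(charge, 2), round(nopat - charge, 2)


def risk_adjusted_ep(y, wacc):
    """EP minus the annual cost of carrying unexpected loss (UL x WACC)."""
    _, _, ep = economic_profit(y, wacc)
    return round(ep - wacc * y.unexpected_loss, 2)


def run(years, wacc):
    """Risk-adjusted EP for each year of a scenario."""
    return [risk_adjusted_ep(y, wacc) for y in years]


# Invest to reduce risk slide: spend 2 (capital 75 -> 77, expenses 70 -> 72) to cut
# expected loss 5 -> 3 and unexpected loss 50 -> 30 (UL inferred from WACC x UL).
INVEST_TO_REDUCE_RISK = [Year(75, 100, 70, 5, 50)] + [Year(77, 100, 72, 3, 30)] * 4

# When vendors increase risk slide: outsourcing saves 1 of expenses but lifts
# expected loss 5 -> 7 and unexpected loss 50 -> 100.
VENDOR_IN_THE_MIDDLE = [Year(75, 100, 70, 5, 50)] + [Year(75, 100, 69, 7, 100)] * 4


def annual_cost(capital, wacc, recurring, delta_el=0.0, delta_ul=0.0):
    """Annualised cost of an option: capital charge + yearly cost + change in
    expected loss + annual cost of the change in unexpected loss (UL x WACC)."""
    return capital * wacc + recurring + delta_el + delta_ul * wacc


# Buy, Build or Rent slide: name -> (capital, recurring, delta_el, delta_ul).
BBR_OPTIONS = {
    "Buy":   (100_000, 18_000, 0, 0),
    "Build": (150_000, 12_000, 0, 0),
    "Rent":  (0, 25_000, 0, 0),
}


def cheapest(options, wacc):
    """Return (name, annual cost) of the lowest-cost option."""
    costs = {n: round(annual_cost(c, wacc, r, el, ul), 2)
             for n, (c, r, el, ul) in options.items()}
    return min(costs.items(), key=lambda kv: kv[1])


def bbr_with_vendor_risk(wacc, delta_el, delta_ul):
    """New Buy, Build, Rent slide: add the vendor's change in EL and UL to Rent."""
    options = dict(BBR_OPTIONS)
    capital, recurring, _, _ = options["Rent"]
    options["Rent"] = (capital, recurring, delta_el, delta_ul)
    return cheapest(options, wacc)


if __name__ == "__main__":
    base = Year(200, 100, 70)
    print("Economic Profit slide, 10%:", economic_profit(base, 0.10))
    print("Reducing WACC slide, 9%:  ", economic_profit(base, 0.09))
    print("Add Unexpected Loss, 5%:  ",
          risk_adjusted_ep(Year(75, 100, 70, 2, 20), 0.05))
    print("Invest to reduce risk:    ", run(INVEST_TO_REDUCE_RISK, 0.10))
    print("Vendor in the middle:     ", run(VENDOR_IN_THE_MIDDLE, 0.10))
    print("Buy/Build/Rent at 9%:     ", cheapest(BBR_OPTIONS, 0.09))
    # Constructed vendor deltas: EL up $2,000/yr, UL up $50,000.
    print("Rent with vendor risk:    ", bbr_with_vendor_risk(0.09, 2_000, 50_000))
```

Two things are worth noticing in the output. Spending 2 to cut losses lowers plain economic profit (9.8 versus 10) yet raises the risk-adjusted figure (6.8 versus 5), so the investment is only defensible once UL x WACC is on the table. And the vendor deal looks like a saving on the expense line until the same charge turns its economic profit negative; with the constructed deltas, Rent also stops being the cheapest Buy, Build, Rent option.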

Page 51: Finance for hackers

But Nick!

My CFO has never heard of Economic Profit!

Page 52: Finance for hackers

Not so dreamy earnings

Page 53: Finance for hackers

Questions for your CFO

What's our WACC or what should I use as a target cost of capital?

If I retire an asset, can you write it off? What is the impact?

How should I estimate an annual cost of infrequent very bad events if that unexpected loss could be $X?

If I determine that our risks have dramatically increased, can I request emergency budget $Y?

Page 54: Finance for hackers

Reducing Business Risk

"No sooner is one problem solved than another surfaces—never is there just one cockroach in the kitchen."

Warren Buffett

Page 55: Finance for hackers

Sony vs Canon, Japan

Page 56: Finance for hackers

AAPL vs Sony

Page 57: Finance for hackers

InfoSec & Economic Profit

Reduce invested capital – don't play capex/opex games (if your company does...)

Reduce expenses

'Necessary but not sufficient', e.g. firewalls

Non-core: move to services over software, e.g. WAF, anti-virus, scanning, unless it increases the threat landscape; then choose wisely.

Page 58: Finance for hackers

In sum?

Do analysis like a financial analyst

Do analysis as deep as is needed for your firm

Differentiate between average risk and infrequent, but bad risk

Be aware of threat landscape

Be ready to adjust quickly

Good companies do most things well.

Page 59: Finance for hackers

Sources/Suggestions

The Quest for Value – G. Bennett Stewart III

A New Approach for Managing Operational Risk http://www.soa.org/files/pdf/research-new-approach.pdf

Society for Information Risk Analysts: http://societyinforisk.org/

Page 60: Finance for hackers

Questions?

Nick Owen

@wikidsystems

[email protected]

404-962-8983

http://www.wikidsystems.com
