Finance for hackers
My slides from BSidesATL.
![Page 1: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/1.jpg)
Finance for Hackers, or
How to get all the budget you deserve
Nick Owen
@wikidsystems
![Page 2: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/2.jpg)
About me
![Page 3: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/3.jpg)
Compliance vs Security
http://www.flickr.com/photos/turbojoe/556776940/
![Page 4: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/4.jpg)
How much security?
http://prairiepathways.com/Postcards_from_Kansas/
![Page 5: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/5.jpg)
How is value created?
“When you're working for a business only 2 things matter ... the top line and bottom line. Translated into normal speak that means you need to contribute to the business in one of two ways:
> help the business make money (adding to the top line)
> help the business save money (managing the bottom line)
If you're not working to one of those two goals, you're wasting company resources.”
Rafal Los
http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/Business-Relevant-Information-Security-The-Top-and-Bottom-Lines/ba-p/4823525
![Page 6: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/6.jpg)
Why should I care?
Because you work there.
![Page 7: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/7.jpg)
The SEC cares
CF Disclosure Guidance: Topic No. 2, 10/13/2011
Analyze cyber security risks, including frequency and impact; if they are material, you might have to disclose them.
![Page 8: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/8.jpg)
Goals
Provide infosec pros with the tools to talk to business, in particular, finance
Improve understanding of infosec's impact on business
Review some current developments on risk management
Consider Buy, Build or Rent & Acquisition
![Page 9: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/9.jpg)
![Page 10: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/10.jpg)
Which Project?

| | Option 1 | Option 2 |
|---|---|---|
| Investment | $1,000,000 | $10,000,000 |
| Net Income | $200,000 | $2,000,000 |
| ROI | 20% | 20% |
![Page 11: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/11.jpg)
What's Investment?

| | Year 1 | Year 2 |
|---|---|---|
| Investment | $10,000,000 | $6,666,666 |
| Net Income | $200,000 | $2,000,000 |
| ROI | 20% | 30% |
![Page 12: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/12.jpg)
NPV

WACC 10.00%

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Revenue | 100 | 100 | 100 | 100 | 100 |
| Expenses | 70 | 70 | 70 | 70 | 70 |
| Taxes | 9 | 9 | 9 | 9 | 9 |
| NOPAT | 21 | 21 | 21 | 21 | 21 |

NPV $79.61
![Page 13: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/13.jpg)
Value
How is value created?
![Page 14: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/14.jpg)
NPV

WACC 10.00%

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Revenue | 100 | 100 | 100 | 100 | 100 |
| Expenses | 70 | 70 | 70 | 70 | 70 |
| Taxes | 9 | 9 | 9 | 9 | 9 |
| NOPAT | 21 | 21 | 21 | 21 | 21 |

NPV $79.61
![Page 15: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/15.jpg)
Reduced WACC

WACC 9.00%

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Revenue | 100 | 100 | 100 | 100 | 100 |
| Expenses | 70 | 70 | 70 | 70 | 70 |
| Taxes | 9 | 9 | 9 | 9 | 9 |
| NOPAT | 21 | 21 | 21 | 21 | 21 |

NPV $81.68
![Page 16: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/16.jpg)
How to create value?
Improve return on existing base of capital
Invest where return is > WACC
Divest where return is < WACC
For infosec: manage the risk of a cash flow stream so the cost of capital is less than the firm's WACC.
Avoid Losses that decrease the return on existing capital.
![Page 17: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/17.jpg)
How is WACC calculated?
Where Sigma is “Ask your CFO”
![Page 18: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/18.jpg)
WACC
Cost of all your sources of financing
Sum of cost of debt, equity, retained earnings, etc.
50% debt at 10% and 50% equity at 15% = 12.5%
![Page 19: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/19.jpg)
Return on Equity
Capital Asset Pricing Model:
Ra = Rf + beta (Rm - Rf)
Rf = risk-free rate
Beta = relative volatility vs market
Rm = expected market return
I.e.: investors want to be compensated for the time value of money and for risk
![Page 20: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/20.jpg)
Volatility
![Page 21: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/21.jpg)
A CFO's Dream Earnings
![Page 22: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/22.jpg)
Estimating WACC
US Gov't Bonds: 1%
Credit Cards: 25%
Venture Capital: 50%
![Page 23: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/23.jpg)
Economic Profit
Economic profit, aka EVA™
- Works in projections and in real life
- Operational
- Includes Balance Sheet & P&L
- Introduces off-balance-sheet / off-P&L items
![Page 24: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/24.jpg)
Economic Profit

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| WACC | 10.0% | 10.0% | 10.0% | 10.0% | 10.0% |
| Capital Base | 200 | 200 | 200 | 200 | 200 |
| Revenue | 100 | 100 | 100 | 100 | 100 |
| Expenses | 70 | 70 | 70 | 70 | 70 |
| Taxes | 9 | 9 | 9 | 9 | 9 |
| NOPAT | 21 | 21 | 21 | 21 | 21 |
| Cap Charge | 20 | 20 | 20 | 20 | 20 |
| Econ Profit | 1 | 1 | 1 | 1 | 1 |
![Page 25: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/25.jpg)
Cash Machine

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| WACC | 10.0% | 10.0% | 10.0% | 10.0% | 10.0% |
| Capital Base | 200 | 221 | 244 | 278 | 327 |
| Revenue | 100 | 111 | 134 | 167 | 217 |
| Expenses | 70 | 77 | 85 | 97 | 114 |
| Taxes | 9 | 10 | 14 | 21 | 31 |
| NOPAT | 21 | 23 | 34 | 49 | 71 |
| Cap Charge | 20 | 22 | 24 | 28 | 33 |
| Econ Profit | 1 | 1 | 9 | 21 | 39 |
![Page 26: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/26.jpg)
A bonus plan for 5 guys
1st plan: The biggest credit card payment
2nd plan: Everybody is in the money
3rd plan: 1/3 of economic profit
![Page 27: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/27.jpg)
Economic Profit Bonus

| | Year 1 | Year 2 | Year 3 | Year 4 |
|---|---|---|---|---|
| Revenue | 100 | 110 | 125 | 100 |
| Expenses | 60 | 60 | 70 | 70 |
| Taxes | 10 | 10 | 10 | 10 |
| Capital Charge | 10 | 10 | 12.5 | 10 |
| Econ profit | 20 | 30 | 35 | 10 |
| Bonus | 0 | 0 | 28.33 | 25.00 |
| Plow-back | | | 56.66 | 50.00 |

Assume $600,000 in Capital at 20%
![Page 28: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/28.jpg)
Reducing WACC

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| WACC | 10.0% | 9.0% | 9.0% | 9.0% | 9.0% |
| Capital Base | 200 | 200 | 200 | 200 | 200 |
| Revenue | 100 | 100 | 100 | 100 | 100 |
| Expenses | 70 | 70 | 70 | 70 | 70 |
| Taxes | 9 | 9 | 9 | 9 | 9 |
| NOPAT | 21 | 21 | 21 | 21 | 21 |
| Cap Charge | 20 | 18 | 18 | 18 | 18 |
| Econ Profit | 1 | 3 | 3 | 3 | 3 |
![Page 29: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/29.jpg)
Buy, Build or Rent?
Buy: $100,000 plus 18% per year ($18k)
Build: $150,000 plus 8% per year ($12k)
Rent: $25,000/year
![Page 30: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/30.jpg)
Rent
Buy: ($100,000 * 9% ) + $18,000 = $27,000/yr
Build: ($150,000 * 9%) + $12,000 = $25,500
Rent: $25,000
![Page 31: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/31.jpg)
Acquisition
“We're going to invest $75 in a company that has $100 in revenues and projected NOPAT of $21 per year for 5 years. Will there be additional IT costs or investment needed for security? Are there potential losses?”
![Page 32: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/32.jpg)
NPV of Project X

WACC 5.00%, Investment -$75

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Revenue | 100 | 100 | 100 | 100 | 100 |
| Expenses | 70 | 70 | 70 | 70 | 70 |
| Taxes | 9 | 9 | 9 | 9 | 9 |
| NOPAT | 21 | 21 | 21 | 21 | 21 |

NPV $15.16
![Page 33: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/33.jpg)
ALE?
![Page 34: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/34.jpg)
Improving Risk Management
Source: A New Approach for Managing Operational Risk
![Page 35: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/35.jpg)
Actuarial Methods
Internal & external data / “soft” data and “hard” data
Threat Landscape
Loss analysis
Frequency
Ease of attack
Control Strength
![Page 36: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/36.jpg)
Statistical Analysis
![Page 37: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/37.jpg)
ALE 2.x
![Page 38: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/38.jpg)
Expected & Unexpected
![Page 39: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/39.jpg)
Value at Risk
Russell Cameron Thomas: Meritology
![Page 40: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/40.jpg)
Add Expected Loss

WACC 5.00%, Investment -$75

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Revenue | 100 | 100 | 100 | 100 | 100 |
| Expenses | 70 | 70 | 70 | 70 | 70 |
| Expected Loss | 2 | 2 | 2 | 2 | 2 |
| Taxes | 8.4 | 8.4 | 8.4 | 8.4 | 8.4 |
| NOPAT | 19.6 | 19.6 | 19.6 | 19.6 | 19.6 |

NPV $9.39
![Page 41: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/41.jpg)
Add Unexpected Loss?

WACC 5.00%, Investment -$75

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Revenue | 100 | 100 | 100 | 100 | 100 |
| Expenses | 70 | 70 | 70 | 70 | 70 |
| Expected Loss | 2 | 2 | 2 | 2 | 2 |
| Unexpected Loss | 0 | 0 | 0 | 0 | 20 |
| Taxes | 8.4 | 8.4 | 8.4 | 8.4 | 2.4 |
| NOPAT | 19.6 | 19.6 | 19.6 | 19.6 | 5.6 |

NPV -$1.06
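The NPV figures on the slides above (the $79.61 base case, $81.68 at the reduced WACC, and the $15.16, $9.39 and -$1.06 Project X variants) can all be reproduced from the tables. The following is an added worked example, not code from the deck; it assumes the 30% tax rate that the Taxes rows imply and assumes the spreadsheet NPV() convention in which every cash flow, the up-front investment included, is discounted by one period. That convention is what makes the Project X numbers come out as shown; discounting the investment at time zero instead gives a higher NPV.

```python
"""Recompute the NPV slides: NOPAT stream discounted at WACC.

Added worked example (not from the original slides). Assumptions:
  - tax rate 30%, inferred from the tables (30 pre-tax -> 9 in taxes)
  - spreadsheet NPV() convention: the first cash flow (the investment)
    is discounted one full period, which reproduces the slide figures.
Losses are treated as tax-deductible expenses, as the slides do
(taxes fall from 9 to 8.4 when an expected loss of 2 is added).
"""
from typing import Dict, List

TAX_RATE = 0.30  # inferred from the slides, not stated on them


def nopat(revenue: float, expenses: float,
          expected_loss: float = 0.0, unexpected_loss: float = 0.0,
          tax_rate: float = TAX_RATE) -> float:
    """Net operating profit after tax for one year."""
    pretax = revenue - expenses - expected_loss - unexpected_loss
    taxes = pretax * tax_rate
    return pretax - taxes


def excel_npv(rate: float, cashflows: List[float]) -> float:
    """NPV as a spreadsheet's NPV() computes it: flow t is divided by
    (1 + rate) ** (t + 1), so the first flow is already discounted."""
    return sum(cf / (1.0 + rate) ** (t + 1) for t, cf in enumerate(cashflows))


def project_npv(wacc: float, yearly_nopat: List[float],
                investment: float = 0.0) -> float:
    """NPV of an optional up-front investment followed by a NOPAT stream."""
    flows = ([investment] if investment else []) + list(yearly_nopat)
    return excel_npv(wacc, flows)


def slide_scenarios() -> Dict[str, float]:
    """Each NPV slide recomputed from its own table inputs."""
    base = [nopat(100, 70)] * 5                       # 21 per year
    with_el = [nopat(100, 70, expected_loss=2)] * 5   # 19.6 per year
    with_ul = with_el[:4] + [nopat(100, 70, 2, 20)]   # 5.6 in year 5
    return {
        "npv_wacc_10": project_npv(0.10, base),                        # 79.61
        "npv_wacc_9": project_npv(0.09, base),                         # 81.68
        "project_x": project_npv(0.05, base, investment=-75),          # 15.16
        "project_x_expected_loss": project_npv(0.05, with_el, -75),    # 9.39
        "project_x_unexpected_loss": project_npv(0.05, with_ul, -75),  # -1.06
    }


if __name__ == "__main__":
    for name, value in slide_scenarios().items():
        print(f"{name:26s} ${value:7.2f}")
```

The point the slides make is visible in the last two scenarios: a steady expected loss of 2 per year takes the project from $15.16 to $9.39, and a single unexpected loss of 20 in the final year, even after the tax shield, is enough to push it below zero.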
![Page 42: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/42.jpg)
Annual cost of Unexpected Loss?
SoA (Society of Actuaries) suggests UL x WACC: $20,000,000 x 0.05 = $1,000,000
But where to put it?
![Page 43: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/43.jpg)
Add Unexpected Loss

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Capital Base | 75 | 75 | 75 | 75 | 75 |
| Revenue | 100 | 100 | 100 | 100 | 100 |
| Expenses | 70 | 70 | 70 | 70 | 70 |
| Expected Loss | 2 | 2 | 2 | 2 | 2 |
| Taxes | 8.4 | 8.4 | 8.4 | 8.4 | 8.4 |
| NOPAT | 19.6 | 19.6 | 19.6 | 19.6 | 19.6 |
| Cap Charge | 3.75 | 3.75 | 3.75 | 3.75 | 3.75 |
| Economic Profit | 15.85 | 15.85 | 15.85 | 15.85 | 15.85 |
| WACC x UL | 1 | 1 | 1 | 1 | 1 |
| Risk-Adjusted EP | 14.85 | 14.85 | 14.85 | 14.85 | 14.85 |
![Page 44: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/44.jpg)
Push the curve
Difference between UL1 and UL2 == Sleep at night
![Page 45: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/45.jpg)
Invest to reduce risk

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Capital Base | 75 | 77 | 77 | 77 | 77 |
| Revenue | 100 | 100 | 100 | 100 | 100 |
| Expenses | 70 | 72 | 72 | 72 | 72 |
| Expected Loss | 5 | 3 | 3 | 3 | 3 |
| Taxes | 7.5 | 7.5 | 7.5 | 7.5 | 7.5 |
| NOPAT | 17.5 | 17.5 | 17.5 | 17.5 | 17.5 |
| Cap Charge | 7.5 | 7.7 | 7.7 | 7.7 | 7.7 |
| Economic Profit | 10 | 9.8 | 9.8 | 9.8 | 9.8 |
| WACC x UL | 5 | 3 | 3 | 3 | 3 |
| Risk-Adj EP | 5 | 6.8 | 6.8 | 6.8 | 6.8 |
![Page 46: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/46.jpg)
Revising BBR Scenario
![Page 47: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/47.jpg)
Vendor-in-the-middle
![Page 48: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/48.jpg)
Wrong Way
- Added expected losses
- Added unexpected losses
![Page 49: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/49.jpg)
New Buy, Build, Rent
Buy: ($100,000 * 9% ) + $18,000 = $27,000/yr
Build: ($150,000 * 9%) + $12,000 = $25,500
Rent: $25,000 + Change in EL + Change in UL x WACC == probably worse
![Page 50: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/50.jpg)
When vendors increase risk

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 |
|---|---|---|---|---|---|
| Capital Base | 75 | 75 | 75 | 75 | 75 |
| Revenue | 100 | 100 | 100 | 100 | 100 |
| Expenses | 70 | 69 | 69 | 69 | 69 |
| Expected Loss | 5 | 7 | 7 | 7 | 7 |
| Taxes | 7.5 | 7.2 | 7.2 | 7.2 | 7.2 |
| NOPAT | 17.5 | 16.8 | 16.8 | 16.8 | 16.8 |
| Cap Charge | 7.5 | 7.5 | 7.5 | 7.5 | 7.5 |
| Econ Profit | 10 | 9.3 | 9.3 | 9.3 | 9.3 |
| WACC x UL | 5 | 10 | 10 | 10 | 10 |
| Risk-Adj EP | 5 | -0.7 | -0.7 | -0.7 | -0.7 |
![Page 51: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/51.jpg)
But Nick!
My CFO has never heard of Economic Profit!
![Page 52: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/52.jpg)
Not so dreamy earnings
![Page 53: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/53.jpg)
Questions for your CFO
What's our WACC or what should I use as a target cost of capital?
If I retire an asset, can you write it off? What is the impact?
How should I estimate an annual cost of infrequent very bad events if that unexpected loss could be $X?
If I determine that our risks have dramatically increased, can I request emergency budget $Y?
![Page 54: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/54.jpg)
Reducing Business Risk
"No sooner is one problem solved than another surfaces—never is there just one cockroach in the kitchen." Warren Buffett
![Page 55: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/55.jpg)
Sony vs Canon, Japan
![Page 56: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/56.jpg)
AAPL vs Sony
![Page 57: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/57.jpg)
InfoSec & Economic Profit
Reduce invested capital – don't play capex/opex games (if your company does...)
Reduce expenses
'Necessary but not sufficient', e.g. firewalls
Non-core: move to services over software – e.g. WAF, anti-virus, scanning – unless it increases the threat landscape; then choose wisely.
![Page 58: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/58.jpg)
In sum?
Do analysis like a financial analyst
Do analysis as deep as your firm needs
Differentiate between average risk and infrequent, but bad risk
Be aware of threat landscape
Be ready to adjust quickly
Good companies do most things well.
![Page 59: Finance for hackers](https://reader035.vdocument.in/reader035/viewer/2022062419/5590f0491a28abf6378b4629/html5/thumbnails/59.jpg)
Sources/Suggestions
The Quest for Value – G. Bennett Stewart III
A New Approach for Managing Operational Risk http://www.soa.org/files/pdf/research-new-approach.pdf
Society for Information Risk Analysts: http://societyinforisk.org/