Adding value to business performance through cost benefit analyses of information security investments : MBA-thesis in marketing

Cardholm, Lucas

January 2007

<p>The purpose of this thesis is to present an approach for good practice with regards to using cost benefit analysis (CBA) as a value-adding activity in the information security investment process for large enterprises. The approach is supported by empirical data.</p><p>From a MIO model perspective, this report is focused on the phase of strategic choices regarding organization, i.e. trying to find optimal investments for efficient operations. To assess, improve and monitor the operational effectiveness and management’s internal control environment is essential in today’s business execution. Executive management and boards are increasingly looking for an information security governance framework that encompasses information technology and information security: a single framework through which all information assets and activities within the organisation can be governed, to provide the optimum capability for meeting the organisation’s objectives, in terms of functionality and security.</p><p>The investment decision is one of the most visible and controversial key decisions in an enterprise. Some projects are approved, others are bounced, and the rest enter the organisational equivalent of suspended animation with the dreaded request from the decision makers to “redo the business case” or “provide more information.”</p><p>The concept of cost benefit analyses of information security helps management to make decisions on which initiatives to fund with how much, as there needs to be an approach for measuring and comparing different alternatives and how they meet business objectives of the enterprise. Non-financial metrics are identified using different approaches: governance effectiveness, risk analysis, business case analysis or game theory. The financial performance metrics are driven by the main value disciplines of an enterprise. These lead to the use of formulas enabling the measurement of asset utilisation, profit or growth: ROI (ROIC), NPV, IRR (MIRR), FCF, DCF, Payback Period, TCO, TBO, EVA, and ROSI.</p><p>The author shows research in the field of good corporate governance and the investment approval process, as well as case studies from two multinational enterprises. The case from Motorola demonstrates how IT governance principles are equally applicable to information security governance, while the case from Ericsson demonstrates how an information security investment decision can be supported by performing a cost benefit analysis using traditional marketing approaches of business case analysis (BCA) and standard financial calculations.</p><p>The suggested good practice presented in this thesis is summarised in four steps:</p><p>1. Understand main rationale for the security investment</p><p>2. Identify stakeholders and strategic goals</p><p>3. Perform Cost Benefit Analysis (non-financial and financial performance metrics)</p><p>4. Validate that the results are relevant to stakeholders and strategic goals</p><p>DISCLAIMER</p><p>This report is intended for academic training only and should not be used for any other purposes. The contents are not to be considered legal or otherwise professional advice. No liability is taken, whatsoever, by the author.</p>

cost benefit analysis

information security investment

TBO

EVA

ROSI

business performance

business case

information technology

ROI (ROIC)

NPV

IRR (MIRR)

FCF

DCF

Payback Period

TCO

Business and economics

Ekonomi

Adding value to business performance through cost benefit analyses of information security investments : MBA-thesis in marketing

Cardholm, Lucas

January 2007

The purpose of this thesis is to present an approach for good practice with regards to using cost benefit analysis (CBA) as a value-adding activity in the information security investment process for large enterprises. The approach is supported by empirical data. From a MIO model perspective, this report is focused on the phase of strategic choices regarding organization, i.e. trying to find optimal investments for efficient operations. To assess, improve and monitor the operational effectiveness and management’s internal control environment is essential in today’s business execution. Executive management and boards are increasingly looking for an information security governance framework that encompasses information technology and information security: a single framework through which all information assets and activities within the organisation can be governed, to provide the optimum capability for meeting the organisation’s objectives, in terms of functionality and security. The investment decision is one of the most visible and controversial key decisions in an enterprise. Some projects are approved, others are bounced, and the rest enter the organisational equivalent of suspended animation with the dreaded request from the decision makers to “redo the business case” or “provide more information.” The concept of cost benefit analyses of information security helps management to make decisions on which initiatives to fund with how much, as there needs to be an approach for measuring and comparing different alternatives and how they meet business objectives of the enterprise. Non-financial metrics are identified using different approaches: governance effectiveness, risk analysis, business case analysis or game theory. The financial performance metrics are driven by the main value disciplines of an enterprise. These lead to the use of formulas enabling the measurement of asset utilisation, profit or growth: ROI (ROIC), NPV, IRR (MIRR), FCF, DCF, Payback Period, TCO, TBO, EVA, and ROSI. The author shows research in the field of good corporate governance and the investment approval process, as well as case studies from two multinational enterprises. The case from Motorola demonstrates how IT governance principles are equally applicable to information security governance, while the case from Ericsson demonstrates how an information security investment decision can be supported by performing a cost benefit analysis using traditional marketing approaches of business case analysis (BCA) and standard financial calculations. The suggested good practice presented in this thesis is summarised in four steps: 1. Understand main rationale for the security investment 2. Identify stakeholders and strategic goals 3. Perform Cost Benefit Analysis (non-financial and financial performance metrics) 4. Validate that the results are relevant to stakeholders and strategic goals DISCLAIMER This report is intended for academic training only and should not be used for any other purposes. The contents are not to be considered legal or otherwise professional advice. No liability is taken, whatsoever, by the author.

cost benefit analysis

information security investment

TBO

EVA

ROSI

business performance

business case

information technology

ROI (ROIC)

NPV

IRR (MIRR)

FCF

DCF

Payback Period

TCO

Business and economics

Ekonomi

Étude expérimentale du couplage entre croissance bactérienne et transport d'un polluant organique en milieu poreux / Experimental study of coupling between bacterial growth and transport of an organic pollutant in a porous medium

Koné, Tiangoua

18 May 2012

Un dispositif expérimental a été développé pour l'étude du couplage de la croissance d'un biofilm de Shewanella oneidensis MR-1 et du transport conservatif de l'Erioglaucine. La croissance du biofilm a été suivie par mesure de conductivité hydraulique et par acquisition d'images à l'aide d'une caméra digitale. La fraction volumique du biofilm a été caractérisée par des essais d'élution d'une macromolécule (i.e. : le Bleu Dextran) par analogie avec les méthodes de chromatographie d'exclusion ou de filtration sur gel. Ainsi au bout de 29 jours, un biofilm quasi-homogène sur l'ensemble de la cellule d'écoulement (0,1×0,1×0,05m3) et équivalent à 50% du volume poral a été formé. L'influence de la croissance du biofilm sur les propriétés de transport du milieu a été évaluée. Les essais de transport conservatif de l'Erioglaucine effectués pour deux vitesses d'injection et à deux stades de croissance du biofilm (17 et 29 jours) ont montré l'influence d'hétérogénéités locales sur les paramètres de transport (i.e. : la porosité, la perméabilité et la dispersion hydrodynamique). Ainsi après 17 jours de culture quand le biofilm occupe partiellement le milieu poreux (moitié inférieure) un modèle à deux équations ou double milieu permet de caractériser le transport conservatif. A contrario après 29 jours de culture où le biofilm occupe tout le milieu poreux, un comportement fickien classique caractérise le transport. Les valeurs théoriques du coefficient de dispersion longitudinale prédites par la méthode de prise de moyenne volumique ont permis de reproduire de manière satisfaisante le comportement observé expérimentalement / An experimental device was performed for the study of coupling the growth of a Shewanella oneidensis MR-1 bacterial biofilm and the non reactive transport of Brilliant Blue FCF. The biofilm growth was monitored by hydraulic conductivity measurements and by image acquisition with a digital camera. The biofilm volume fraction was estimated through tracer experiments with a macromolecular tracer (i.e., Dextran Blue) as in size-exclusion chromatography or gel filtration chromatography. Then after 29 days of bacterial culture a quasi-homogenous biofilm was grown in the whole flow cell (0,1×0,1×0,05m3) occupying about 50% of void space volume. The influence of biofilm growth on porous media transport properties was evaluated. Conservative tracer experiments with Brilliant Blue FCF run at two hydrodynamic conditions and at two growth steps of biofilm (17 and 29 days) showed the influence of local heterogeneities on transport parameters (i.e., porosity, permeability and hydrodynamic dispersion). Then at 17 days of growth when the biofilm partially covers the porous medium (bottom half of the flow cell) a two-equation model or double-layer model was suitable to characterize the conservative transport. A contrario after 29 days of growth, when the biofilm covers the whole porous medium, a classical fickian model was convenient. Numerical values of longitudinal dispersion coefficient from volume averaging well fitted experimental results

Biofilm

Shawenella oneidensis

Milieu Poreux

Transport Conservatif

Erioglaucine

Bleu Dextran

Prise de moyenne volumique

Biofilm

Shawenella oneidensis

Porous media

Conservative Transport

Brilliant Blue FCF

Dextran Blue

Volume Averaging

660.284 2

高階經理人薪酬與公司違約風險之研究-以台灣上市公司為例探討

胡營欽, Hu, Ying Ching

Unknown Date

過去研究多將焦點集中在增加高階經理人薪酬，將可促使高階經理人為公司股東的權益努力，為此探討提昇股東權益包含高階經理人獎酬與公司績效間的關聯，卻忽略了其與風險間的關係。高階經理人員可能因為獎酬的激勵，從事對公司有利且風險較低的計畫，也可能會為了提高自身的權利，將風險轉嫁給公司，因此激發出探討高階經理人員獎酬與公司風險間的關係的研究動機。 本研究以KMV模型之預期違約率作為公司風險之參數，探討高階經理人之 薪酬、自由現金流量、KMV信用風險之關係，同時瞭解公司規模是否影響高階 經理人薪酬、自由現金流量及公司績效與公司KMV信用風險間的關係。 研究結果顯示，公司高階經理人的薪酬與公司違約風險呈負相關，即高階經理人薪酬的提高，確能降低公司的違約風險，但此現象僅在大規模公司才能發現。此外，就自由現金流量而言，小規模公司之自由現金流量愈多，存在較高的風險，惟有提高公司營運績效，方能減緩公司風險的承擔。另一方面，對於高階經理人薪酬的提升，雖然在小規模公司並沒有效果，但係有助減緩自由現金流量帶來的負向衝擊。最後，前述小結僅存在於小規模公司群體，這可能是因為，大公司擁有較高的政治成本，因此為了避免社會的關注，大公司較小公司有較好的公司治理機制，因此管理當局較不可能基於自利的動機來影響公司的風險。 / Many past researches focused on senior manager will be able to work hard for raising shareholder’s equity because of higher compensation. Many researches of raising stakeholder’s equity explored the relation between senior manager compensation and financial performance, but ignored the relation with credit risk of company. Senior managers maybe perform lower or higher risk project for themselves benefit due to some higher compensation motivation. Thus this researching will refocus on exploring the relation between senior manager compensation and company credit risk. This study will discuss the relation among senior manager compensation, FCF and KMV company credit risk by EDF of KMV model as a parameter of company credit risk. And to understand the scale of company weather influence the relation among senior manager compensation, FCF and KMV company credit risk? The results of this research show that the senior manager compensation is negatively correlated with company credit default risk. On the other hand, higher senior manager compensation will reduce the risk of company credit default, but this phenomenon can be found only in lager companies. In addition, as far as small company's FCF, the more FCF, the more there is a higher risk. Increase company's operating performance, the company credit risk can be slow down. On the other hand, in small company there is no effect on raising senior manager compensation, but it will help mitigate the negative impact of FCF. Finally, the foregoing summary is just only in small company groups, may be because larger companies have higher political cost, so in order to avoid the concern of society, larger companies have better corporate governance than small companies, thus senior manager will not be able to influence the company’s credit risk for their self-interested motivation.

高階經理人之薪酬

自由現金流量

KMV信用風險

預期違約率

senior manager compensation

FCF

KMV

EDF