Encryption ROI: You Can Sometimes Calculate A True Return On Investment For Encryption….

…but I really wouldn’t recommend it.  For one, it’s highly illegal.  But, as far as I can see, it’s the only way you can really calculate a return on investment (ROI) when it comes to deploying and installing encryption on laptop computers.  Other reasons for not engaging in it: it’s illegal; you have to deal with malware; you’re scum if you do this; and it’s illegal.  Did I mention it’s illegal?

First, Define ROI

ROI.  These three simple letters have an unusual impact in business decision-making.  There’s no shortage of efficiency experts in the business world, and everyone seems to be in agreement: you can only maximize profitability if you maximize efficiency.  Since a business concern’s objective is to make money, everyone is looking to maximize their return on investment on every aspect of their business.  “What’s the ROI on that particular proposal?” they ask.

The thing is, ROI only applies to assets, which is why ROI is sometimes known as ROA, return on assets.  One really shouldn’t ask for an ROI on something that’s not an asset; it just doesn’t make sense.  For example, your janitors are not assets, no matter how well they maintain your offices, because they don’t make you money.  That is, they’re not an asset in the accounting sense, and thus ROI/ROA cannot be calculated for them.

This is also true for office furniture, the kitchen utilities in the break room, the shredder in the corner, and the toner cartridge in your printer, among other things.

Likewise, encryption software is also not an asset, at least not in the accounting sense.  And yet when IT departments try to justify their need for the use of laptop encryption and other types of data security solutions, one of the things they are tasked with is to figure out the ROI.  If the “ROI” is not up to snuff, the proposals for certain types of information solutions are quashed.

I repeat, encryption cannot give you an ROI because it’s not a money maker.  There are always exceptions, of course.


It sounds like a non sequitur, but bear with me: according to ibtimes.co.uk, a band of hackers made millions of dollars in 100 days using encryption (a note on the math follows further below).  Talk about ROI, eh?

How did they do this?  The hackers distribute a particular brand of malware known as Cryptolocker.  The malware gets downloaded to a person’s computer and encrypts the hard drive.  It will only be decrypted if the owner of the computer pays a ransom.  The cost?  $300.  If the ransom is not paid within 72 hours, the encryption key is deleted, making it impossible to recover the data.  Ever.

Well, not ever; that’s a little dramatic.  But it’s going to take a while, ranging anywhere from centuries to millennia, if the hackers did it right.

Of course, not all pay the ransom.  According to estimates, a minimum of 0.4% of people hit by the malware do pony up the cash.  Another estimate puts the number of affected machines between 200,000 and 250,000.  Based on these figures, the folk over at ibtimes.com conservatively estimate that the hacker crew made $3,000,000 since the malware’s release, in September of this year.

(Well, they initially calculated $3 million based on their estimate parameters.  I see that it’s been changed to $300,000, which is the correct figure…)

Anyhow, let’s return to the subject at hand, shall we?  Can we calculate an ROI in this case?  Yes.  The encryption is instrumental in convincing people to send in money.  You could say it’s the enforcing element.  The ROI is the money the hackers made ($300k) divided by how much it has cost the hackers to run their operations.

But, aside from pulling off a scam like the above, you’re going to have problems calculating an ROI for encryption.  Honest businesses can only calculate an ROI if their laptops are stolen.  Even then, it’s a theoretical exercise, since the use of encryption tends to provide safe harbor from federal and state laws that govern sensitive private data.

Of course, when a laptop is not stolen, the ROI of encryption is zero (as it should be, seeing how encryption is not an asset in the accounting sense).

