DETROIT – Software assurance is a national security priority. That is because a computer-enabled national infrastructure is as reliable as the code that underlies it. Thus, common sense alone ought to dictate that any valid way to increase confidence in the security and reliability of America’s software ought to be at the top of everybody’s shopping list.

Unfortunately, the problem with any assurance process is that, if it is working right, the main benefit is that absolutely nothing happens. So, a process that drives up cost without any documentable return is a tough sell, no matter how seemingly practical the overall principle might be.

The ability to provide that answer is contingent on finding a suitable method for valuation, one which will allow managers to make “intelligent” decisions about the most economically justifiable level of assurance. There are a number of general models for assessing the value of an IT investment. It is our belief that elements of some, or all, of these might be used to build a business case for determining how much software assurance investment is justified for any given situation.

Therefore, the purpose of this paper is to summarize each of those models and to provide a brief discussion of their common features. What follows is a presentation of the fourteen most commonly cited models for IT valuation. This list was gleaned from an exhaustive review of the literature. Although it is comprehensive, it does not encompass every model out there, since there are a number of approaches that are strictly proprietary. These are not presented.

The general models for valuation can be factored into four categories:

Investment Oriented Models

Cost Oriented Models

Environmental/Contextual Oriented Models

Quantitative Estimation Models

Investment Oriented Models

Total Value of Opportunity (TVO) – Gartner

TVO is a standard metrics-based approach. Its aim is to judge the potential operational performance of a given IT investment over time. It is an invention of the Gartner group. It centers on the measurement-based assessment of risk over time and the flexibility created by a given investment option (flexibility is defined by Gartner as the ability to create business value out of a particular change to the organization). TVO is built around four factors:

Cost/benefit analysis

Future uncertainty

Organization diagnostics

Best practice in measurement

Total Economic Impact (TEI) – Giga

Like TVO, Total Economic Impact (TEI) is meant to integrate risk and “flexibility” into a decision support model for IT investment. It is a proprietary methodology of the Giga Group. It allows the organization to factor “intangible” benefits into the equation during the cost-benefit analysis. TEI is based on the assessment of three “key” areas of organizational functioning:

Flexibility

Cost (as TCO)

Benefits

Once these factors are quantified, the organization seeks to determine the risks associated with each of them. The risk assessment comes in the form of an uncertainty, or likelihood estimate.

TEI is one of the softer kinds of value estimation methodologies. As such, it seems to be most useful if the aim is to align a technology investment with a business goal, or to communicate the overall value proposition of an initiative. Its primary intent is to underwrite sound business decisions about a given set of alternatives. It does that by communicating each option’s full value in business terms. Thus, TEI can be used to justify and relate a proposed direction to any other possible directions. That creates a portfolio view of the entire IT function. Since understanding the overall impacts is obviously one of the primary goals of any software assurance valuation process, this approach is very attractive.

Rapid Economic Justification (REJ) – Microsoft

In order for it to be acceptable, the cost of software assurance activity has to be justifiable in hard economic terms. But more importantly, that estimate has to be available when needed. The problem is that most of the valuation techniques that we are discussing require long periods of data collection in order to produce valid results.

REJ focuses on balancing the economic performance of an IT investment against the optimal resources and capital that will be needed to set it up and run it. REJ involves the tailoring of a business assessment road map, which identifies a project’s key stakeholders, critical success factors and key performance indicators. The latter category is composed of just those indicators that might be needed to characterize business value. The Rapid Economic Justification process follows five logical steps:

Understand the Business Value

Understand the Solution

Understand the Improvements

Understand the Risks

Understand the Financial Metrics

Cost Oriented Models

Economic Value Added (EVA) – Stern Stewart & Co

EVA approaches IT investment as a value proposition rather than as a cost. That is, EVA attempts to characterize all of the ways a prospective investment might leverage organizational effectiveness. It approaches that question by looking at a prospective function in terms of the internal cost saving, as compared to the cost of obtaining the same function through the external market rate (e.g., the cost if the service were provided by an outside vendor). Once the comparative market value of obtaining the function is determined, EVA provides a quantification of the net operating benefit of the prospective investment.

Approached as a tradeoff process between total investment cost and potential profit, EVA is a good way to gauge the organizational-level impact of any process such as assurance. Beyond the general cost/benefit view, however, EVA is really only useful when it leads into the use of another, more precise valuation methodology.

Economic Value Sourced (EVS) – Cawly – Meta Group

The investment in software assurance is always speculative. That is because the risk and reward structure is hard to quantify when the aim is prevention. In essence, then, many of the economic benefits of an investment in software assurance are indirect, abstract, or qualitative. For instance, how do you quantitatively measure the increased customer satisfaction of a proven secure web-based bill paying system?

EVS assumes that IT investment decisions can be valued based on three strategic aims. These are reduction of risk, increase in productivity or decrease in cycle time. The approach to characterizing these three objectives is based on traditional ROI estimates. EVS then factors in standard risk and timing considerations such as flexibility (e.g., how much flexibility does the investment create for the organization at a given point in time?). EVS is an attractive way to justify a software assurance investment. That is because it allows for considerations outside of the traditional economic rate of return.

Total Cost of Ownership (TCO) – Gartner

Total cost of ownership (TCO) is one of the older, and more traditional, cost-based valuation approaches. It assesses an investment based strictly on its total direct and indirect costs. TCO aligns those costs with ongoing business performance in order to evaluate total value. Nevertheless, TCO does not assess risk or provide a means to ensure alignment with business goals.

When incorporated with a classic financial analysis method, such as ROI, TCO can provide a true cost basis for determining the economic value of any given investment. TCO takes a holistic view of total organizational cost over time. Ideally, TCO will let the manager calculate a projected rate of return on any investment based on the initial capital outlay, as well as all of the aspects of the continuing cost of operation and maintenance. That cost estimate typically includes such