In an IT organization, recent system penetration testing revealed a system security breach of customer data vulnerabilities including error messages information that can reveal system back-doors for hackers. A breach of customer data will create potentially several unplanned costs such as: (1) forensic examination; (2) notification of customers and third parties; (3) increased call center costs; (4) public relations costs; (5) legal defense and potential settlements; and, (6) federal or state fines, penalties, and potential required future audits.

The Director of Security believes there is only a 5% chance over the next three years, that the "error messages" back-door would lead to a breach of customer data. However, if a breach of customer data results from this back-door vulnerability, the 10-50-90 range of impact to the company as measured in net present value is -$31.3MM, -68.3MM, and -125.2MM respectively.

The IT organization has suggested a solution to resolving this back-door vulnerability that would cost $10M in capital ($7MM in 2024 and $3MM in 2025) and about $400,000 in expense spread evenly between 2024 and 2025. The Director of Security believes this would reduce the chance of a breach of customer data to as little as 1% over the next three years. Unfortunately, the range of impacts given the breach occurs remains the same. Adjusting for the cost of the intervention, the 10-50-90 range of impact to the company as measured in net present value is -$38.7MM, -$76.5MM, and -$134.5MM. If the risk does not occur and the IT organization invested in the solution, the net present value of that scenario is -$6.8MM. The companys risk-free discount rate is 7%.

1. What is the expected NPV impact (expected risk liability) before implementing the IT solution?

2. What is the expected NPV impact (expected risk liability) after implementing the IT solution?

3. What is the present value of the IT solution investment?

4. What is the investment productivity of pursuing the IT solution?

5. Should they invest in the IT solution? If yes, why?

6. If the before investment probability of risk occurrence increases to 15%, should they pursue the IT solution? (Assume the after investment probability remains at 1%.)