Calculating the Real Cost of Security Projects – Part 1

Information security is first and foremost a business issue. As IT professionals, we need to analyze the merits of any security project based on how much the investment will benefit the organization.

To perform this analysis, you need to determine the size of the investment, in terms of monetary cost, and the amount of time it takes for the investment to pay for itself (ROI). ROI is also a useful way to compare different solutions that solve a common problem.

The Basics

A security project may include the investment of human resources, the purchase of technology, or both. The investment of human resources is measured in time and then converted to monetary cost by estimating the cost of the resources used. I’ll use “dollars” for the monetary unit in this article.

The investment of purchasing technology is measured in out-of-pocket costs plus the human resources required to implement and maintain it.

Any worthwhile security project is intended to solve one or more security problems. The problem may be that some aspect of managing security costs too much. Or it could be that the level of risk your organization accepts, given your current investment in security management, remains too high. Whatever the objectives, in order to make a solid business decision for choosing any solution, you have to estimate the cost of three different factors:

  1. Current cost of managing the aspect of security being addressed by the project
  2. Overall cost of the proposed solution or solutions
  3. Return on investment (ROI) for each of the proposed solutions.

I’ve spent a lot of time understanding the real cost of managing passwords so I’ll use it as an example to show you how to calculate these costs of any security project. While we will discuss specific costs associated with password management, there are similar component costs and the same techniques for calculating those costs for any security project.

In this post, we’ll discuss the first of these three items.  I’ll cover the second and third items in a subsequent post.

Analyzing the Project

You are a system administrator for your organization.

Your organization seems to spend a lot of time and money helping users manage their passwords. A recent study determined that 40 percent of the calls to the help desk involve helping end users log in to a system or an application. Average wait times for help desk calls are increasing. Hiring additional help desk staff is one solution, but reducing the number of calls to the help desk is another.

Your boss has asked you to determine if there is any way to reduce the calls to the help desk.  You have done some research and learned that there are several different password management products that may help. Also, there is a service provided by Botz & Associates (go figure!) called SSO stat! that claims to help you eliminate passwords.

Both of these approaches (automated password management and password elimination) should reduce the number of calls to the help desk. Password management products do this by shifting the responsibility for remembering passwords from the end user to a product managed by the IT department (i.e., you or someone hired to own and manage the application). The password elimination approach reduces the physical number of passwords that need to be managed, which in turn reduces the number of calls to the help desk.

You are leaning towards the password elimination approach (naturally), but you need to provide the business justification for this approach.

Analyzing Current Costs

The first thing you need to do is determine how much money your organization currently spends to manage passwords. Obviously, your organization does not explicitly spend money to manage passwords. But password management does cost your organization in terms of the time being spent by the organization as a whole to manage passwords.  To determine the monetary impact, you estimate the total amount of time spent and then apply the cost to the organization to employ those resources for that amount of time.

The dollar amount represents an opportunity cost for the organization. That is, you lose the opportunity to do something more productive with your resources because part of their time is required to manage passwords.

Opportunity cost is a real cost to your organization. However it doesn’t represent dollars that can be spent elsewhere in the organization. It represents an opportunity to improve the productivity of the resources you currently have and thus improve the organization’s return on that investment.

Converting Time to Cost

Password management is a task in which virtually everyone in your organization will be involved. End users spend time selecting and changing their passwords, trying to remember their passwords, typing their passwords, and periodically working with the help desk to get logged in or to reset or change their passwords. Help desk personnel and/or system administrators spend time initializing passwords, working with end users to help them log in, investigating login problems, and resetting or changing passwords.

How do you turn all of this time spent by various individuals into a dollar cost for the organization? And how do you do this without spending a ton of time and money on a major research study?

First, estimate the amount of time the “average” end user spends on changing passwords in a year. Then estimate the amount of time the same average end user spends with the help desk sorting out log in issues.  Then add these two together. That gives you a rough estimate of time spent by each end user.

Your accounting department may be able to give you a number called the “burden rate” for your organization’s end users. This number represents the cost to employ a single person for a year. It includes not only their salary, but all the other costs including taxes, benefits, office space, phone, computer, etc.  The average burden rate is essentially the total cost of employing all employees divided by the total number of employees.  This value provides the most accurate estimate for tasks that are performed by virtually all employees.

Second, estimate the total amount of yearly time spent by help desk and system administrator personnel on tasks related to setting and resetting passwords, plus the time spent on the phone helping end users, plus the time investigating password management issues. These tasks may all be done by the help desk, by system administrators or both. I estimate the amount of time spent by help desk and system administrator personnel separately primarily because these resources typically have a higher than average burden rate.

Burden Rate Estimates

It might be difficult for you to get the average burden rate or the burden rate for specific job types. If the accounting department doesn’t want to give this number out, use your own salary as a guide. The burden rate for most organizations is somewhere between 1.5 and 1.75 times salary.  Apply a number in this range to your salary and you have your burden rate. You’ll have to make some relatively uninformed guesses about where your salary ranks in the organization. If you are new, you may be paid less than most people performing your job. Depending on the exact job requirements, people working the help desk may have a higher or lower burden rate.  Your boss may help you make some of these guesses.

In the absence of burden rates supplied by the accounting department, I always try to err on the side of underestimating the cost of human resources. This leads to the most conservative estimate of password management costs. Once you have numbers to use in calculating your estimate, you can always tweak them and redo the calculation.

To calculate the cost of time spent managing passwords by your organization, convert the average burden rate per year to the unit of time in your time estimates. For example, if your time estimate for total time spent managing passwords is in “minutes per year per person,” convert the burden rate from dollars per person per year to dollars per person per minute. Accountants use an estimate of 2000 work hours per year per person. To convert the burden rate from dollars per person per year to dollars per person per minute, multiply 2000 (hours) by 60 (minutes) and divide the burden rate by this result. If the average burden rate per year is $50,000, then the average burden rate per minute is $50,000 / (2000 X 60), or approximately $0.42.

In our example we will assume that the burden rate of highly skilled system administrators is higher than the average burden rate for the organization. We will use $60,000 as the yearly burden rate for this group of employees ($30 per hour, $0.50 per minute).

Estimating Time

Now you have to find or estimate all of the time spent on various components of password management. There are some numbers you know and some you will have to make an educated guess or get help from others to estimate.  The estimates in the example below should not be considered especially accurate. They may or may not be reasonable for you or even within the context of this example!

Data You Already Know

Here are the numbers you know or can easily get from management or others along with the values to be used in our example in parenthesis:

  • Total number of employees. (example: 1000)
  • The average number of passwords each user must change. (example: 3)
    You will know or have a good idea of the average number of passwords your end users must change; i.e. the average number of systems and applications for which a user is given a userID that must be provided to access that system or application.
  • The number of mandatory password changes per year. (example: 4)
  • The number of employees working on the help desk. (example: 4)
    In our example, there are two people on first shift and one each on the other two shifts.
  • The number of work days per year. (example: 250)
    We arrived at 250 by dividing 2000 hours per year per person by 8 hours per day.
  • Percentage of time the help desk spends on password management tasks. (example: 40%)
    From industry studies we know that the average help desk spends somewhere between 30% and 60% of their time on password management related issues. We use 40% as a more conservative estimate.
  • Average burden rate for the entire organization. (example: $50,000 per year per person)
    Calculate yours according to the burden rate discussion above.
  • Average burden rate for system administrators and help desk personnel. (example: $60,000 per year)
    Calculate yours according to the burden rate discussion above.

End User Time

For end users, there are three different types of time expenditures for password management-related tasks. You will most likely have to ask for input from others or use your best guess to arrive at an estimate.

  1. Time required to change their passwords each time they are required to change them. (example: 10 minutes)
    I usually tell administrators to think about the amount of time they spend changing passwords. Use this as a lower bound for time spent by the average user. I find that the value of this estimate is usually more than first thought. Test it out: the next time you need to change your password, track the time. This time will vary based on password complexity requirements, whether and when past passwords can be used again, how similar the complexity rules are between each of the systems, and the number of passwords to be changed. Your time will likely represent a lower bound for the time it takes the average person to successfully change their passwords.
    For our example we use 10 minutes as the time it takes to successfully change three passwords.
  2. Time spent remembering and typing in passwords each time they are prompted. (0 minutes)
    I usually assume this time is negligible and ignore it in my cost estimates.
  3. Time spent figuring out how to login when the userID and password they initially provide doesn’t work.  (20 minutes)
    This time includes the time spent by the end user on calls to the help desk.  The manager of the help desk may be able to tell you how long a password-related help desk call lasts. End users typically spend a few more minutes than this fumbling around trying to figure out what happened or what is the right userID and/or password.
  4. Average number of calls to help desk for password issues per year per person. (1)
    Some users will hardly ever have to call the help desk, and others will call more often than expected. You may be able to get an idea for this number from the folks that work on the help desk.

Help Desk Time Estimates

The help desk manager may be able to provide you estimates for the amount of time spent by the help desk on password-related issues in a year. If not, you can often provide a ballpark estimate based on the information you do know.  For example, you know or can easily find the number of people that work on the help desk team. You know they are assumed to work eight hours a day and that they take breaks and have a one-hour lunch. So they each spend roughly 6.5 hours a day answering phone calls.  From this data we can calculate an estimate of the amount of time the help desk spends per year on password management related tasks:

  • Time per day. (10.4 hours)
    6.5 hours per help desk team member X .40 on password management X 4 team members
  • Time spent per year. (2600 hours or 156,000 minutes)
    10.4 hours per day X 250 days per year

Now we have all of the information we need to generate an estimate of the cost to the organization for managing passwords.

Calculating End User Cost

You can calculate the end user cost for changing passwords as follows:

  • Minutes spent changing passwords = 1000 (total employees) X 10 minutes per change X 4 changes per year =
    1000  X  10  X  4 = 40,000 minutes
  • Cost to change passwords = 40,000  X  $0.42 = $16,800 per year

To this we add the end user cost of time to get help from the help desk when end users are unable to log in to a system or application:

  • 15 minutes (end user time with help desk) X 1000 users X 1 time per year =
    15  X  1000  X  1 = 15,000 minutes
  • Cost for end user help desk time = 15,000  X  $0.42  =  $6300 per year

The cost for end users to manage passwords, given our example and assumptions is:

$16,800  +  $6300  =  $23,100

Calculating Help Desk Cost

Using the help desk estimates from above we calculate the help desk costs as follows. Remember, this includes all help desk time spent on password management, not just on calls from users:

  • 2600 hours per year  X  $30 per hour = $78,000 per year


Calculating Total Cost of Password Management

At this point, calculating the total cost to the organization is a simple matter of adding end user costs to the help desk cost. In our example the total cost to the organization is:

$23,000  +  $78,000  =  $101,000

When I work through this exercise with customers, they are usually very surprised at how much money it actually costs an organization just to manage access to computing resources!
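The whole calculation above, as an added example that is not from the original post or the Botz & Associates calculator: every input defaults to the value used in this post, so you can change one figure and rerun the “what if.” It uses the 15-minute help desk figure the worked numbers use and reports the unrounded end user total ($23,100), so the grand total comes out $100 above the rounded figure in the post.

```python
from dataclasses import dataclass

WORK_HOURS_PER_YEAR = 2000      # accountants' convention used in the post
WORK_DAYS_PER_YEAR = 2000 // 8  # 250 days


def burden_rate_per_hour(yearly_burden: float) -> float:
    """Dollars per person per hour from a yearly burden rate."""
    return yearly_burden / WORK_HOURS_PER_YEAR


def burden_rate_per_minute(yearly_burden: float) -> float:
    """Dollars per person per minute, rounded to cents as the post does ($0.42)."""
    return round(yearly_burden / (WORK_HOURS_PER_YEAR * 60), 2)


@dataclass
class PasswordCostInputs:
    # Defaults are the example values from the post; replace them with your own.
    employees: int = 1000
    changes_per_year: int = 4
    minutes_per_change: float = 10
    helpdesk_calls_per_user_per_year: float = 1
    minutes_per_helpdesk_call: float = 15
    helpdesk_staff: int = 4
    phone_hours_per_day: float = 6.5     # 8-hour day minus breaks and lunch
    helpdesk_password_share: float = 0.40
    avg_burden: float = 50_000
    helpdesk_burden: float = 60_000


def end_user_cost(i: PasswordCostInputs) -> dict:
    """Yearly end user cost: password changes plus time spent with the help desk."""
    rate = burden_rate_per_minute(i.avg_burden)
    change_minutes = i.employees * i.minutes_per_change * i.changes_per_year
    call_minutes = (i.employees * i.minutes_per_helpdesk_call
                    * i.helpdesk_calls_per_user_per_year)
    changes = round(change_minutes * rate, 2)
    calls = round(call_minutes * rate, 2)
    return {"changes": changes, "help_desk_calls": calls,
            "total": round(changes + calls, 2)}


def help_desk_cost(i: PasswordCostInputs) -> float:
    """Yearly cost of all help desk time spent on password management."""
    hours_per_day = i.phone_hours_per_day * i.helpdesk_password_share * i.helpdesk_staff
    hours_per_year = hours_per_day * WORK_DAYS_PER_YEAR
    return round(hours_per_year * burden_rate_per_hour(i.helpdesk_burden), 2)


def total_cost(i: PasswordCostInputs) -> float:
    """Total yearly opportunity cost of password management."""
    return round(end_user_cost(i)["total"] + help_desk_cost(i), 2)


if __name__ == "__main__":
    inputs = PasswordCostInputs()
    print(end_user_cost(inputs), help_desk_cost(inputs), total_cost(inputs))
```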


Summary

We used password management costs for our example, but some of the data will be the same regardless of the type of security project you’re assessing. You will also use similar techniques to find or estimate data that isn’t readily available.

There is a fair amount of data to gather and to understand when estimating costs.  You have to determine which employees are affected, how much it costs to employ those affected, and how much time is spent by affected employees on the task or tasks in question.  And then you have to know how to use that data in your calculations.

If you want to estimate the cost of password management for your organization, you can use the Botz & Associates SSO ROI Calculator utility. It handles all the calculations for you, including translating time units, so you can run any number of “what if” scenarios in minutes. All you have to do is provide the estimates asked for in the utility.

The calculator is freely available at http://www.botzandassociates.com/download/sso-roi-calculator

You will probably be surprised by how much you’re spending.

I will continue this series by covering how to calculate the cost of a solution for a security-related project as well as how to calculate the return on investment for a project in my next post.

Register for Botz Bytes and/or the Botz & Associates blog to make sure you see the next post on calculating and comparing the cost of security projects.
