
Calculating the Real Cost of Security Projects – Part 2

In a previous post on this topic, I discussed how to calculate the cost of a security-related project and how to compare different solutions for a given security-related project or issue.  I asserted that there are three different aspects that you need to calculate to accomplish this:

1. Current cost of performing or managing the security-related task or tasks being addressed by the project

2. Overall cost of the proposed solution or solutions

3. Return on investment (ROI) for each of the proposed solutions.

That first post covered the first item in this list.  This post covers the remaining two items.

Security Risk vs. Cost — Your Choice

Security is a function of risk and cost. In general there are two ways to deal with risk. You can accept it or you can spend precious resources to reduce it.

The amount of money your organization spends on all security-related tasks and products in a given year represents the amount of money your organization spends to achieve its current level of accepted information security risk.

A security-related task is any process or procedure that is executed by a person or product in order to address some aspect of security. A security project uses human resources, automation, or both to implement new security tasks or change existing ones so that security is better addressed.

Every security-related project is ultimately intended to reduce risk, to reduce the cost of achieving your current level of risk, or both.  Some projects will reduce risk, but increase the cost for the organization to achieve its desired level of risk. Some projects will not significantly change the current level of accepted risk, but will reduce the cost of achieving that level of risk compared to current costs.

“Homerun” security projects will both reduce the level of accepted risk and reduce the cost of achieving that new lower level of risk.

In order to make a rational business decision about any security project, you have to:

  • Identify the specific tasks addressed by the project
  • Estimate the current cost to perform those tasks
  • Identify the current level of accepted risk
  • Identify a solution or solutions that either reduce the risk addressed by those tasks and/or reduce the cost of performing those tasks
  • Estimate the overall cost to implement each solution
  • Estimate how a solution affects the cost of performing the new or changed tasks once the solution is implemented.
  • Estimate how a solution affects your current level of accepted risk.
  • Compare the current cost of managing the specific aspects of security (i.e. risk) addressed by the solution with the overall cost of implementing the solution.
  • Compare the relative value of two or more solutions for a given security task.

Note that accurately measuring risk is a fairly complicated task. Accurate estimates require a formal risk planning process.  As such, risk measurement is not included in this topic. Many security projects are based on the assumption that risk will not be appreciably affected, or on the fact that the project is required to meet industry standards or government regulations.

In many organizations, risk is never formally measured. The methodology I propose works within the parameters of that reality.

 

A Sample Solution

In the first post we used a sample project intended to reduce the cost of password management to illustrate how each step of the process works.  That post detailed how to calculate the current cost of password management.

Continuing on with that example, we’ll evaluate the Botz & Associates SSO stat! password elimination service as one way to lower the cost of managing passwords.

First a note about risk. While I personally believe that the password elimination approach to reducing password management costs also reduces risk, the cost of accurately measuring that reduction is significant. That said, SSO stat! relies on the Kerberos authentication protocol, which is understood very well and considered by security experts to be much more secure than userID/password authentication.  Given this, we can confidently assert that SSO stat! does not negatively impact an organization’s current level of risk. Thus we can analyze the business value of SSO stat! solely on how much, if any, it reduces an organization’s cost to manage passwords.

The example project was based on several assumptions:

  • 1000 employees
  • An average of 3 userIDs and passwords per employee
  • Passwords must be changed four times a year
  • An average burden rate of $50,000 per year ($0.42 per minute) per employee
  • A burden rate of $60,000 per year ($30 per hour) per system administrator and help desk employee
  • An average of 15 minutes per employee each time their passwords are changed
  • An average of 20 minutes per call to the help desk to address password related issues
  • An average of 1.5 calls per employee per year for password related calls to the help desk.

Using these assumptions we calculated the current organizational cost of managing passwords as $101,000 per year.

The next step is to measure how much it will cost the organization to implement SSO stat! and to manage it over time.

 

Calculating the cost of a solution

The cost of a solution includes the cost to:

  • Acquire the solution
    These are one-time costs required to procure a product license or the start-up costs charged by a vendor providing a service.  Licenses may be charged on system or processor basis or on the number of people using the product, or some other basis. Typically, a product includes an initial license plus some ongoing yearly maintenance fee.  Services often have a first year charge or startup fee, followed by an ongoing periodic fee to continue the service.
  • Implement the solution
    These are one-time costs associated with the initial implementation of a project. It includes the cost of the human resources required to plan for and execute the implementation of the project whether it be a product and/or a service.
  • Manage the solution over time
    These are ongoing costs associated with yearly maintenance or support agreements for products or the yearly cost of ongoing services, plus the human resources required to execute processes and procedures associated with the specific security tasks addressed by the solution.

 

Time and Cost Assumptions Associated with the SSO Stat! Service

The numbers used here purely are for the purposes of showing how to calculate the cost of a solution. They do not represent the actual cost based on these assumptions!

The cost of the SSO stat! service includes a base price that covers all aspects of implementation, plus a charge for each user over the first 500.  It also includes a monthly support charge.

In our SSO stat! example we use the following numbers:

  • First year cost of service, based on 1000 users is $5000
  • The amount of “internal” time required to implement the service is estimated at approximately 8 hours of system administrator time.
  • The yearly cost of ongoing support is $3999, or $333 per month.
  • We estimate that your system administrators will spend about 15 hours per year dealing with processes associated with the single sign-on solution.

 

Calculating the Cost of the SSO Stat! Solution

We now have all of the information necessary to calculate the cost of this specific solution.

Understand that managing security is an ongoing process; password management, being one aspect of managing security, is an ongoing process.  Therefore the cost of a solution should be calculated over several years.  In addition, software products are often amortized by accounting over three or five years.  Therefore you should calculate the cost of any solution over at least three years.  Once you’ve calculated the cost for two years, calculating the cost over additional years is trivial.

Calculating the first year costs

The first year cost is the cost to acquire and implement the solution plus the cost to execute the resulting processes and procedures in the first year. In our example this is calculated as follows:

  • Cost to acquire = $5000
  • Cost to implement = 8 administrator hours X $30 per hour
    8  X  $30  =  $240
  • Cost to manage =  (15 administrator hours X $30 hour) + $3999 ongoing support
    ( 15  X $30 )  +  $3999  =  $4449

The total first year cost is calculated as:

$5000  +  $240  + $4449  =  $9689

Calculating Total Cost Over Time

This calculation is usually pretty easy.  First you calculate the cost of managing the solution for each year after the first. For relatively low-cost projects it typically is simply the same cost as the cost to manage for the first year. For larger projects or where higher learning curves are required, the cost to manage may be assumed to decline over time.

In any case, the work you do to determine the first year cost estimates will comprise much of the work required to estimate the costs in subsequent years.

In our example the cost to manage the solution in each subsequent year is the same as in the first year, $4449.

If you are doing an analysis for more than two years, then you multiply the subsequent year cost by (number of years – 1).  In our example we will analyze the cost of the solution over 5 years. Therefore the entire cost of the solution over five years is the first year cost plus the cost of each subsequent year:

$9689  +  ( 4  X  $4449  )  =  $27,485

This is a useful number in and of itself, especially if you compare it to the cost of alternate solutions. But it doesn’t tell you anything about how the solution will affect the overall cost of managing security.

 

Calculating the Effect of a Project on Security Costs

Estimating how a project will affect the cost of managing security for your organization requires knowing:

  • The current cost of the tasks associated with the specific project
  • The cost of the project over time
  • The costs of the tasks associated with the specific project once the project has been implemented.

We have already calculated estimates for the first two items.

Calculating the third can be a bit tricky because you can’t be certain until you actually implement the solution. You’ll have to rely on input from others, your own analysis and perhaps even your gut feel to generate an estimate for this value.  It’s difficult to describe how to generate this estimate because it is very dependent on the types of security tasks the project addresses.

For password elimination projects, I typically use the number of passwords eliminated as a way to arrive at the estimated new cost of managing passwords.  If you eliminate 3 of 4 passwords, then it is reasonable to assume that new cost of managing passwords will be about 75% of the current cost.

In general I estimate the new cost of any security process in terms of the percentage of the original cost.  It’s not perfect by any means, but it does provide a way to calculate the effect of a project on the total cost of managing security. Plus, it makes it easy to recalculate the cost savings based on different estimates.

In our example, we assume that the SSO stat! service eliminates 2 of the 3 passwords (or 66.7% of the passwords) that are currently being managed. One can argue that the cost of managing passwords grows exponentially rather than linearly as you add additional passwords to be managed. Or one can argue that certain specific passwords cost very little to manage.  That’s fine, just adjust the percentage of cost you believe will be eliminated.

Given our assumptions, the new cost of password management for the organization after implementing the SSO stat! service is simply the current cost to manage passwords (as calculated previously) times 33.3%. In other words we estimate that we are eliminating two-thirds of the current cost of managing passwords. Our estimate of the new cost to manage passwords is calculated as:

$101,000  X  33.3%  =  $33,633

The amount of money your organization saves with the implementation of this project in the first year is calculated by subtracting the expected yearly cost of performing the tasks from original yearly cost to perform the tasks:

$101,100  -  $33,633  =  $67,467

Multiply this amount by the number of years over which you want to do your analysis:

5 years  X  $67,467  =  $337,335

These are useful numbers, but you’re not done until you subtract the cost of implementing and managing the solution from the savings over that period of time. This provides the net savings.

Since the first year cost is different than the subsequent year costs, this is a bit more complicated:

$67,467 (year 1 savings)  -  $9689 (first year cost of solution)  =  $57,778 (first year net savings)

$67,467 (subsequent year savings)  -  $4449 (subsequent year cost of solution)  =  $63,018 (subsequent year net savings)

Positive numbers indicate the project will end up saving money (in terms of opportunity cost, not necessarily in terms of real dollars that can be put in the bank).  Negative numbers mean that the project will cost more to implement and manage over time than the money it will save. Depending on the objectives and requirements of the project, negative numbers do not necessarily mean the project is not worthwhile.

Now multiply the subsequent year net savings by (total number of years of analysis – 1). This gives you the total net savings over the subsequent years. In our case we are using 5 years, so that gives:

$63,018  X  ( 5  -  1 )  =  $252,072

Finally, add the net savings for the first and subsequent years to get the net savings over the time period:

$57,778 (first year net savings)  +  $252,072 (subsequent year net savings) =  $309,850

 

Calculating Return on Investment

Another very useful calculation is return on investment (ROI). For our purposes, this calculation compares savings with the amount of money you spend to achieve those savings.  A positive ROI greater than 1 indicates that the entire cost is returned plus additional savings.  A negative ROI means that the benefits the company receives are worth less than the cost of attaining them.

ROI is calculated by dividing the net savings by the cost of the project. It is often useful to calculate ROI in the first year and over the time period of analysis.  These calculations are:

1 year ROI  =  $57,778  /  $9,689  =  5.96

5 year ROI  =  $309,850  /  $27,485 =  11.27
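The procedure from the last three sections (yearly solution cost, savings, net savings and ROI) as one added Python model; this is not code from the original post or from the Botz & Associates ROI Utility. It takes the post's inputs but uses an exact one-third remaining cost instead of the rounded 33.3%, so its savings and ROI differ slightly from the figures above; the break-even function is an addition that shows how small a cost reduction would still pay for the solution.

```python
from dataclasses import dataclass


@dataclass
class SolutionCost:
    """Cost of a security solution, split the way the post splits it."""
    acquire: float            # one-time acquisition cost (license or start-up fee)
    implement_hours: float    # one-time internal admin hours to implement
    manage_hours: float       # internal admin hours per year to run the new processes
    support_per_year: float   # ongoing vendor support/maintenance fee per year
    admin_rate: float = 30.0  # burden rate per administrator hour ($30 in the post)

    def subsequent_year(self) -> float:
        # Cost to manage the solution in each year after the first.
        return self.manage_hours * self.admin_rate + self.support_per_year

    def first_year(self) -> float:
        # Acquire + implement + manage for year one.
        return (self.acquire + self.implement_hours * self.admin_rate
                + self.subsequent_year())

    def total(self, years: int) -> float:
        return self.first_year() + (years - 1) * self.subsequent_year()


@dataclass
class ProjectAnalysis:
    current_task_cost: float   # yearly cost of the tasks today (Part 1's $101,000)
    remaining_fraction: float  # share of that cost that remains after the project
    solution: SolutionCost

    def yearly_savings(self) -> float:
        return self.current_task_cost * (1 - self.remaining_fraction)

    def net_savings(self, years: int) -> float:
        # The first year carries the one-time costs; later years only the ongoing ones.
        first = self.yearly_savings() - self.solution.first_year()
        later = self.yearly_savings() - self.solution.subsequent_year()
        return first + (years - 1) * later

    def roi(self, years: int) -> float:
        return self.net_savings(years) / self.solution.total(years)

    def break_even_elimination(self, years: int) -> float:
        # Fraction of the current task cost that must be eliminated for the
        # project to pay for itself over the period (net savings == 0).
        return self.solution.total(years) / (years * self.current_task_cost)


# Constructed from the post's SSO stat! assumptions: 2 of 3 passwords eliminated.
SSO_STAT = ProjectAnalysis(
    current_task_cost=101_000,
    remaining_fraction=1 / 3,
    solution=SolutionCost(acquire=5000, implement_hours=8,
                          manage_hours=15, support_per_year=3999),
)

if __name__ == "__main__":
    for years in (1, 5):
        print(f"{years}-year cost ${SSO_STAT.solution.total(years):,.0f}, "
              f"net savings ${SSO_STAT.net_savings(years):,.0f}, "
              f"ROI {SSO_STAT.roi(years):.2f}")
    print(f"break-even elimination over 5 years: "
          f"{SSO_STAT.break_even_elimination(5):.1%}")
```

Changing `remaining_fraction` or any `SolutionCost` field and re-running is the "tweak the estimates" step the post describes; over five years the service breaks even once roughly 5.4% of the current password-management cost is eliminated.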

 

Using Cost, Savings and ROI Numbers

These numbers tell you a great deal about your project.

First, they help you prioritize projects. In our example, the company will save nearly six (6) times more in opportunity cost than it will spend to achieve those savings in the first year alone. It will save the company over 11 times as much as it costs to attain those savings over five years! If there aren’t other projects deemed higher priority for non-monetary reasons, or projects that will have even greater savings, then this one makes a ton of business sense to fund and implement.

ROI is also a good way to compare different solutions for the same problem. Different solutions are likely to have different cost and savings characteristics. One might cost more to implement and manage, but provide higher net savings or vice versa. Therefore, comparing solutions based only on cost or savings may not give you as accurate a picture.  ROI lets you truly compare apples to apples.

These numbers are also useful when you have a project near and dear to your heart.  Providing this data will likely help you sell your project; especially over a project which hasn’t bothered to provide the data required to make a rational business decision.

 

Summary

Knowing what it costs your organization to perform a security-related function like password management, for example, makes it much easier to determine if it makes sense to invest money to reduce that cost.  Taking the time to derive an estimate of how much it will cost to implement a proposed solution and to estimate the savings as a result of implementing that proposed solution will help you and your management team make a rational business decision for going forward — or not — with that solution.  This information is also very useful when you are considering more than one solution for a given security function.

If your project happens to be password management, Botz & Associates provides a free ROI Utility download that does all of the calculations for you!  All you have to do is fill in the estimates for your organization.  Once you provide your estimates you can easily tweak them and all the assumptions you made to see how they affect the bottom line. I often will increase or decrease various estimates to account for items that don’t have a specific line to include in the estimates. If you want to try out the calculator (whether or not you have a specific solution in mind) and you would like me to help you walk through it, give us a call, email, or send a “Contact Us” message. I’m happy to help!

 

This entry was posted in IBM i Security, Info Security Mgmt, Information Security, Single Sign-On (SSO).