How to calculate the cost of a new security control

Mike Mullins

Published: 17 Jul 2006 16:20 BST


When it comes to identifying, assessing and managing security risks to networks and infrastructures, most organisations have adopted a risk-management approach. The steps of this method are fairly straightforward and generally lead to either acceptance of the risk or implementation of a new security control.

Of course, when the solution is a new security control, there's almost always a cost involved. However, the level of detail necessary to estimate costs for each identified security control can be confusing to someone who does not have an accountant.

Let's take the mystery out of this phase of risk management. We'll detail the areas you should consider for a new security control and look at how to aggregate that into a solution cost that the financial stakeholders of your enterprise can understand.

Acquisition
This involves the cost of the hardware, software, and/or services necessary to implement the new security control. Some controls may involve turning on a feature you already own; others may require purchasing new equipment and software — or even hiring an outside organisation to perform the function for your company.

Implementation
This is the cost of your staff's time or the cost of hiring a consultant who will install and configure the new security control. When estimating this cost, don't overlook the design, testing and deployment of the new control.

Daily
This involves estimating the ongoing cost of management, monitoring and maintenance of the security control. If a control is going to need staff to continuously monitor its performance, this is where you need to specify the additional human resources. In addition, this is where you should include annual licensing fees if applicable.

Publication
If implementation of the new control will result in a change of procedures or policy, you need to calculate the cost of distributing that change to the workforce. This can range from printed banners and leaflets (which require designing, printing, and mailing) to a simple, no-cost email about a policy change.

Training
This entails the cost associated with training current staff and users. For example, if you're implementing a VPN gateway for remote users, you'll need to train staff on the operation, monitoring and management of this gateway. In addition, you'll need to train users on how to create and use a connection when they're in a remote location.

Productivity
Almost all security controls will affect either users' or administrators' productivity in some way or another. Extra — or fewer — steps involved in completing a daily task will affect productivity, and you need to document that from the beginning.

Verification
You should never install a security control and then forget it. If you've ever run a penetration test, you've verified and audited a security control. Estimate the cost of annual or quarterly audit activities to measure the effectiveness of the control.
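
The aggregation described above, as an added example that is not part of the original article: a small Python cost model that splits each of the seven areas into one-off and recurring spend and totals them over a planning period. All figures, hourly rates, the 230 working days per year and the function names are constructed assumptions, loosely following the article's VPN gateway example.

```python
from dataclasses import dataclass

WORK_DAYS = 230  # assumption: working days per user per year


@dataclass
class CostLine:
    area: str              # one of the seven areas named in the article
    one_off: float = 0.0   # spent once, at rollout
    annual: float = 0.0    # recurs each year the control stays in service


def labour(hours, rate):
    """Staff or consultant time converted to money."""
    return hours * rate


def productivity(users, minutes_per_day, rate, days=WORK_DAYS):
    """Annual cost of extra minutes per user per day (negative = time saved)."""
    return users * minutes_per_day / 60 * days * rate


def vpn_gateway():
    """Constructed figures for a VPN gateway serving 150 remote users."""
    return [
        CostLine("Acquisition", one_off=12000),                  # appliance, licences
        CostLine("Implementation", one_off=labour(80, 60)),      # design, test, deploy
        CostLine("Daily", annual=labour(2 * 52, 60) + 1800),     # 2 h/week + licence fee
        CostLine("Publication", one_off=500),                    # leaflets, policy notice
        CostLine("Training", one_off=labour(16, 60) + labour(150 * 0.5, 40)),
        CostLine("Productivity", annual=productivity(150, 1, 40)),  # 1 extra min/day
        CostLine("Verification", annual=4 * 1500),               # quarterly audit
    ]


def summarise(lines, years):
    """Aggregate the cost lines into the figures a budget holder asks for."""
    one_off = sum(l.one_off for l in lines)
    annual = sum(l.annual for l in lines)
    by_area = {l.area: l.one_off + l.annual * years for l in lines}
    return {"one_off": one_off, "annual": annual, "first_year": one_off + annual,
            "total": one_off + annual * years, "by_area": by_area,
            "largest": max(by_area, key=by_area.get)}


if __name__ == "__main__":
    s = summarise(vpn_gateway(), years=3)
    for area, cost in s["by_area"].items():
        print(f"{area:<15}{cost:>10,.0f}")
    print(f"one-off {s['one_off']:,.0f}  annual {s['annual']:,.0f}  3-year {s['total']:,.0f}")
```

With these constructed numbers, one extra minute per user per day outweighs the hardware purchase over three years, which is why the productivity estimate needs documenting from the beginning.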

Final thoughts
During the cost-to-benefit portion of your risk analysis, make sure to measure the values and costs of the new security control in each of these areas. By accurately capturing the cost of a control, you can give management the information it needs to make financial decisions when it comes to the security of your network.

Mike Mullins has served as an assistant network administrator and a network security administrator for the US Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

 
