Evaluating the Total Cost of Ownership for Protecting Web Applications
WhiteHat Security
Introduction
Over the past few years, both the sophistication of IT security threats and the number of breaches and thefts have escalated, and with more data, applications, IP, and other assets coming online every day, those risk exposures are only increasing. In virtually every industry, nearly every organization faces substantial risks involving lost trust of customers and investors resulting from security breaches. And, while the indirect costs are difficult to measure (though they are inarguably meaningful), the direct costs are painfully easy to see. Consider just two cases that resulted in sizeable monetary losses:
§ Idaho State University recently settled a suit with the U.S. Department of Health and Human Services for $400,000 after the personal information of 17,500 patients was breached.[1]
§ Schnuck Markets could face up to $80 million in losses due to a payment card breach.[2]
Unfortunately, these aren’t isolated examples—and the causes are many. According to DatalossDB.org, 37 percent of all data breaches arise from hacking, Web application exposure, or misconfiguration.[3] Since many sites are data-driven, this is an obvious entry point for attackers and an insufficiently covered area of corporate risk. “The Post Breach Boom” from the Ponemon Institute supports this: 42 percent of malicious incidents involved applications and 45 percent of losses due to malicious attacks ended up costing organizations an average of more than $500,000.[4]
Given these unprecedented exposures and the potential for large monetary losses, organizations must quantify the financial impact of security risks and data breaches, and weigh it against the total cost of the Web application security tools and services that can prevent or mitigate them.
This white paper breaks down the total cost of Web application security in specific risk categories associated with successful attacks. It will also discuss the costs to protect websites, resulting in a TCO model that can help to quantify the costs of Web application security compared to the costs of data breaches.
Understanding the sources of web application security costs
The cost of data breach prevention, and of Web application security overall, falls into three major categories.
1. Systems costs, which take two forms:
– Recurring annual subscriptions. If a Software-as-a-Service (SaaS) security offering is in place and used by the security team, its yearly subscription expense is a factor in the model.
– On-premises systems. Depending on the types of Web application security controls and tools, your organization can incur costs for hardware to run those tools and platforms, installed software, and many other associated costs, such as operating system licenses, network components, and more.
2. Services costs, which consist of the labor involved in deploying, learning, managing, and maintaining security tools and controls, as well as the labor required to respond to a security incident. This can include consultants, managed security services, or internal team members.
3. Breach impact, a line item that has traditionally been very difficult to measure. You can kick off the risk evaluation process by using statistics and data from industry reports and surveys to make a reasonably educated guess. In the beginning, this will, by necessity, rely on industry benchmarks and reports. Over time, that can be gradually complemented (and eventually replaced) by more accurate, experiential data if your organization encounters a
While the first cost category is essentially the cost of software (SaaS or on-premises), the second and third cost categories are strongly impacted by a Web application security solution’s ability to eliminate false positives and false negatives, respectively.
False positives happen when tools generate alerts that are not associated with true vulnerabilities. For instance, if the software creates an alert for an older Web server platform that has already been patched and is no longer vulnerable, that alert is not valuable. A large volume of false positives can significantly increase avoidable costs through unnecessary scan reviews. Too often, these avoidable review costs are overlooked.
False negatives can be much more destructive and significantly more costly. In these instances, a legitimate vulnerability or deficiency is not detected by the assessment tool(s) and is not reported to analysts. False negatives increase the costs of breaches since important vulnerabilities are overlooked, leading to higher likelihood of a security compromise for a longer period of time.
In addition to eliminating false negatives with continuous assessments, scanning technology can also reduce expected breach costs by ensuring that any window of vulnerability is minimized by more frequent monitoring and earlier detection.
Calculating the cost of successful attacks
When estimating the costs associated with a successful attack, consider the frequency of attacks and the likelihood of penetration (which will vary for every organization). Data from secure-hosting provider Firehost suggests that any given website could experience between 15,000 and 100,000 or more Web application attacks per year.[5] According to Verizon Data Breach Investigation Reports (DBIR) from 2009-2012, the average company experiences five to six breaches annually.[6] To break down the cost of a successful attack, consider these specific items:
Revenue loss. Certain types of data breaches may result in direct monetary losses, such as exposing credit card numbers or having banking accounts directly manipulated. Another source of revenue loss may be a drop in ecommerce revenue due to declining customer confidence in the affected organization.
Number of impacted records. The number of impacted records may affect the total breach cost, starting with the time required to conduct an internal investigation and communicate with affected parties. Certain thresholds can also lead to different legal and regulatory penalties.
Cost per data record. Some types of sensitive data may carry a specific cost to recover or replace, such as credit card replacement costs and credit monitoring services for affected consumers.
Legal costs and fines. Certain breaches incur specific regulatory and industry compliance fines and charges, ranging from one-time penalties to additional costs for standard business processing. For instance, you might see additional “per-transaction” costs for handling payment card data after a breach. Other fines and penalties may result from lawsuits or other legal actions.
Brand damage. While the costs associated with damage to the brand are difficult to calculate, they certainly exist, especially in industries that rely heavily on ongoing consumer trust in the safeguarding of sensitive data.
In addition, even failed attacks incur costs, primarily related to investigation and the controls that prevent the attacks from succeeding.
The four categories for calculating the cost of protection
In addition to the cost of attacks, controls and tools for assessment, prevention, and response carry their own costs as well.
1. Protective tools and services costs
2. Operating costs
3. Direct services costs
4. Internal labor costs
1. Protective tools and services
Hardware: Servers and dedicated platforms or appliances running security products
Software: The cost of security software
Services: Can include both consulting services and the professional services associated with implementing a specific control or product
Administrative overhead: Includes the time required to implement a product or service internally, as well as the daily time involved in managing and administering products
2. Longer-term operating costs
Hardware and software maintenance: Include annual maintenance contracts as part of the total cost breakdown
Hosting services: Depending on the security solution, hosting costs may need to be factored in if the organization hosts assets in a colocation center or with a cloud provider. The addition of security platforms and software creates higher hosting charges.
3. Direct services costs
Consultants: Consulting services for vulnerability assessments and penetration tests can factor into the overall yearly cost for application protection
Managed services: Managed-services providers charge an annual fee for application protection. Some vendors offer application scanning both as in-house hardware and software and as managed services for appliances
Dynamic Application Security Testing (DAST): Commonly implemented as Software as a Service (SaaS), DAST tools scan applications, assess them for flaws, and can even integrate with code-scanning tools
4. Internal labor costs
Vulnerability assessment: This is usually the information security team, with some involvement from the development team
Developing a TCO model
The following worksheet shows how to calculate TCO across a number of different scenarios.
Calculate direct breach costs
First, calculate the direct breach costs based on the number of annual attacks, the number of annual breaches, the number of records per breach, and the average cost per record. As noted earlier, these estimates are based on industry statistics and available figures:
Table 1. Vulnerability assumptions and direct breach cost by scenario

Vulnerability assumptions              | Baseline | Cloud-DAST | No protection | In-house scanning | Commercial scanning | Managed services | Consultants | DAST
Web application attacks (annual)       | 25,000   | 25,000     | 25,000        | 25,000            | 25,000              | 25,000           | 25,000      | 25,000
Expected breaches (annual), calculated | -        | 1          | 10            | 7                 | 9                   | 5                | 8           | 7
Percent of penetration                 | -        | 0.004%     | 0.040%        | 0.028%            | 0.036%              | 0.020%           | 0.032%      | 0.028%
Average customer records per breach    | 5,000    | 5,000      | 5,000         | 5,000             | 5,000               | 5,000            | 5,000       | 5,000
Average cost per record                | $25      | $25        | $25           | $25               | $25                 | $25              | $25         | $25
Direct cost of breach                  | -        | $125,000   | $1,250,000    | $875,000          | $1,125,000          | $625,000         | $1,000,000  | $875,000

Determine loss of revenue
Next, determine the total revenue loss from a breach based on the overall impact to the business (calculated or estimated). In this case, we’ve estimated a weekly loss of $100,000 for two weeks, for a total of $200,000 per breach.
Estimate indirect breach costs
Finally, we’ve estimated the variety of indirect costs associated with a breach:
§ Security consultants: 20 hours per assessment at $250/hour
§ Managed services: 15 hours per assessment at $350/hour
§ Cost of false positives: 25 hours each at $100/hour
§ Legal costs: 80 hours at $250/hour
§ Public relations to handle breach scenario: 65 hours at $85/hour
§ Approximately $300,000 in legal and compliance fines per breach
§ 10 applications assessed six times annually
In total, the indirect costs came to $325,525 per breach.
Tally the full cost of breaches
With the direct costs estimated in Table 1, a per-breach revenue loss of $200,000, and indirect costs of $325,525 per breach, the total losses come to the following:
Table 2. Total annual losses by scenario

ROI factors                  | Cloud-DAST | No protection | In-house scanners | Commercial scanners | Managed services | Consultants | DAST
Indirect breach costs        | $325,525   | $3,255,250    | $2,278,675        | $2,929,725          | $1,627,625       | $2,604,200  | $2,278,675
Revenue loss                 | $200,000   | $2,000,000    | $1,400,000        | $1,800,000          | $1,000,000       | $1,600,000  | $1,400,000
Direct breach cost (Table 1) | $125,000   | $1,250,000    | $875,000          | $1,125,000          | $625,000         | $1,000,000  | $875,000
Total annual losses          | $650,525   | $6,505,250    | $4,553,675        | $5,854,725          | $3,252,625       | $5,204,200  | $4,553,675
Factor the cost of protection
We must finally factor in the cost of protection. In Table 3 the various models are broken down by costs that will be incurred, ranging from hardware and software in some models to internal labor costs for performing scans and remediation. The final results of this are shown in the next table:
Table 3. Annual cost of protection by scenario

ROI factors                        | Cloud-DAST | No protection | In-house scanners | Commercial scanners | Managed services | Consultants | DAST
Direct acquisition costs           |            |               |                   |                     |                  |             |
  Hardware                         |            |               | $20,000           | $20,000             | $20,000          | $20,000     |
  Software                         |            |               | $20,000           | $27,448             | $169,330         | $20,000     | $932,000
  Implementation services          |            |               |                   |                     |                  |             |
  Admin. overhead                  |            |               |                   |                     |                  |             |
Direct operating costs             |            |               |                   |                     |                  |             |
  Hardware maint.                  |            |               | $4,000            | $4,000              | $4,000           |             |
  Software maintenance/support     | $30,000    |               | $4,000            | $5,490              | $33,866          |             | $69,067
  Hosting services                 |            |               |                   |                     |                  |             |
Direct services costs              |            |               |                   |                     |                  |             |
  Service expense                  |            |               |                   |                     |                  | $300,000    |
  Managed services                 |            |               |                   |                     | $315,000         |             |
  DAST assessment subscription     | $200,000   |               |                   |                     |                  |             | $110,000
Internal labor costs               |            |               |                   |                     |                  |             |
  Vulnerability assessments/review |            |               | $150,000          | $150,000            |                  |             |
  Vulnerability repair             | $2,500     |               | $17,500           | $22,500             | $12,500          | $20,000     | $17,500
Annual system cost                 | $30,000    | $0            | $48,000           | $56,937             | $227,196         | $40,000     | $1,001,067
Annual services cost               | $2,500     | $0            | $167,500          | $172,500            | $327,500         | $320,000    | $17,500
Subscription cost                  | $200,000   | $0            | $0                | $0                  | $0               | $0          | $110,000
Total annual cost                  | $232,500   | $0            | $188,833          | $197,805            | $428,476         | $333,333    | $507,233
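The worksheet above as a runnable model, added here as an example rather than the paper's own spreadsheet. The scenario inputs are those printed in Tables 1 to 3; the three-year straight-line amortization of hardware and software acquisition in the final total is an assumption inferred from the printed figures (the paper does not state the period), and the Commercial scanning total lands within $1 of the paper's because its software figures are rounded.

```python
ATTACKS = 25_000                    # Web application attacks per year
RECORDS_PER_BREACH = 5_000
COST_PER_RECORD = 25
REVENUE_LOSS_PER_BREACH = 200_000   # $100,000 per week for two weeks
# Indirect costs charged per breach: legal 80 h at $250, PR 65 h at $85,
# about $300,000 in legal and compliance fines (sums to $325,525).
INDIRECT_PER_BREACH = 80 * 250 + 65 * 85 + 300_000
# ASSUMPTION (not stated in the paper): hardware/software acquisition is
# spread over three years; this reproduces the printed "Total annual cost".
AMORTIZATION_YEARS = 3
# Table 3 inputs per scenario: (breaches, acquisition, maintenance,
# direct services, internal labor, subscription), dollars per year
SCENARIOS = {
    "Cloud-DAST":          (1,        0,  30_000,       0,   2_500, 200_000),
    "No protection":       (10,       0,       0,       0,       0,       0),
    "In-house scanning":   (7,   40_000,   8_000,       0, 167_500,       0),
    "Commercial scanning": (9,   47_448,   9_490,       0, 172_500,       0),
    "Managed services":    (5,  189_330,  37_866, 315_000,  12_500,       0),
    "Consultants":         (8,   40_000,       0, 300_000,  20_000,       0),
    "DAST":                (7,  932_000,  69_067,       0,  17_500, 110_000),
}

def breach_losses(breaches):
    """Tables 1 and 2: annual losses implied by the expected breach count."""
    direct = breaches * RECORDS_PER_BREACH * COST_PER_RECORD
    revenue = breaches * REVENUE_LOSS_PER_BREACH
    indirect = breaches * INDIRECT_PER_BREACH
    return {"penetration_pct": 100.0 * breaches / ATTACKS, "direct": direct,
            "revenue": revenue, "indirect": indirect,
            "total": direct + revenue + indirect}

def protection_cost(acquisition, maintenance, services, labor, subscription):
    """Table 3: annual cost of one protection model."""
    return {"system": acquisition + maintenance,      # undiscounted row
            "services": services + labor, "subscription": subscription,
            "total": int(acquisition / AMORTIZATION_YEARS + maintenance
                         + services + labor + subscription)}

def tco(name):
    """Expected losses plus protection spend for one scenario."""
    breaches, *cost_inputs = SCENARIOS[name]
    losses, protection = breach_losses(breaches), protection_cost(*cost_inputs)
    return {"losses": losses["total"], "protection": protection["total"],
            "tco": losses["total"] + protection["total"]}

def rank_scenarios():
    """Scenarios from lowest to highest total annual cost of ownership."""
    return sorted(((n, tco(n)["tco"]) for n in SCENARIOS), key=lambda t: t[1])
```

Swap in your own attack volume, breach count, record cost and acquisition figures to rerun the comparison for your environment.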
WhiteHat Security is the leading provider of application risk assessment and management services that enable customers to protect critical data, ensure compliance, and narrow windows of risk. By providing accurate, complete, and cost-effective application vulnerability assessments as a software-as-a-service, we deliver the visibility, flexibility, and guidance that organizations need to prevent web attacks.
Deloitte, SC Magazine, the San Jose/Silicon Valley Business Journal, Gartner and the American Business Awards have all recognized WhiteHat Security for our remarkable innovations, executive leadership and our ability to execute in the application security market.
Figure 1. TCO broken into individual cost components
Conclusion
While many organizations struggle to calculate the TCO of Web application security, you can accurately determine the financial impact. The model presented here illustrates some advantages to selecting solutions that work in a SaaS model, alleviating the costs of hardware and software acquisition, maintenance, and much of the labor cost.
While the estimated breach numbers will vary—the numbers used in this white paper are estimates, to be sure— you can determine the total losses and costs within a reasonable margin. As you consider the likelihood of future breach scenarios, calculate your own total cost of Web application security using a TCO framework such as the one presented here.
[1] http://www.scmagazine.com//idaho-state-university-to-pay-hhs-400k-after-investigation-reveals-shoddy-security/article/294679/#
[2] http://thesouthern.com/news/hack-on-schnucks-could-cost-chain-m-in-illinois/article_073d9b3c-c364-11e2-8f22-001a4bcf887a.html
[3] http://datalossdb.org/statistics
[4] http://www.ponemon.org/blog/the-post-breach-boom
[5] “Dangerous Cross-Site Request Forgery Attacks Up 132 Percent Since Q1 2012”, Firehost, April 23, 2013
[6] http://www.verizonenterprise.com/DBIR/2013/ (and data from years 2009-2012)