A cost-benefit analysis (CBA) helps determine whether a countermeasure should be used. If the benefits of a countermeasure exceed its cost, the countermeasure provides benefits; if the benefits are less than its cost, the countermeasure does not provide benefits.
If two possible countermeasures that will mitigate the same risk are available, two CBAs can be completed to determine which one provides the better benefits. That countermeasure can then be implemented.
If the turnaround between approval of the risk assessment and the start of the mitigation plan is quick, this step is less important. The risk assessment would have identified the risk elements and recommended steps to mitigate them. Management then approves these steps.
When performing a CBA, the starting point is to identify the losses that are expected without the countermeasure in place and the losses that are expected after the countermeasure has been implemented. This calculation determines the projected benefits. The formula is:
Loss before countermeasure − Loss after countermeasure = Projected benefits
Next, the cost of the countermeasure is identified. The formula is:
Projected benefits − Cost of countermeasure = Countermeasure value
One way to prevent SQL injection attacks is to use stored procedures to validate input. A stored procedure is a type of script or mini program used within a database application. Instead of using data entered by users directly, data is passed to a stored procedure. The stored procedure validates the data before using it. The stored procedure rejects invalid data commonly used in an SQL injection attack.
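The validate-then-use pattern described above, as an added example that is not part of the original text. SQLite has no stored procedures, so a Python function (`validate_username`, an assumed name) stands in for the validation step a stored procedure would perform on its input parameter, and the lookup binds the value as a query parameter so the database engine treats it as data rather than SQL. The table contents are constructed sample data.

```python
import re
import sqlite3

# Allowlist for account names: letters, digits, dot, underscore, hyphen; 1 to 32 characters.
# Quotes, semicolons, comment markers and whitespace all fall outside it and are rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def validate_username(value: str) -> str:
    """Stand-in for the input validation a stored procedure performs before using a parameter.
    Raises ValueError for anything outside the allowlist instead of passing it to the query."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("rejected: username contains characters outside the allowlist")
    return value


def open_sample_db() -> sqlite3.Connection:
    """Constructed in-memory sample database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "auditor")],
    )
    conn.commit()
    return conn


def lookup_role(conn: sqlite3.Connection, username: str):
    """Validate first, then bind the value as a parameter. The SQL text never changes,
    so the database cannot interpret any part of the user-supplied value as a command."""
    username = validate_username(username)
    row = conn.execute(
        "SELECT role FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def safe_lookup(conn: sqlite3.Connection, username: str) -> str:
    """Caller-facing wrapper: reports a rejection as a value so it can be logged and counted,
    which is what a monitoring team wants to see when malformed input starts arriving."""
    try:
        role = lookup_role(conn, username)
    except ValueError:
        return "REJECTED"
    return role if role is not None else "NOT_FOUND"


if __name__ == "__main__":
    db = open_sample_db()
    for candidate in ["alice", "zed", "o'brien", "a;b"]:
        print(f"{candidate!r:12} -> {safe_lookup(db, candidate)}")
```

Rejections are returned as a distinct value rather than silently mapped to "not found" so that a spike in rejected input is visible in application logs; the allowlist is deliberately strict, and a site whose account names legitimately contain apostrophes would widen it while still relying on parameter binding for safety.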
If the result is a positive value, the countermeasure provides cost benefits; if the cost of the countermeasure is more than the benefits, it does not. If the two values are close to each other, the return on investment (ROI) can be calculated. An ROI calculates the countermeasure’s value over its lifetime.
The most important part of this process is identifying the costs and benefits. The goal is to identify both tangible and intangible values. If the costs and benefits are not accurately identified, the CBA loses its value and may need to be redone.
A significant amount of time might be needed to complete an accurate CBA. Because of this time requirement, a CBA would not be performed on every possible recommended countermeasure. For example, if a skilled administrator can write a script to mitigate a risk, the countermeasure has almost zero cost. Therefore, performing a CBA wouldn’t be necessary. On the other hand, a failover cluster can be very expensive because servers must be added, which can require added facility costs to accommodate them.
CBA reports can be presented in any number of formats. However, creating the CBAs consistently, especially within the same project, is valuable. For example, two CBAs may need to be created for two countermeasures that will mitigate the same risk. The managers don’t want to purchase both countermeasures, so they determine which countermeasure will provide the greater benefit. If both CBAs are completed using the same methods and format, comparing the two and choosing the more valuable control is easier.
The following elements are commonly included in any CBA report for a countermeasure:
A quantitative risk assessment includes an estimate of the annual loss expectancy (ALE) due to a risk. The ALE can be used as the “loss before countermeasure.”
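The two CBA formulas, the ROI tie-break and the use of ALE as the "loss before countermeasure", carried through in code as an added example that is not part of the original text. The `Countermeasure` record, the split of cost into a one-time and a recurring part, the 10% "close values" threshold and all monetary figures are assumptions constructed for the illustration; the ALE formula (single loss expectancy times annualized rate of occurrence) is the standard quantitative one.

```python
from dataclasses import dataclass


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = single loss expectancy x annualized rate of occurrence (standard formula)."""
    return sle * aro


def projected_benefits(loss_before: float, loss_after: float) -> float:
    """Loss before countermeasure - Loss after countermeasure = Projected benefits."""
    return loss_before - loss_after


def countermeasure_value(benefits: float, cost: float) -> float:
    """Projected benefits - Cost of countermeasure = Countermeasure value."""
    return benefits - cost


@dataclass(frozen=True)
class Countermeasure:
    name: str
    loss_after: float     # expected annual loss once the control is in place
    initial_cost: float   # one-time purchase / deployment cost (assumed split)
    annual_cost: float    # recurring cost: maintenance, licences, staff time
    lifetime_years: int   # how long the control is expected to stay in service

    def first_year_cost(self) -> float:
        return self.initial_cost + self.annual_cost

    def lifetime_cost(self) -> float:
        return self.initial_cost + self.annual_cost * self.lifetime_years


def first_year_value(cm: Countermeasure, loss_before: float) -> float:
    """The page's two formulas applied to one year of benefit and one year of cost."""
    benefits = projected_benefits(loss_before, cm.loss_after)
    return countermeasure_value(benefits, cm.first_year_cost())


def lifetime_roi(cm: Countermeasure, loss_before: float) -> float:
    """ROI over the control's lifetime: (total benefits - total cost) / total cost.
    A control that costs nothing (an administrator's script) has unbounded ROI,
    which is why the text says such controls do not need a CBA at all."""
    total_benefits = projected_benefits(loss_before, cm.loss_after) * cm.lifetime_years
    total_cost = cm.lifetime_cost()
    if total_cost == 0:
        return float("inf")
    return (total_benefits - total_cost) / total_cost


def choose_countermeasure(loss_before: float, candidates: list[Countermeasure],
                          close_fraction: float = 0.10) -> Countermeasure:
    """Rank candidates by first-year value; when the top two are within
    close_fraction of each other, fall back to ROI over the lifetime."""
    ranked = sorted(candidates, key=lambda cm: first_year_value(cm, loss_before), reverse=True)
    if len(ranked) == 1:
        return ranked[0]
    best, runner_up = ranked[0], ranked[1]
    v_best = first_year_value(best, loss_before)
    v_next = first_year_value(runner_up, loss_before)
    if abs(v_best - v_next) <= close_fraction * max(abs(v_best), 1.0):
        return max((best, runner_up), key=lambda cm: lifetime_roi(cm, loss_before))
    return best


# Constructed scenario: a risk assessment estimated SLE 50,000 with two occurrences a year.
ALE_BEFORE = annual_loss_expectancy(50_000, 2)                     # 100,000 per year
CM_A = Countermeasure("A", loss_after=20_000, initial_cost=20_000, annual_cost=10_000, lifetime_years=3)
CM_B = Countermeasure("B", loss_after=5_000, initial_cost=80_000, annual_cost=10_000, lifetime_years=3)
CM_C = Countermeasure("C", loss_after=25_000, initial_cost=29_000, annual_cost=0, lifetime_years=5)
CM_SCRIPT = Countermeasure("script", loss_after=60_000, initial_cost=0, annual_cost=0, lifetime_years=1)


if __name__ == "__main__":
    for cm in (CM_A, CM_B, CM_C, CM_SCRIPT):
        print(f"{cm.name:7} value={first_year_value(cm, ALE_BEFORE):>9,.0f} "
              f"lifetime ROI={lifetime_roi(cm, ALE_BEFORE):.2f}")
    print("A vs B ->", choose_countermeasure(ALE_BEFORE, [CM_A, CM_B]).name)
    print("A vs C ->", choose_countermeasure(ALE_BEFORE, [CM_A, CM_C]).name)
```

Keeping every candidate in the same record shape and running them through the same functions is the "consistent format" point made above: A wins against B outright on first-year value, while A and C land within the closeness threshold and the decision falls to lifetime ROI, where C's longer service life and absence of recurring cost win.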