Cost-Benefit Analysis for Anti-Malware Protection (AMP)

I recently wrote about key economic considerations for AMP. With those in mind, it is time to evaluate your existing anti-malware program and determine whether you should consider augmenting or otherwise addressing it.

The first stage of this process is to understand the costs and benefits of your existing program. This is a 4-step process:

  1. Determine the probability and (economic) impact of being compromised by malware. This is the overall risk an organization is trying to address with anti-malware solutions.
  2. Collect the total cost of ownership of *all* of your anti-malware solutions.
  3. Estimate the amount of risk reduced by the current anti-malware solutions in the IT environment.
  4. Compare the amount of risk reduced in step 3 to the total cost of ownership in step 2. A simple comparison should show higher benefits than costs (if not, you are doing it wrong). More advanced comparisons (division!) can provide your “risk reduced per unit cost” for your current anti-malware program.

These four steps are notionally simple but TechRisk professionals will recognize that any non-trivial environment will have challenges developing some of the estimates. It may be worth perusing my website or contacting me directly to discuss some useful ways to do this.

Once the assessment of the current situation is complete, it is time to review both the TCO information and the remaining (or “residual”) risk to determine if it is worthwhile to modify the program in any way. Given that there are existing costs to work with, a new solution may provide opportunities to reduce the existing TCO along with the ultimate objective to reduce the residual risk.

To evaluate the value of new solutions, it is beneficial to delve a little deeper into costs and the amount of risk reduced. This is especially true since many solutions shift costs from operating expenses to a capital investment.

Taking a page out of the “activity-based costing” book can help an organization evaluate its cost structure more effectively. To do this, an organization should allocate its costs to a set of identified anti-malware activities. A new solution may help lower these costs by, for example, reducing the number of infections that must be cleaned over time.

On the risk side, new solutions may reduce the likelihood of an infection or incident by identifying more malware prior to infection. They also may provide a means to reduce the impact of an infection by lowering the response and recovery costs or addressing some other aspect of loss.
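To make the four-step assessment and the evaluation of a new solution concrete, here is a small calculator that carries both through with activity-based cost buckets and amortised capital spend. It is an added example, not Spire Security's model, and every figure in it (probabilities, impacts, cost buckets, the three-year amortisation) is a constructed placeholder.

```python
from dataclasses import dataclass, field

@dataclass
class Program:
    """One anti-malware program (current or proposed) with its step 1 and 2 inputs."""
    name: str
    p_compromise: float          # annual probability of a malware compromise
    impact: float                # economic impact of one compromise
    activity_costs: dict = field(default_factory=dict)  # annual opex by activity
    capex: float = 0.0           # one-time capital investment
    capex_years: int = 1         # years over which the capex is amortised

    def annual_tco(self) -> float:
        """Step 2: total cost of ownership, with capex spread over its life."""
        return sum(self.activity_costs.values()) + self.capex / self.capex_years

def expected_loss(p: float, impact: float) -> float:
    """Step 1: annualised expected loss = probability x impact."""
    return p * impact

def risk_reduced(baseline_loss: float, prog: Program) -> float:
    """Step 3: risk removed = loss with no controls minus residual loss."""
    return baseline_loss - expected_loss(prog.p_compromise, prog.impact)

def risk_reduced_per_unit_cost(baseline_loss: float, prog: Program) -> float:
    """Step 4: the 'division' comparison, risk reduced per unit of TCO."""
    return risk_reduced(baseline_loss, prog) / prog.annual_tco()

def compare(baseline_loss: float, current: Program, candidate: Program) -> dict:
    """Marginal view of a proposed change: extra risk reduced vs change in TCO."""
    return {
        "delta_risk_reduced": risk_reduced(baseline_loss, candidate)
                              - risk_reduced(baseline_loss, current),
        "delta_tco": candidate.annual_tco() - current.annual_tco(),
        "current_ratio": risk_reduced_per_unit_cost(baseline_loss, current),
        "candidate_ratio": risk_reduced_per_unit_cost(baseline_loss, candidate),
    }

# Constructed placeholder figures, not data from the article.
BASELINE_LOSS = expected_loss(0.8, 500_000)   # no anti-malware controls at all
CURRENT = Program("current AV", 0.3, 500_000,
                  {"licences": 60_000, "cleanup": 90_000, "monitoring": 40_000})
CANDIDATE = Program("current AV plus a new solution", 0.15, 350_000,
                    {"licences": 60_000, "cleanup": 30_000, "monitoring": 50_000},
                    capex=120_000, capex_years=3)
```

With these placeholder numbers the candidate both lowers annual TCO (the cleanup bucket shrinks more than the amortised capex adds) and removes more risk, which is the situation the text describes where a new solution reduces existing TCO as well as residual risk.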

Understanding risk and costs is a crucial aspect of managing a security program. In addition to recognizing the value provided by an existing anti-malware program, performing this analysis may highlight areas of inefficiency or weakness.

Pete Lindstrom is Principal and VP of Research for Spire Security, LLC, a research and advisory firm. Learn more about Advanced Malware Protection by “Drinking from the Firehose” in New York City on 9/17/13. Details at Complimentary access for those who qualify. Contact for details.