Page047
Total Cost of Ownership
The Total Cost of Ownership (TCO) is the total cost of a mitigating safeguard. TCO combines upfront costs (often a one-time capital expense) plus annual cost of maintenance, including staff hours, vendor maintenance fees, software subscriptions, etc. These ongoing costs are usually considered operational expenses.
Using our laptop encryption example, the upfront cost of laptop encryption software is $100/laptop, or $100,000 for 1000 laptops. The vendor charges a 10% annual support fee, or $10,000/year. You estimate that it will take 4 staff hours per laptop to install the software, or 4000 staff hours. The staff that will perform this work makes $50/hour plus benefits. Including benefits, the staff cost per hour is $70, times 4000 hours, that is $280,000.
Your company uses a 3-year technology refresh cycle, so you calculate the Total Cost of Ownership over 3 years:
- Software cost: $100,000
- Three year’s vendor support: $10,000 × 3 = $30,000
- Hourly staff cost: $280,000
- Total Cost of Ownership over 3 years: $410,000
- Total Cost of Ownership per year: $410,000/3 = $136,667/year
Your Annual Total Cost of Ownership for the laptop encryption project is $136,667 per year.
Return on Investment
The Return on Investment (ROI) is the amount of money saved by implementing a safeguard. If your annual Total Cost of Ownership (TCO) is less than your Annualized Loss Expectancy (ALE), you have a positive ROI (and have made a good choice). If your annual TCO is higher than your ALE, you have made a poor choice.
The annual TCO of laptop encryption is $136,667; the Annualized Loss Expectancy for lost or stolen unencrypted laptops is $275,000. The math is summarized in Table 2.6.
Table 2.6 Annualized Loss Expectancy of Unencrypted Laptops.
| Formula | Value | |
|---|---|---|
| Asset value (AV) | $25,000 | |
| Exposure factor (EF) | EF | 100% |
| Single loss expectancy (SLE) | AV × EF | $25,000 |
| Annual rate of occurrence (ARO) | ARO | 11 |
| Annualized loss expectancy (ALE) | SLE × ARO | $275,000 |
Implementing laptop encryption will change the Exposure Factor. The laptop hardware is worth $2500, and the exposed PII costs an additional $22,500, for $25,000 Asset Value. If an unencrypted laptop is lost or stolen, the exposure factor is 100% (the hardware and all data is exposed). Laptop encryption mitigates the PII exposure risk, lowering the exposure factor from 100% (the laptop and all data) to 10% (just the laptop hardware).
The lower Exposure Factor lowers the Annualized Loss Expectancy from $275,000 to $27,500, as shown in Table 2.7.
Table 2.7 Annualized Loss Expectancy of Encrypted Laptops.
| Formula | Value | |
|---|---|---|
| Asset value (AV) | AV | $25,000 |
| Exposure factor (EF) | EF | 10% |
| Single loss expectancy (SLE) | AV × EF | $2500 |
| Annual rate of occurrence (ARO) | ARO | 11 |
| Annualized loss expectancy (ALE) | SLE × ARO | $27,500 |
You will save $247,500/year (the old ALE, $275,000, minus the new ALE, $27,500) by making an investment of $136,667. Your ROI is $110,833 per year ($247,500 minus $136,667). The laptop encryption project has a positive ROI, and is a wise investment.