Case Study:  Cost-Benefit Analysis


Situation

A large financial institution was interested in better understanding the relative contribution being made by each of its corporate security functions compared to their cost.  This knowledge would allow it to make better resource allocation decisions and address the upcoming budget process from an enterprise benefit point-of-view. Bellwether was invited to facilitate a process whereby the function heads could participate together, provide information and jointly determine the outcome.
 

Approach

Security incident and event information was analyzed to understand distribution frequency in terms of the extent of severity to the company. The incident data was aggregated into a manageable set of threat categories.  Incidents in each category were then sampled to ascertain their cost to the company and this used to estimate the benefit attributable to their mitigation.  From a departmental perspective, approximately 10 key security functions were selected and their annual costs ascertained with overhead and corporate burden included. Benefits were then allocated to each function by use of an exponentially driven threat-mitigation matrix and compared to cost. Each was them mapped graphically according to relative contribution.

Analysis & Results

Results indicated that the corporate security department overall was a significant contributor to the company’s profitability in relation to its expense.  However, its component functions displayed very different characteristics with respect to their ratios of attributed benefit to actual cost. Older, more traditional functions, such as access control, had much higher costs associated with them relative to their attributed benefit.  Whereas newer threats, typically of a digital nature had the propensity to do much more harm but had far fewer resources allocated for their mitigation. The analysis clearly made the case for additional investment and indicated areas of priority.

Benefits to Client

The company was better enabled to consider additional investment in threat mitigation programs and compare it to other alternative uses of funds within the enterprise. Equally importantly, it was clear what the resource allocation priorities were within the corporate security group.  Even if additional funding did not materialize, the reallocation of resources within the group would increase the aggregate benefit to the company.  This finding confirmed the importance of an existing initiative that improved capacity utilization across the group.  Several significant opportunities to improve enterprise benefit were uncovered as a result of this process and analytic methodology.


 c