Economics Of Shift Left Security

Model 1 — MFA Implemented Across The Organization

  • SOC Personnel Costs = (Login Alerts Per User Per Day Related To 1FA Only) * (Organization Size) * (Average Annual SOC Analyst Cost) / (Alerts Triaged Per Analyst Per Day)
  • SOC Software Costs = (Login Alerts Per User Per Day Related To 1FA Only) * (Organization Size) * (Per Alert Software Cost To Aid In Investigation) * (365 Days)
  • Dollar Loss Of Productivity = (Average Number Of MFAs Per Day Per User) * (Organization Size) * (Time To MFA In Seconds) / (1 Minute / 60 Seconds) / (1 Hour / 60 Minutes) / (1 Day / 24 Hours) * (Average Annual Employee Cost)
  • Expected Value Of Breach Cost = (Average Cost Of Data Breach) * (Likelihood Of Data Breach)
  • Organization Size: 10000 Employees (Users)
  • Time To MFA (Google Auth Or Equivalent): 10 Seconds [1]
  • Average Number Of MFAs Per Day Per User: 1 [2]
  • Average Annual Employee Cost: $100,000
  • Login Alerts Per User Per Day Related To 1FA Only (Anomalous Access, Password Sharing, etc.): 0.01 [3]
  • Alerts Triaged Per Analyst Per Day: 100 [4]
  • Average Annual SOC Analyst Cost: $100,000
  • Per Alert Software Cost To Aid In Investigation: $0.10 [5]
  • Percent Of Data Breaches As A Result Of Stolen Or Compromised Credentials: 19% [6]
  • Average Cost Of Data Breach: $4.35M [7]
  • Base Likelihood Of Data Breach: 1.13% [8]
  • Likelihood Of Data Breach With MFA: 0.92% [9]

Model 2 — DevSecOps Properly Executed

  • Developer Costs = (Distinct Production Applications Developed By Organization) * (Average Number Of Vulnerabilities Per Production Application) * (Average Development Hours To Remediate Vulnerability In Hours) * (1 Year / 52 Weeks) * (1 Week / 40 Hours Worked) * (Average Annual Developer Cost)
  • Security Analyst Costs = (Distinct Production Applications Developed By Organization) * (Average Number Of Vulnerabilities Per Production Application) * (Average Security Team Hours To Remediate Vulnerability Found In Production In Hours) * (1 Year / 52 Weeks) * (1 Week / 40 Hours Worked) * (Average Annual Security Analyst Cost)
  • Expected Value Of Breach Cost = (Average Cost Of Data Breach) * (Likelihood Of Data Breach)
  • Distinct Production Applications Developed By Organization: 17 [10]
  • Average Number Of Vulnerabilities Per Production Application: 30.59 [11]
  • Average Development Hours To Remediate Each Vulnerability Found In Development: 3.61 Hours [12]
  • Average Development Hours To Remediate Each Vulnerability Found In Production: 10.71 Hours [13]
  • Average Annual Developer Cost: $150,000
  • Average Security Team Hours To Remediate Each Vulnerability Found In Production: 3.10 [14]
  • Average Annual Security Analyst Cost: $100,000
  • Average Mean Time To Remediate Vulnerabilities — Low Scan Frequency — 1–12 Scans Per Day (Shift Right Security): 217 Days [15]
  • Average Mean Time To Remediate Vulnerabilities — High Scan Frequency — 260+ Scans Per Day (Shift Left Security): 62 Days [15]
  • Assumed Reduction In Vulnerabilities By High Scan Frequency: 71% [16]
  • Percent Of Data Breaches As A Result Of Application Vulnerabilities: 43% [17]
  • Average Cost Of Data Breach: $4.35M [6]
  • Base Likelihood Of Data Breach: 1.13% [7]
  • Likelihood Of Data Breach With High Scan Frequency: 0.79% [18]

Model 3 — Robust Employee And Asset Onboarding And Offboarding

  • Employee Onboarding Tool Setup Time Costs = (Organization Size) * (Organization Turnover Rate) * (Time To Manually Onboard IT In Minutes) * (1 Hour / 60 Minutes) * (1 Week / 40 Work Hours) * (1 Year / 52 Weeks) * (Average Annual Employee Cost)
  • Billable SOC Costs = (Organization SOC Size) * (Average Annual SOC Analyst Cost) * (Applicable Efficiencies)
  • Expected Value Of Breach Cost = (Average Cost Of Data Breach) * (Likelihood Of Data Breach)
  • Organization Size (Constant For A Year): 10000 Employees (Users)
  • Annual Organization Turnover Rate: 47.2% [19]
  • Average Annual Employee Cost: $100,000
  • Time To Manually Install And Configure EPDR and VPN On New Laptops: 20 Minutes [20]
  • Organization SOC Size: 3 FTE
  • Average Annual SOC Analyst Cost: $100,000
  • SOC Efficiency Gains From Clean Mapping Of “Who Owns What”, As A Result Of Employee And Asset Onboarding: 10% [21]
  • Percentage Of Data Breaches As A Result Of Phishing: 16% [22]
  • Percentage Of Data Breaches As A Result Of Improper Employee Offboarding: 10% [23]
  • Average Cost Of Data Breach: $4.35M [6]
  • Base Likelihood Of Data Breach: 1.13% [7]
  • Likelihood Of Data Breach With Guaranteed Correct Controls On Every Employee Laptop, And Automated Offboarding: 0.85% [24]
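As an added worked example (not code from the original article), the following Python plugs the page's parameters into the three models above and returns the annual cost with and without each control so the two scenarios can be compared. Assumptions not stated on the page: labour hours are costed with the 52-week, 40-hour year that Models 2 and 3 use, MFA time is annualized over 260 working days, the 71% vulnerability reduction leaves the remaining vulnerabilities to be fixed in development with no security-team production hours, and the automated onboarding tooling itself is not priced.

```python
# Added worked example (not from the original article): plugs the page's
# parameters into its three cost models and returns annual cost, with and
# without the control, so the two scenarios can be compared side by side.
WORK_HOURS_PER_YEAR = 52 * 40          # the page's (52 weeks) * (40 hours) year
WORK_DAYS_PER_YEAR = 52 * 5            # assumption: the page does not state it
BREACH_COST = 4_350_000                # Average Cost Of Data Breach
ORG_SIZE = 10_000                      # Organization Size (users)

def hours_cost(hours, annual_salary):
    """Convert labour hours into dollars using the page's 52 x 40 hour year."""
    return hours / WORK_HOURS_PER_YEAR * annual_salary

def breach_ev(likelihood):
    """Expected Value Of Breach Cost = average breach cost * likelihood."""
    return BREACH_COST * likelihood

def model1_mfa():
    """Model 1: SOC cost of 1FA-only alerts vs. MFA productivity loss."""
    alerts_per_day = 0.01 * ORG_SIZE                      # 1FA-only alerts
    soc_personnel = alerts_per_day / 100 * 100_000        # 100 alerts/analyst/day
    soc_software = alerts_per_day * 0.10 * 365            # $0.10 per alert
    # 1 MFA per user per day x 10 s, annualised over working days (assumption)
    mfa_hours = 1 * ORG_SIZE * 10 / 3600 * WORK_DAYS_PER_YEAR
    productivity = hours_cost(mfa_hours, 100_000)
    return {"without": soc_personnel + soc_software + breach_ev(0.0113),
            "with": productivity + breach_ev(0.0092)}

def model2_devsecops():
    """Model 2: remediating vulnerabilities in production vs. in development."""
    vulns = 17 * 30.59                                    # apps x vulns per app
    dev_prod = hours_cost(vulns * 10.71, 150_000)         # developer, production
    sec_prod = hours_cost(vulns * 3.10, 100_000)          # security team, production
    # assumption: high scan frequency removes 71% of vulnerabilities and the
    # remainder are fixed in development (no security-team production hours)
    dev_left = hours_cost(vulns * (1 - 0.71) * 3.61, 150_000)
    return {"without": dev_prod + sec_prod + breach_ev(0.0113),
            "with": dev_left + breach_ev(0.0079)}

def model3_onboarding():
    """Model 3: manual IT onboarding and SOC cost vs. automated onboarding."""
    new_hires = ORG_SIZE * 0.472                          # annual turnover
    manual = hours_cost(new_hires * 20 / 60, 100_000)     # 20 min per laptop
    soc = 3 * 100_000                                     # 3 FTE SOC
    # assumption: the automation tooling itself is not priced on the page
    return {"without": manual + soc + breach_ev(0.0113),
            "with": soc * (1 - 0.10) + breach_ev(0.0085)}

if __name__ == "__main__":
    for name, fn in [("MFA", model1_mfa), ("DevSecOps", model2_devsecops),
                     ("Onboarding", model3_onboarding)]:
        r = fn()
        print(f"{name:11} without: ${r['without']:>12,.0f}  with: ${r['with']:>12,.0f}")
```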

Conclusions

Stellar Cyber

Stellar Cyber’s Open XDR platform delivers Everything Detection and Response by unifying all currently disjointed security tools and data sources.