9.4 ASSESSING COSTS


One of the primary pieces of information you will need to convey in your budget is cost information. This section will outline how to derive the cost figures you need to complete the budget proposal. There are numerous ways to express costs, but it is often helpful to categorize them in some way. Your organization may already have its own standards for classifying costs, so the categories described here may differ somewhat from what you use. This section describes in general terms the ways in which costs may be classified.

9.4.1 Personnel vs. Non-Personnel Costs

Costs are generally expressed in terms of personnel related vs. non-personnel related. The following list outlines what kinds of costs fall into these categories:

  • Personnel

    • Salary

    • Benefits

    • Overtime

    • Contractors

    • Temporary Staff

  • Non-Personnel

    • Asset costs

      • Hardware

      • Software

      • Equipment

      • Infrastructure

      • Tools

    • Overhead

      • Office supplies

      • Rent

      • Utilities

      • Services

    • Project specific

      • Travel Expenses

      • Meeting costs

      • Project specific supplies

        • Photocopying

        • Printing

The distinction between personnel vs. non-personnel related costs is often made because personnel costs are typically a very large portion of the overall costs. Note from the list above that personnel costs are usually calculated using the 'fully loaded' value of personnel expenses which includes benefits and overtime rather than just straight salary.

As for the non-personnel costs, the list above includes a sampling of items that represent costs to the organization. The list is not exhaustive and every organization will have different things to account for in their budget proposals.

9.4.2 Deriving Cost Figures

Obviously, the larger the organization and the scope of projects associated with HIPAA compliance planning, the greater the complexity of estimating cost figures for your budget. No one will really expect exact figures, but the figures you do come up with should be reasonable and represent a close approximation. Figures used in writing budgets are typically expressed in thousands.

Some figures may be especially difficult to estimate because of the number of variables that may have an effect on the cost. For example, the cost of supporting a new application may be subject to a variety of influences, such as how quickly training is provided and whether or not the application behaves as intended. In such cases it is reasonable to provide a cost range that you feel comfortable with. Of course, your level of comfort should be based on sound research and any empirical data you can gather to support your estimation. So, for example, you may not be able to say for certain that support costs will be $100K for the year, but you are quite comfortable that the cost will not fall outside of say a range of $90K-$110K. This is a concept known as the '90 percent confidence interval,' which simply means that you can say with at least 90 percent confidence the number will fall within this range. If you choose to express a figure in this manner, you may want to document your logic and the basis upon which this range is founded. For example, a variable that could affect your estimation could be that similar application roll-outs produced support figures that fall within this range, but the application you are budgeting for uses a web interface which may throw a degree of uncertainty into your estimation of the support figure.

Once again, a good relationship with your organization's business analysts may be of tremendous help here since discussions of confidence intervals get into areas of statistical mathematics beyond the scope of this discussion. Also, your organization may have standards for what confidence interval value they operate with. It could be that they would rather see a confidence interval of 95 percent which, of course, means that you may have more work to do to get to that level of comfort with the value range you are estimating.

However, there is some value in working with ranges of numbers especially if those ranges have their basis in good supporting information. Even if you do come up with a range that you are comfortable with, the figure likely to end up in your budget will be the mean or the average within that range. So, using the example above, we would still plug in the $100K figure. However, knowing that there is a range of figures, you can use the high and low boundaries to see what effect they have on the overall budget. Playing 'what-if' scenarios like this gives you a good idea of the possible outcomes and whether or not your budget can tolerate any movement especially if you have hard dollar constraints to contend with.

9.4.3 Total Cost of Ownership

In 1987, Bill Kerwin, vice president and research director of Gartner Group Inc., introduced a concept known as Total Cost of Ownership or TCO. The TCO model introduced a way to define the true costs of IT investments by factoring in the costs associated with ownership, including the cost of operating, maintaining, installing, training and supporting. TCO is often used by vendors to compare the costs of similar products. Those vendors that can prove their product provides a lower TCO have a more compelling sales argument for potential customers than their competitors. However, the TCO concept does underscore the reality that investments in IT or security infrastructure really go beyond the costs of purchase and support.

Some of the cost factors that contribute to TCO are as follows:

  • Acquisition cost

  • Service cost

  • Management cost

  • Maintenance cost

  • Configuration time

  • Software

  • Upgrades

  • Training

  • Support

  • Help desk

  • Facilities

  • Bandwidth

  • Disaster recovery

  • Incident response

  • Storage and archive costs

This list, of course, is not all inclusive. Every project or proposed acquisition has its unique set of costs which must be determined to properly assess the true costs associated with the investment.

TCO reduction is a goal any organization would be interested in achieving. So, this may be a key element of your cost justification model. The TCO model defines three primary factors that influence the cost of ownership. The list below outlines these factors and defines what is affected by each:

  • People - Training end users and staff to make optimal use of cost-controlling processes and technologies

  • Processes - Automating some tasks and streamlining others

  • Technology - Deploying technologies that minimize or eliminate labor-intensive tasks

Using this model, there is certainly a lot of room for building good cost justification cases when it comes time to write the budget proposal.

9.4.4 Quantifying Benefits

Providing good cost justifications, with numbers to support those justifications, is an important part of getting projects approved. There are a variety of metrics approving managers look at to aid in deciding whether or not to sign off on your budget. The following is a listing of the key metrics typically used:

  • Return on Investment (ROI) - ROI is a method for determining the financial benefit of an investment over a period of time. The benefit (or return) is derived from cost reductions realized as a result of productivity gains or process improvements, compared to the amount of the initial investment. In other words, if a technology investment costs a certain amount today, can we expect the cost benefits to exceed that amount over a reasonable period of time? In IT environments, that time is typically three years, since technology changes so rapidly. The formula for calculating ROI is as follows:

    Where:

    • Benefit is the cost benefit over the period of time t which is typically a year

    • Initial investment is the amount initially paid for the investment

    • t is the period being used; in this case, years

    • Discount rate is a figure used to represent the rate of return if you were to invest it today

    • n is the number of years

  • For example:

    If a software investment costs your organization $12,000, and it provides a yearly benefit in terms of productivity gains of $5,000 per year, with a discount rate of 10%, the ROI would work out as follows:


    In this example, the software investment would provide a 114% ROI over the course of 3 years. ROI shouldn't be the only factor considered in a procurement decision, but this would be viewed as a favorable investment based solely on ROI.

  • Net Present Value (NPV) - NPV is similar to ROI, only it gives a dollar value for the investment rather than a percentage. NPV is useful in that it gives you an idea of the performance of the investment over a selected period of time at a given discount rate, to reflect the value of the benefit over that time. These two figures used in conjunction provide very useful information regarding the potential performance of a project from a financial perspective. The NPV formula is as follows:

    Where:

    • Benefit is the cost benefit over the period of time t which is typically a year

    • Initial investment is the amount initially paid for the investment

    • t is the period being used; in this case, years

    • Discount rate is a figure used to represent the rate of return if you were to invest it today

    • n is the number of years

  • Using our previous example, the NPV figure would work out as follows:

    A positive result of this calculation means that this investment is a productive one over the 3-year period. A negative number means that the benefits are not covering the cost of the initial investment over the chosen period of time. This could be an unfavorable indication; however, in our example, the result is positive.

  • Profitability Index (a.k.a. cost-benefit ratio) - This figure is similar to ROI, only it is expressed as a ratio between the benefit over a selected period of time vs. the initial investment. The formula for this figure is as follows:

    Where:

    • Benefit is the cost benefit over the period of time t which is typically a year

    • Initial investment is the amount initially paid for the investment

    • t is the period being used; in this case, years

    • Discount rate is a figure used to represent the rate of return if you were to invest it today

    • n is the number of years

  • Using the figures from the example we have been working with thus far, the calculation works out as follows:


    This result tells us that for every dollar spent on the initial investment, we gained $1.14 over a period of 3 years.

  • Payback Period - The payback period is the amount of time it takes to recoup the costs of the investment. This is a simple figure to calculate that quickly tells you how long before the costs of the initial investment are actually recovered. The formula for this calculation is as follows:


    Using the previous example, the calculation would work out as follows:


    Payback, in this case, occurs in 2.4 years. Note that this figure does not take into account a discount rate, which, in this case, would make the actual payback slightly more than 2 and a half years.

There are many other ways to represent financial information, but this set of formulas is a good starting point. The formulas themselves are fairly straightforward, but the real work lies in how you go about obtaining the figures. One of the most common errors made is to underestimate the cost or the benefit.

9.4.5 The Risk Management Approach to Quantifying Cost Benefits

The information presented above outlines some of the financially-oriented metrics that are typically used in evaluating cost benefits. However, your HIPAA compliance plans will likely propose security-related investments. While the same approaches could apply, they might present more of a challenge because these solutions often cover broad areas of the organization, whereas standard applications may be more localized. For example, an Intrusion Prevention System (IPS) can monitor and protect virtually any network segment depending upon how it is deployed, in contrast with a Resource Management System, for example, which would likely be localized to the human resources department.

Security solutions, in general, are designed to mitigate risk. So, looking at the cost benefit from a risk management perspective is an approach worth understanding. When you consider that risk is a product of exposure to threats in a given environment and the vulnerabilities present in your assets, you can create mathematical models to try to quantify the risk that exists and the extent to which risk may be mitigated by applying controls and safeguards. A few terms should be presented at this point to clarify the values we need to calculate. These are as follows:

  • Single Loss Expectancy (SLE) - This value represents the dollar amount in terms of loss if an incident were to occur.

  • Exposure Factor (EF) - The degree to which an incident impacts an asset. For example, in response to an attack on your database server, which has an assessed value of $200K (including the hardware and the value of the information in the database), it is determined that a significant amount of data was corrupted such that recovery would cost $160K. The EF in this case is 80%, since that was the extent of the impact on that asset.

  • Annual Loss Expectancy (ALE) - This is the dollar amount that a particular type of exposure costs over the period of a year.

  • Annualized Rate of Occurrence (ARO) - An estimate of the frequency with which a particular type of exposure would occur over the course of a year.

Calculating these values presumes several things:

  • You have identified all the assets in your organization that you need to protect.

  • You have a good idea of asset valuation in your organization.

  • You have identified the possible risks and threats to your organization.

  • You have identified resources for obtaining information on rates of occurrence for the threats that can affect your organization.

To see how this technique works, we can apply some sample data and work through the formulas that yield the results we need. To do this, we will create a fictitious department in an organization that processes orders valued at $400K a day. The threat for this example will be a computer virus. Based on the history of recent virus attacks, it has been determined that attacks of the magnitude of Sobig or Blaster can render enough of the systems in the department inoperable such that productivity is reduced by 35% for the day. This is the exposure factor or EF. Secondly, your research has determined that attacks of that magnitude happen approximately once every 6 months. Annualized, this yields an ARO of 2.

Based on this information, we can determine that the SLE for this particular threat is as follows:


On an annualized basis, the ALE would be as follows:


Now that we know what the exposure is if this threat is left unmitigated, we can see what the impact of implementing a control such as an anti-virus server might be. If the introduction of this control reduces the EF to 10% for example, we can easily compare the cost benefit. The new ALE works out as follows:


The benefit is the difference between the ALE before and the ALE after.


If the cost of the anti-virus server is 20K, we can apply the formulas from the previous section to see, from a financial perspective, what this means. If we base our calculations on a 1-year period at a discount rate of 10%, the results work out as follows:


Based on these numbers, this would appear to be a good investment. Of course, these figures are only an example, but the exercise does walk through how these formulas paint a picture of the financial viability of the proposed investment.
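The following is an added example, not code from the book or its publisher: it works the cost-benefit metrics of 9.4.4 and the SLE/ALE model of 9.4.5 on the page's own figures. Because the formula images are missing from this extract, the discounting convention (each year's benefit divided once by 1 + discount rate, which is what reproduces the 114% ROI, 1.14 PI and 2.4-year payback stated in the text) is an assumption; the `compound=True` path is standard present-value discounting, shown for comparison.

```python
# Added example, not from the book. Its formula images are missing from this
# extract, so the discounting convention is an ASSUMPTION chosen because it
# reproduces the figures the text states (114% ROI, PI 1.14, payback 2.4 years,
# discounted payback a little over 2.5 years): each year's benefit is divided
# once by (1 + rate). compound=True gives textbook discounting by (1 + rate)**t.
def discounted_benefit(benefit, rate, years, compound=False):
    """Total benefit over `years` at discount `rate` (see note above)."""
    if compound:
        return sum(benefit / (1 + rate) ** t for t in range(1, years + 1))
    return years * benefit / (1 + rate)

def roi(benefit, investment, rate, years, compound=False):
    """Return on investment as a ratio: 1.14 means a 114% return (also the PI)."""
    return discounted_benefit(benefit, rate, years, compound) / investment

def npv(benefit, investment, rate, years, compound=False):
    """Net present value in dollars: discounted benefit minus the outlay."""
    return discounted_benefit(benefit, rate, years, compound) - investment

def payback_years(benefit, investment, rate=0.0):
    """Years to recoup the outlay; rate=0 is the book's undiscounted figure."""
    return investment / (benefit / (1 + rate))

# Risk-management side (9.4.5): exposure factor, SLE, ALE, control benefit.
def exposure_factor(loss, asset_value):
    return loss / asset_value          # $160K damage to a $200K asset -> 0.8

def sle(asset_value, ef):
    return asset_value * ef            # single loss expectancy

def ale(asset_value, ef, aro):
    return sle(asset_value, ef) * aro  # annual loss expectancy

def control_benefit(asset_value, ef_before, ef_after, aro):
    """Yearly benefit of a control: ALE before it minus ALE after it."""
    return ale(asset_value, ef_before, aro) - ale(asset_value, ef_after, aro)

def worked_examples():
    """The two scenarios in the text: the $12K software and the virus threat."""
    sw = dict(benefit=5000, investment=12000, rate=0.10, years=3)
    # Department processes $400K/day; EF 35% twice a year; control cuts EF to 10%.
    saved = control_benefit(400_000, 0.35, 0.10, aro=2)
    return {
        "sw_roi": roi(**sw), "sw_npv": npv(**sw), "sw_roi_compound": roi(**sw, compound=True),
        "sw_payback": payback_years(5000, 12000),
        "sw_payback_disc": payback_years(5000, 12000, 0.10),
        "virus_sle": sle(400_000, 0.35), "virus_ale": ale(400_000, 0.35, 2),
        "virus_ale_after": ale(400_000, 0.10, 2), "virus_benefit": saved,
        "virus_roi": roi(saved, 20_000, 0.10, 1), "virus_npv": npv(saved, 20_000, 0.10, 1),
    }

if __name__ == "__main__":
    for name, value in worked_examples().items():
        print(f"{name:18s} {value:,.2f}")
```

Note how much the compound path lowers the 3-year software ROI: the convention you adopt for discounting changes the answer, so document it alongside the figures, as 9.4.2 recommends for ranges.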

9.4.6 Obtaining Information

The main challenge in the budget preparation is not working through the calculations; as illustrated up to this point, the math is fairly straightforward. The real challenge lies in how you go about getting your figures. Earlier, in the discussion on costs, we looked at some of the things to factor into your cost figures. As for the information to support your risk models, the risk analysis should provide a great deal of supporting information. However, when it comes to determining things like the frequency of threats (ARO) and the degree to which assets are exposed (EF), you may have some research to do. The following is a listing of various sources that may yield some good information for making these determinations:

  • FBI/CSI - These entities jointly issue annual reports on computer security trends, statistics and figures.

  • NOAA - The National Oceanic and Atmospheric Administration could be a good source of information on natural threats.

  • Local government may be able to provide information on demographics, crime rates for local areas and other information at the local geographic level.

  • Insurance companies are in the business of risk and may be able to provide assistance with your research efforts.

  • Census data may yield some good demographic information for your research.


HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181