Here is a taste of what to expect from Rich Mabe’s Webinar slated for for September 30th, on the topic of Development of Cybersecurity Cost Estimating Factors for Business IT Systems – click here to register.
Analysts from Mitre and PRICE® evaluated budget expenditure data downloaded from the OMB IT Dashboard (www.itdashboard.gov/). The dashboard is an open source website that provides federal agencies and the public with the ability to view details of federal information technology (IT) investments online and to track their progress over time. Our intent was to see if we could isolate specific historical expenditures for cybersecurity activities across several IT programs that could be used to develop factors or methods to estimate future cybersecurity costs.
We started with historical data for 16,380 individual investment activities, drawn from 568 IT systems across 25 executive branch departments and agencies. The data included IT expenditures between FY2009 and FY2018. Using a structured keyword search, we further isolated just activities focused exclusively on cybersecurity efforts, which we then grouped into the standard cost categories shown below in Table 1. These categories use terms found in the activity descriptions and are common cost categories used in federal cost estimates.
Table 1. Cyber Cost Categories
After excluding activities with both cyber and non-cyber costs, we evaluated the remaining activities by category group. The final database supporting our analysis included 309 cyber only activities in 134 IT systems across 21 Executive Branch departments and agencies.
We used standard statistical methods employed in a PRICE analysis tool (TrueFindings®) to search for correlation in the dataset that might lead to cost estimating relationships. However, no correlation was found within or between the cost category groups, so we then chose to develop factors by cost category. The best fit for the data as a factor is shown here:
Cyber Category Cost$ = XX% of Total IT System Investment Cost$
Factors are specific to a cost category, and not to any individual IT system, federal agency or FY.
Table 2 summarizes our result by cost category. Two metrics were developed for each cost category: the Average cost and the Median Cost of all activities in each category as a percent of the Total Investment Cost for their host systems. For example: “Mange Cyber Programs” as a category was the primary effort for 69 of the 309 activities evaluated. On average, these 69 data points represented 2.19% of the Total Cost for their individual host IT systems. The Median value for the 69 data points was only 0.27%. Each category had one or two very large activities that skewed the results (as shown by the data point representing the highest percentage of total cost for each IT program), but there is still a fairly small range between the Average and the Median for each category.
Table 2. Cyber Cost Category Factors
The following results and conclusions were drawn from the analysis of these factors:
~Three cost categories, “Manage Cyber Programs”, “Authentication/Certification” and “SW App Releases” were the most prevalent cyber activities:
- They include 50% of all Cyber activities (152 of 309 Total)
- But only represent (on average) 6% of Total Investment Cost
- They are pervasive in many programs, but not cost drivers in any program
~Two additional categories, “Contractor Cyber Support” and “Cyber/Security Training” are cost drivers:
- They represent 17% of Total Investment Cost
- But only 7% of all cyber activities (19 of 309 Total)
- They are only drivers when they occur (less than once per program)
~The first five categories shown on table 2 above are included in most of the IT programs we evaluated.
- If all five are used as a matter of practice in an estimate, they would add (on average) about 8.22% to the cost of the system for recurring annual costs during the investment phase of an IT program
- Using the median values as a cost factor would add only 2.63%
~The remaining categories should be considered as optional costs, to be randomly included in one year of development as “spikes” in spending for cybersecurity, rather than spreading them as an annual cost in all years of development.
Register for the Cyber Security webinar and learn more about our research and findings.