In the world of security, there is a constant struggle to justify spending, show business value and quantify positive impacts. But too often there is not enough funding, and security becomes important only after a crisis.
The identity and access management (IAM) domains are different because they do not just address risk; they can also produce operational and revenue gains. Web access enforcement is no exception. It improves the user experience and operational efficiency, enforces security policy and is an integral part of any portal experience.
Value as Part of a Business Case
If you’re considering or attempting to calculate the value of web access enforcement, we will assume you are building a business case to get funding. A well-built business case should include the fully loaded costs of software, process changes, organizational changes, hosting costs, change management costs and even cultural effects. The costs must be balanced against a full comprehension of value achieved.
My colleagues and I have collectively seen hundreds of fancy spreadsheets, databases, tables and documents for these purposes. If we’re all honest with ourselves as businesspeople and IT practitioners, we’ll admit we’re not always accurate with these calculations, but it’s our duty to try to be. Sometimes the value doesn’t exceed the costs. Other times, the value far exceeds the costs. In either situation, you will gain much greater acceptance if your stakeholders can see that every aspect of diligence was completed. Below are some important value drivers for web access enforcement.
What Is Web Access Enforcement?
Web access enforcement is one of the most recognizable IAM domains because every user experiences it. It identifies who users are and ensures they access only what they are authorized to access. It includes authentication, authorization, multifactor authentication (MFA), federation and single sign-on (SSO). While this is similar to desktop SSO and privileged access enforcement, those are separate domains because they affect different platforms and users.
Value No. 1: Improving the User Experience
Web access enforcement is a thankless domain even though it is an integral part of every web-based portal experience. It often protects the most valuable and essential operational systems. When done poorly, web access enforcement is blamed for most user experience problems. When done perfectly, however, no one notices! For most organizations, web access enforcement is done just well enough to avoid problems. But those looking to differentiate themselves should build a seamless and robust SSO experience.
You can quantify this by placing value on acquiring, retaining and pleasing your end users. Let’s look at a hypothetical example.
A retail and distribution company determines its portal experience is a leading factor in customer exodus. The company estimates that it lost up to 8 percent of its shopping traffic due to login experience problems. The site processes approximately 2,200 orders per day at an average of $800 per order. The company further estimates that it lost 1,400 of its 40,000 customers, averaging 20 orders each per year, due to issues with the portal. The cost to acquire new customers is approximately $910 per customer.
Four potential value calculations are at play:
- Cost of current lost sales: This is the lost revenue from the 8 percent of abandoned shopping traffic. If this can be reduced to a 4 percent abandonment rate — in effect, adding 4 percent additional orders — the company could gain nearly $26 million in additional revenue per year.
- Cost of future lost sales: By losing 1,400 customers annually, the company loses the revenue that those customers would generate. If this can be reduced to 400 customers lost due to issues with the portal, the company could retain $16 million annually.
- Cost of customer replacement: There is an explicit cost to increase the company’s customer base — or, in this case, regain lost customers. If those costs are not needed because 1,000 customers choose to continue doing business with the company, that saves the company $910,000, which can be spent on other initiatives to grow the business.
- Reputation cost: Depending on the customer market, especially with the rise of social media, users can have a significant effect on other potential users. One bad review could dissuade many other potential customers from purchasing. This is quantified within the $910 cost to acquire new customers. Undoubtedly, that cost will go up over time.
It’s important to note that these customer-facing examples can easily be applied to the employee user experience. In areas with high demand for talented employees, a positive user experience improves morale, motivates workers, improves retention and boosts employer desirability ratings.
Value No. 2: Operational Efficiency
The system interface affects user productivity. As an integral part of nearly every business system, web access enforcement either contributes to or detracts from productivity. On a micro scale, a few seconds of time is inconsequential. But when that time is scaled to thousands of users, those few seconds add up.
This is the age of operational efficiency measurements for the IT industry. With the prevalence and number of disparate systems, organizations can easily save thousands of hours of effort by improving their web access enforcement solutions.
Let’s suppose the retail and distribution company from the example above requires its 340 finance employees to use 16 different applications with eight different user ID/password combinations. In addition, 1,950 other employees and contractors interface with an average of four applications, requiring three user ID/password combinations each. The average login time is 9.5 seconds and users log in an average of 18 times per day. The company calculates a fully loaded hourly cost of $122. That means users spend more than 108 hours per day just logging in. That equates to more than 28,281 hours per year and $3,450,282 annually, as illustrated below:
- (340 + 1950) * 18 logins * 9.5 seconds = 391,590 seconds
- (391,590 seconds / 3,600 seconds per hour) * 260 work days = 28,281 hours per year
- 28,281 * $122 per hour = $3,450,282
Four potential value calculations are involved:
- Lost time for logins: If it’s possible to improve the time spent waiting for the login process to complete by reducing the number of logins by 50 percent and improving the login time to seven seconds, the company can save $2,179,164 annually, just for this small user population.
- Cross-application login time: Each time a user changes applications and must authenticate again, the number of logins increases. This is included in the 18 authentications per day, and it may be a measurable factor for other companies.
- Login confusion time: Users have to recall credentials that they may not have used recently every time they access an application, and they often forget them or enter them incorrectly. Assuming this happens on 2 percent of login transactions and costs six minutes each time, this confusion costs the company $2,613,728 annually. Even using these conservative numbers, halving the number of logins would halve the number of confusion episodes (the equivalent of a 1 percent rate on the original login volume), which could save $1,306,864 annually.
- Loss of attention: Due to the long login time, users are prone to multitask, change focus, get bored or otherwise stop paying attention to the application. If this occurs 15 percent of the time and costs the user five seconds of lost productivity as his or her attention wavers, this amounts to $272,304 in additional costs annually. If this can be eliminated or reduced by implementing a faster login cycle, the savings are significant.
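The login-time model above can be made reproducible. The following Python is an added example, not code from the original article: it encodes the Value No. 2 drivers (wait time, login confusion, loss of attention) as a parameterized scenario so a baseline and an improved case can be compared, and it generalizes to any user population. The class and function names are mine; exact arithmetic is used throughout, so totals can differ from the rounded figures in the text by a few dollars.

```python
"""Parameterized login-cost model for a web access enforcement business case.

Added example (not from the article). Inputs mirror Value No. 2:
2,290 users, 18 logins/day at 9.5 s, $122 fully loaded hourly cost,
260 work days; confusion and distraction parameters from the same section.
"""
from dataclasses import dataclass, replace

SECONDS_PER_HOUR = 3_600
MINUTES_PER_HOUR = 60


@dataclass(frozen=True)
class LoginScenario:
    users: int
    logins_per_day: float
    seconds_per_login: float
    hourly_cost: float
    work_days: int = 260
    # Share of logins where the user forgets or mistypes a credential,
    # and the minutes each such episode costs.
    confusion_rate: float = 0.0
    confusion_minutes: float = 0.0
    # Share of logins where attention drifts, and the seconds lost each time.
    distraction_rate: float = 0.0
    distraction_seconds: float = 0.0

    def logins_per_year(self) -> float:
        return self.users * self.logins_per_day * self.work_days

    def login_wait_cost(self) -> float:
        """Cost of time spent waiting for logins to complete."""
        hours = self.logins_per_year() * self.seconds_per_login / SECONDS_PER_HOUR
        return hours * self.hourly_cost

    def confusion_cost(self) -> float:
        """Cost of forgotten or mistyped credentials."""
        episodes = self.logins_per_year() * self.confusion_rate
        return episodes * self.confusion_minutes / MINUTES_PER_HOUR * self.hourly_cost

    def distraction_cost(self) -> float:
        """Cost of attention lost while a slow login completes."""
        episodes = self.logins_per_year() * self.distraction_rate
        return episodes * self.distraction_seconds / SECONDS_PER_HOUR * self.hourly_cost

    def total_cost(self) -> float:
        return self.login_wait_cost() + self.confusion_cost() + self.distraction_cost()


def annual_savings(before: LoginScenario, after: LoginScenario) -> float:
    """Value per year of moving from `before` to `after`."""
    return before.total_cost() - after.total_cost()


# The article's baseline: finance staff (340) plus other staff and contractors (1,950).
ARTICLE_BASELINE = LoginScenario(
    users=340 + 1_950, logins_per_day=18, seconds_per_login=9.5, hourly_cost=122,
    confusion_rate=0.02, confusion_minutes=6,
    distraction_rate=0.15, distraction_seconds=5,
)

# The article's improvement: half the logins (better SSO) at 7 seconds each.
# Confusion and distraction rates per login are left unchanged, so those
# costs fall in proportion to the number of logins.
ARTICLE_IMPROVED = replace(ARTICLE_BASELINE, logins_per_day=9, seconds_per_login=7)


if __name__ == "__main__":
    for name, s in (("baseline", ARTICLE_BASELINE), ("improved", ARTICLE_IMPROVED)):
        print(f"{name:9s} wait ${s.login_wait_cost():>12,.0f}  "
              f"confusion ${s.confusion_cost():>12,.0f}  "
              f"distraction ${s.distraction_cost():>10,.0f}")
    print(f"annual savings ${annual_savings(ARTICLE_BASELINE, ARTICLE_IMPROVED):,.0f}")
```

Swap in your own user count, login frequency and hourly rate to rebuild the same table for a different population; keeping the per-login rates fixed between scenarios is what makes the confusion and distraction savings scale with the login count.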
Value No. 3: Consistent Technology and Policies
Because web access enforcement is so ubiquitous and included in nearly every system, tremendous economies of scale can be gained within the IT organization. While this could be lumped together with operational efficiency, it’s different because it’s not tied to business operations and it impacts the ability of the organization to pivot to new technologies. Generally, this value is gained by reducing the time to integrate applications, troubleshoot and adopt across the organization, creating the flexibility to embrace new ways of doing business.
Now let’s say our example retail company has approximately 200 applications, divided among four primary user communities: customers (10 applications), business partners (18 applications), employee shared systems (120 applications) and sales employees (52 applications). These constitute 33 application platforms and 18 user repositories. On average, 20 of these applications are significantly changed each year and 10 new applications are added. For each of these significant changes or additions, 440 hours are spent integrating and testing web access enforcement capabilities. This adds up to 13,200 hours per year. The internal security operations team employs seven full-time equivalents (FTEs) to operate these web access enforcement solutions and approximately four FTEs from different IT groups just to complete upgrades, patching and enhancements.
The company has a well-developed organizational change management capability. For each significant application change or addition, it requires approximately 240 hours of time to create and deliver communications and training materials. End users spend five to 20 minutes each receiving and adopting these changes, depending on the complexity of the changes. In total, each of the company’s 11,000 employees spends 1.5 hours receiving these change management materials. This adds up to 16,500 hours of end users’ time and 7,200 hours of the change management team’s time annually.
Below are three business value calculations to be aware of here:
- Implementation and integration consistency: Rather than requiring developers to learn 33 disparate web access enforcement mechanisms, this can be reduced to one solution with five integration patterns, which could reduce the integration and testing time to 200 hours per application. As a result, the company could save $878,400 annually.
- Operational consistency: By reducing the number of web access enforcement solutions and increasing their capabilities, the company can reduce the size of the operations and upgrade team from 11 to five FTEs. Eliminating six FTEs (at the 2,000 hours per FTE and $122 per hour this figure implies) represents $1,464,000 in cost savings.
- Simplified user adoption: The value of a consistent credential and web access enforcement interface lies in the simple fact that it’s easier to use. Once users adopt the solution, less time is needed for change management, communications and education. This can reduce the change management costs by 20 percent for each new application. This saves the company $578,280 annually.
Value No. 4: Risk Reduction
Evaluating risk is not a science since it requires some prediction of the future. It is fundamentally different from the examples we outlined above because the objective is avoidance, not quantifiable savings or gains. A risk reduction calculation rarely shows a positive return on its own; its value is in losses avoided. Further, the effectiveness and quality of the web access enforcement system is just as important as the quantities of users, transactions and applications. In many situations, it’s possible to implement two solution options, each of which reduces the likelihood of a risk and the cost of the impact differently. A management decision is required to reflect the organization’s risk tolerance.
It is more difficult to measure the reduction in likelihood of any solution than to quantify operational changes. It is even harder to determine the cost of impact because it is not a singular value. Every aspect of the ever-changing threat vectors has different cost implications. The costs can also come in different forms, such as direct financial loss, indirect financial loss, legal fees, reputational impacts and many others.
Let’s assume our example company has 108,000 user credentials and a relatively weak password policy that requires a minimum of seven characters, twice-yearly password rotation and no special characters. There is some SSO between systems, but no enforcement of segregation of duties or step-up authentication policies. It is estimated that 1,580 internal and 4,200 external user accounts are inactive, and the average user has 3.5 accounts. There is no system to link user activities to common behaviors or inappropriate access, but the company does have a security information and event management (SIEM) system.
Below are just four of the dozens of risks that can be mitigated by web access enforcement. Each risk is dependent on many other factors, including the solution implemented.
- Multiple credentials: The more credentials, the more opportunities for misuse. In this example, if the company could reduce the number of credentials to two per user through improved SSO (a 43 percent reduction from the 3.5 average) and remove the 5,780 inactive accounts (another 5 percent of the 108,000 credentials), it would reduce the opportunity for inappropriate account use by roughly 48 percent.
- Weak credentials: By making credentials more complex and forcing more frequent password changes, the company can reduce the likelihood of a brute-force or social engineering attack and shorten the window of exposure. As a conservative estimate, this could lead to a 20 percent reduction in the likelihood of a risk. Note that current guidance (NIST SP 800-63B) favors longer passwords screened against breached-password lists, plus MFA, over composition rules and scheduled rotation, which tend to push users toward predictable variations; the estimate depends on which of these controls is actually adopted.
- Inconsistent enforcement: Some SSO configurations let a user move from a low-sensitivity system into a more sensitive one without re-authenticating, in effect gaining increased access. By implementing step-up authentication to enforce security policies for the most essential IT assets, the company can better secure its critical information. This could reduce the likelihood of inappropriate access by more than 50 percent, depending on the details of the enforcement policies and application interactions, and significantly reduce the cost of an impact.
- Failure to correlate: User behavior patterns and application usage can be powerful indicators of malicious behavior. By monitoring and acting on these activities, the company can continuously improve its web access enforcement efficacy through a feedback loop, reduce the duration of the behavior and, therefore, reduce the cost of an impact.
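The multiple-credentials and inactive-account figures above are estimates; they can be measured instead. The following Python is an added example, not code from the original article: it runs the same metrics over an account inventory export (user, application, last login), reporting accounts per user, accounts with no login inside an inactivity window, users with no active account at all, and the credential reduction if SSO consolidates each user to a target number of credentials. The inventory, the 90-day threshold and the function names are constructed assumptions; the article's own 3.5-to-2 consolidation is reproduced by `consolidation_pct`.

```python
"""Account-inventory metrics behind the 'multiple credentials' risk driver.

Added example, not from the article. Runs over a constructed export of
(user, application, last login) records; the 90-day inactivity window and
the target of two credentials per user are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    user: str
    application: str
    last_login: Optional[date]  # None: provisioned but never used


INACTIVE_AFTER = timedelta(days=90)

# Constructed sample inventory (not real data).
AS_OF = date(2024, 6, 30)
INVENTORY = [
    Account("alice", "hr-portal", date(2024, 6, 28)),
    Account("alice", "expenses", date(2024, 6, 1)),
    Account("alice", "legacy-crm", date(2023, 11, 2)),
    Account("alice", "wiki", None),
    Account("bob", "hr-portal", date(2024, 6, 29)),
    Account("bob", "expenses", date(2024, 5, 15)),
    Account("bob", "legacy-crm", date(2024, 6, 20)),
    Account("carol", "hr-portal", date(2024, 2, 1)),
    Account("carol", "wiki", date(2024, 1, 10)),
    Account("dave", "hr-portal", date(2024, 6, 30)),
]


def inactive_accounts(inventory, as_of, threshold=INACTIVE_AFTER):
    """Accounts never used, or not used within `threshold` of `as_of`."""
    return [a for a in inventory
            if a.last_login is None or as_of - a.last_login > threshold]


def accounts_per_user(inventory):
    return dict(Counter(a.user for a in inventory))


def average_accounts_per_user(inventory):
    counts = accounts_per_user(inventory)
    return sum(counts.values()) / len(counts)


def consolidation_pct(avg_accounts, target):
    """Reduction from consolidating the average user to `target` credentials
    (the article's 3.5 -> 2 case)."""
    return 100 * (avg_accounts - target) / avg_accounts


def credential_reduction(inventory, target_per_user, as_of, threshold=INACTIVE_AFTER):
    """Credentials before and after (1) removing inactive accounts and
    (2) putting each user's remaining accounts behind at most
    `target_per_user` credentials. Returns (before, after, pct_reduced)."""
    before = len(inventory)
    stale = set(inactive_accounts(inventory, as_of, threshold))
    remaining = Counter(a.user for a in inventory if a not in stale)
    after = sum(min(n, target_per_user) for n in remaining.values())
    return before, after, round(100 * (before - after) / before, 1)


def orphaned_users(inventory, as_of, threshold=INACTIVE_AFTER):
    """Users none of whose accounts are active: candidates for an offboarding check."""
    stale = set(inactive_accounts(inventory, as_of, threshold))
    active_users = {a.user for a in inventory if a not in stale}
    return sorted({a.user for a in inventory} - active_users)


if __name__ == "__main__":
    print("accounts per user:", accounts_per_user(INVENTORY))
    print("average:", average_accounts_per_user(INVENTORY))
    print("inactive:", [(a.user, a.application) for a in inactive_accounts(INVENTORY, AS_OF)])
    print("orphaned users:", orphaned_users(INVENTORY, AS_OF))
    print("before/after/pct:", credential_reduction(INVENTORY, 2, AS_OF))
    print(f"article case: {consolidation_pct(3.5, 2):.1f}% fewer credentials")
```

Feed it a real export from your user repositories and the percentages in the business case become measured baselines; the orphaned-user list is also a direct input to the de-provisioning work the inactive-account estimate implies.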
Realism and Revenue
The example used in this article probably requires some unrealistic assumptions, but it serves our purpose. Factors have been enhanced to exemplify certain calculations. Not all of these value calculations apply to all organizations, and some have other considerations that are not captured here.
For the factors that affect revenue, the company’s margin is an important scaling factor. Each company will value these differently, but in the simplest terms, the earnings before interest, tax, depreciation and amortization (EBITDA) margin can be multiplied by the revenue impact for a more effective value calculation. Similarly, the factors that affect cost can be scaled up to revenue if an organization chooses to measure value based on revenue impact. It is the responsibility of each organization to apply its own value calculations to evaluate a change.
Principal Security Architect for Delta Air Lines