Estimating the Cost of Cybersecurity

29 November 2018

Anthony A DeMarco, President
Richard D Mabe, Senior Solutions Architect
PRICE Systems, L.L.C.
www.pricesystems.com

Estimate With Confidence. © 1975-2018 PRICE Systems, LLC All Rights Reserved

Foreword

• Life cycle cybersecurity protection of IT systems is a critical issue
  - Internet of Things (IOT)
  - Aggressive nature of cyber attacks
• Need to evaluate approaches for cybersecurity protection with system total ownership cost (TOC) to determine affordable approaches
  - Life cycle systems management
  - Cloud
  - User owned data center
• This briefing presents approaches to model and estimate cybersecurity costs in an IT system.

Contributors: Anthony A DeMarco, President, PRICE Systems LLC; Zachary Jasnoff, VP Professional Services, PRICE Systems LLC; Davis Cass, VP Cloud Global Security Services, IBM; Richard Mabe, Solutions Consultant, PRICE Systems LLC

Overview

• Scope and Definition of IT
• Scope and Definition of Cybersecurity
• Impact of Transitioning System Functions to the Cloud
• Cost Estimating Strategy and Approaches

Scope and Definition of IT

Information Technology (IT) is:

• Internet of Things (IOT) Platform IT Systems
  - Building Blocks (Devices, Services) Integrated into Functional Systems: Communications, Data Management, Information Mgmt, Intelligence, Control/Monitor, Radar, Navigation
• Information Systems (Data Centers; Enclaves)

Cost Considerations

• Where and how is the system hosted
  - Operating Platforms (Airplanes, Ships, Environmental Systems, Vehicles)
  - Private Data Centers
  - Commercial Cloud
• Configuration and Complexity of System Components
• Level of Security and Vulnerability
• Life Cycle Management Requirements
  - Modifications
  - Enhancements
  - Upgrades
  - Recurring Operations

Scope and Definition of Cybersecurity

Definition

• Measures taken to protect digital devices, processors and systems against unauthorized access or attack
• Protect against information being lost, stolen or compromised
• Includes HW and SW strategies/technologies
• Protect confidentiality, integrity and accessibility of data and systems

Application

• Includes Cybersecurity functions and management within an IT System
  - Hardware, Software, and Services
  - Life cycle engineering management
• Also includes IT systems with a primary Cybersecurity function (Cybersecurity as an IT System)
  - Defensive
  - Offensive
  - Hunter/surveillance
  - Vulnerability testing

Impact of Transitioning to Cloud Operations

Optimal Hosting of Info Systems/Data Centers is driven by Workload

[Chart: workloads placed on a scale from "Not Ready for Cloud" through "May be ready for Cloud" to "Moved to Cloud". Workloads shown: Applications with Sensitive Data; Applications with complex processes & transactions; Regulation Intensive Applications; Not yet virtualized applications; Highly customized applications; Big Data & Analytics; Collaboration; Development & Test Workloads; Front Office / Desktop; Compute Workloads; Business Processes (e.g. Expense Reporting); Web Applications; Information Intensive Applications; Isolated workloads (Classified); Mature workloads; Batch processing; Disaster Recovery; High Performance Computing; Social Business; Mobile; Archive; Database Workloads; e-Commerce; DevOps; Risk & Compliance; Customer Service; ERP / CRM; 3rd Party Applications; Storage Workloads; HR / Workforce]

Management's Cybersecurity Concerns with Cloud Ops:

• Are we protected?
• Can we hire the right skills?
• Can we adapt?
• Have we protected our most crucial data?
• Are we maximizing the value of our security investments?
• Are we communicating risk to our customers?

Cloud Service Delivery Models

Who manages each layer of the stack (Client Managed vs. Vendor Managed in Cloud):

Layer            Traditional IT     Infrastructure     Platform           Software
                 (on premises)      as a Service       as a Service       as a Service
Applications     Client             Client             Client             Vendor
Data             Client             Client             Client             Vendor
Runtime          Client             Client             Vendor             Vendor
Middleware       Client             Client             Vendor             Vendor
O/S              Client             Client             Vendor             Vendor
Virtualization   Client             Vendor             Vendor             Vendor
Servers          Client             Vendor             Vendor             Vendor
Storage          Client             Vendor             Vendor             Vendor
Networking       Client             Vendor             Vendor             Vendor

Left to right: Additional Service Management Needed -> Provided by Cloud Provider

Integration of Roles, Processes, Information, and Technology requires additional cloud service management

The Solution: A Well Planned Transition

• As Is System (User Data Cntr): Operate, Sustain
  - Recurring Costs: Labor, Materials, Overhead, ODCs, Facilities, PM/SE
• Transition: Software, Data, Interfaces
  - Plan for Transition: Business Case, Change Mgmt, Svc Level Agreement (What, When, Where To, Security, Access)
  - Execute Plan: SW Porting, Data Migration, User Training (Migrate, Instantiate, Test/Verify, Parallel Ops, Changeover, Go Live)
  - Non-Recurring Costs: Modify/Refactor SW apps, Prep data for migration, Develop new middleware interfaces, Adapt to Cloud OS and Middleware Services, PM/SE
• To Be System (Cloud Host): IaaS, PaaS, SaaS
  - Recurring Costs: Fees, Licenses, Subscriptions for Infrastructure, Run Time Env, SW Services, Access, Cybersecurity, PM/SE

Cost Estimating Strategy/Approach

US Government Accountability Office (GAO) Cost Estimating Guide

GAO Cost Estimating Guide: The 12 Steps

1. Define the estimate's purpose
2. Develop the estimating plan
3. Define the program
4. Determine the estimating structure
5. Identify ground rules and assumptions
6. Obtain the data
7. Develop the point estimate [Compare to bids]
8. Conduct sensitivity analysis
9. Conduct a risk and uncertainty analysis
10. Document the estimate
11. Present estimate [and comparisons] to management
12. Update the estimate to reflect actual costs/changes

1. Define the estimate's purpose

Source Selection: Determine the 80% confidence most probable life cycle cost (MPLCC) of the project to evaluate potential supplier bids and award a contract

[Chart: Confidence Level (40 to 90) by Bidder: IT Pros, Cyber Cops, Counter IT, SecurIT]

Total Ownership Costs for MPLCC

Measures all costs over the system's life cycle

TCO = Capital Expenses  + Operational Expenses  + IT Governance/Sys Mgmt
      (Direct)            (Direct + Indirect)     (Overhead/Admin)
      (Infrastructure)    (Services)              (PM, FM, SE, Cyber Mgmt)

2. Develop the estimating plan

• Use the GAO Cost Guide
• Assign two cost estimators for three weeks
• Use PRICE TruePlanning and IT models
  - Proven models in a robust user interface
  - Provides a resource loaded activity structure
  - Determines cost drivers and structure, cost driver benchmarks
• Identify subject matter experts to be interviewed

Estimating is all we do

• Data: Identification, Collection, Categorization, Normalization
• Analytics and Modeling: Distributions, Regression, Non-Parametric Methods
• Estimating: Budgetary ROMs, IGCEs, MPLCCs, Concept Studies, AOAs, MBSE Affordability Analyses, Supplier Assessments, Price-to-Win, Etc.
• Training and Mentoring: How to collect and use data; How to be better estimators; How to create credible estimates; 24/7 Toll Free Hotline
• Estimating Software Development: Ease-of-Use, Speed, Credibility

TruePlanning® and the PRICE Models

Data visualization, statistical analyses, and proven predictive models in an easy-to-use integrated environment. Responsive reports and graphics to give you the answers you need.

3. Define the program

Program summary statement of work (SOW): Protect military base network operations center from cyber attacks

4. Determine the Estimating Structure

• MIL-STD-881D Appendix J
• TruePlanning WBS by Phase

MIL-STD-881D APPENDIX J

IT System WBS for Cost Estimating

Overall System PBS informed by Mil-Std-881D: Development + Sustainment

• Establish the system and IT capability
  - Integrate COTS tools and services
  - Develop custom tools as needed
  - Connect to enterprise IT
  - Includes Risk Mgmt* as part of Governance
• Life cycle operations and maintenance
  - Custom SW modifications
  - COTS Licenses/Fees/Replacement
  - Help Desk and engineering support
  - Recurring compliance and Risk Mgmt* part of Governance

*Separate Sys Eng, Test, PM and Integration objects are being tested now as new adds to the library

WBS for Cybersecurity In a System

Indenture Cybersecurity HW, SW and Services within the IT System architecture

WBS for Cybersecurity As a System

The entire IT System Architecture is designed to provide Cybersecurity Services to a larger Network of Integrated Systems

Cost Drivers

• Cybersecurity costs do not all carry equal weight
• Generally, cybersecurity specific HW and SW are not cost drivers for the system
• Drivers include:
  - Systems Eng Labor (Establish Controls/Risk Mgmt)
  - Initial and Recurring Cybersecurity Tests
  - Life Cycle Engineering Management:
    - Continuous monitoring and threat analysis
    - Continuous validation of requirements (confidentiality, availability and integrity)
    - High replacement rate for vulnerable SW/HW
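The TCO breakdown, the cost-driver list above and the 80% confidence MPLCC that the source-selection purpose calls for, together with GAO steps 7 to 9 (point estimate, sensitivity, risk and uncertainty), can be carried through end to end on a small WBS. The following is an added example written for this transcript; it is not PRICE's or TruePlanning's code. The WBS elements, dollar figures (in $K), five-year sustainment period and bid amounts are all constructed, and reading the briefing's bidder chart as "fraction of simulated life-cycle outcomes at or below the bid" is an assumption.

```python
"""Worked MPLCC estimate over a small IT-system WBS (constructed example).

Every cost figure, WBS label, bidder amount and the five-year sustainment
period below is constructed for illustration; none of it comes from the
PRICE briefing or from TruePlanning.
"""
import bisect
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CostElement:
    phase: str        # "Development" or "Sustainment" (PBS informed by MIL-STD-881D)
    name: str         # WBS element; "Cyber:" marks cybersecurity elements indentured in the system
    low: float        # optimistic cost, $K
    likely: float     # most-likely cost, $K (feeds the point estimate)
    high: float       # pessimistic cost, $K
    recurring: bool   # True: incurred each year of sustainment


YEARS = 5  # constructed sustainment period

WBS: List[CostElement] = [  # constructed values
    CostElement("Development", "Integrate COTS tools and services", 800, 1000, 1500, False),
    CostElement("Development", "Develop custom tools", 300, 500, 1200, False),
    CostElement("Development", "Cyber: Sys Eng labor (establish controls, risk mgmt)", 400, 700, 1600, False),
    CostElement("Development", "Cyber: initial cybersecurity test", 100, 150, 300, False),
    CostElement("Sustainment", "COTS licenses, fees, replacement", 200, 250, 350, True),
    CostElement("Sustainment", "Help desk and engineering support", 300, 400, 600, True),
    CostElement("Sustainment", "Cyber: continuous monitoring and threat analysis", 250, 400, 900, True),
    CostElement("Sustainment", "Cyber: recurring cybersecurity tests", 80, 120, 250, True),
    CostElement("Sustainment", "Cyber: replacement of vulnerable SW/HW", 50, 150, 600, True),
]


def element_total(e: CostElement, value: float) -> float:
    """Life-cycle cost of one element for a given per-instance value."""
    return value * YEARS if e.recurring else value


def point_estimate(wbs: List[CostElement] = WBS) -> float:
    """GAO step 7: deterministic estimate built from most-likely values."""
    return sum(element_total(e, e.likely) for e in wbs)


def rollup_by_phase(wbs: List[CostElement] = WBS) -> Dict[str, float]:
    """Point estimate rolled up to the Development / Sustainment level of the PBS."""
    totals: Dict[str, float] = {}
    for e in wbs:
        totals[e.phase] = totals.get(e.phase, 0.0) + element_total(e, e.likely)
    return totals


def sensitivity(wbs: List[CostElement] = WBS) -> List[Tuple[str, float]]:
    """GAO step 8: swing each element alone to its high value (others at likely)
    and rank the resulting increase in life-cycle cost; top entries are the cost drivers."""
    swings = [(e.name, element_total(e, e.high) - element_total(e, e.likely)) for e in wbs]
    return sorted(swings, key=lambda s: s[1], reverse=True)


def simulate(wbs: List[CostElement] = WBS, trials: int = 20000, seed: int = 1) -> List[float]:
    """GAO step 9: Monte Carlo with a triangular distribution per element.
    A recurring element is drawn once and applied to every year, so a
    persistently high monitoring cost is not averaged away across years."""
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        samples.append(sum(element_total(e, rng.triangular(e.low, e.high, e.likely)) for e in wbs))
    samples.sort()
    return samples


def mplcc(samples: List[float], confidence: float = 0.80) -> float:
    """Most probable life cycle cost at the requested confidence level
    (the corresponding percentile of the sorted simulation samples)."""
    idx = min(len(samples) - 1, int(round(confidence * (len(samples) - 1))))
    return samples[idx]


def bid_confidence(samples: List[float], bid: float) -> float:
    """Fraction of simulated outcomes at or below a bid: the confidence level the
    bid represents (this reading of the briefing's bidder chart is an assumption)."""
    return bisect.bisect_right(samples, bid) / len(samples)


def evaluate_bids(samples: List[float], bids: Dict[str, float]) -> Dict[str, float]:
    return {name: bid_confidence(samples, amount) for name, amount in bids.items()}


if __name__ == "__main__":
    s = simulate()
    print(f"Point estimate: {point_estimate():,.0f} $K  by phase: {rollup_by_phase()}")
    print(f"MPLCC @80%: {mplcc(s):,.0f} $K  (median {mplcc(s, 0.5):,.0f} $K)")
    for name, delta in sensitivity()[:3]:
        print(f"driver: {name}: +{delta:,.0f} $K")
    # Bidder names are taken from the briefing's chart; the amounts are constructed.
    bids = {"IT Pros": 10500, "Cyber Cops": 11200, "Counter IT": 11800, "SecurIT": 12400}
    for name, c in evaluate_bids(s, bids).items():
        print(f"{name}: bid {bids[name]:,} $K sits at the {c:.0%} confidence level")
```

On these constructed inputs the sensitivity ranking puts continuous monitoring and replacement of vulnerable SW/HW at the top and the COTS licence line well down, which is the pattern the cost-driver slide describes: the labor and life-cycle engineering management elements, not the security-specific products, move the estimate. The 80% MPLCC also lands well above the most-likely point estimate, because every element's distribution is skewed toward its high value; a bid compared only against the point estimate would look affordable at a confidence level far below 80%.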

5. Identify Ground Rules and Assumptions

6. Obtain the data

7. Develop the point estimate and compare to bids

8. Conduct sensitivity analysis

9. Conduct risk and uncertainty analysis

10. Document the estimate

11. Present estimate [and comparisons] to management

12. Update the estimate to reflect actual costs/changes

[Chart: Confidence Level (40 to 90) by Bidder: IT Pros, Cyber Cops, Counter IT, SecurIT]

Summary

• Cybersecurity presents estimators with many challenges
• Estimators need to understand the many cybersecurity components and options
• The GAO Cost Estimating Guide is a comprehensive step-by-step process to create credible estimates
• Statistical models, cost driver databases, and estimating systems exist to make the task faster and easier

PRICE Customers

Over 300 customers, including:
• 10 US Federal Organizations
• 8 Non-US Ministries of Defense
• 4 Organization-wide licenses
• 10 of top 10 Global Defense Contractors

Global Partnerships, including: Key resellers in Australia, China, Germany, Italy, Korea, Japan (TBD)

About PRICE

• PRICE Systems (PRICE) is a leading expert and provider of cost estimation solutions that maximizes the success rate of projects, programs and professionals. Since 1975, PRICE has provided federal agencies and commercial companies with superior estimates, process integration, powerful insights and cost models and exceptional customer support to enable confidence in estimation and the success of innovative projects and estimators worldwide.

For superior cost estimation solutions, contact us today.

Anthony A. DeMarco, President, PRICE Systems, L.L.C.
17000 Commerce Parkway - Suite A, Mt. Laurel, NJ 08054
856.608.7214 (Office); 856.261.0908 (Mobile)
www.pricesystems.com