Cost Tracking
CFTR enables security teams to calculate the cost incurred to an organization due to an incident. Incident managers can calculate the overall business expenses for an incident based on the values such as cost incurred due to application downtime, cost of email notifications to all impacted customers, brand rebuilding cost, hardware replacement cost, software licensing cost, and cost incurred for patching the exploited application. Also, incident managers can calculate the cost based on actions linked to the incident and time taken by analysts to close the actions throughout the incident response process.
The Cost Tracking tab displays the following costing information of an incident:
Total Cost: The total cost incurred due to the incident.
Cost by Incident Phase: The total cost of the incident response and the breakdown by various phases of the incident response lifecycle.
Cost by Action: The total cost of resolving the actions that are linked to the incident and the breakdown by the number of actions.
Other Costing: The total cost of the activities that are indirectly related to the incident and the breakdown.
Note
The costing details, such as currency, hourly rate for the analysts, and other costings, is configured by your CFTR admin in the Configurations page.
How does the cost tracking feature help?
Evaluating the overall cost incurred by an incident allows incident managers to measure the potential cost of attacks and better understand the risk posed by them and subsequently helps organizations to revamp and make better security investment decisions.
Discovering the cost of specific targeted attacks helps incident managers to know how their organization has sustained against attacks and paves way for enabling benchmarking.
Enables cost-benefit analysis of security strategies.
Executives can gain insights into the key areas such as information security, risk assessment, and financial assessment.
Cost Calculation Schema
The new schema calculates the overall Incident cost based on the following criteria:
Time spent by every security analyst who was part of the incident response lifecycle will be calculated based on their individual hourly rate.
Time spent by every security analyst who was involved in the closure of the linked actions will be calculated based on their individual hourly rate.
Custom expenses based on requirements can be included in the Other Costing section which are added to the overall cost.
Cost Calculation Example
Incident cost is evaluated for every response phase of an incident. The following table provides an example of cost evaluation for an incident.
Cost by Incident Phase
Incident Phase | Analyst Time Spent | Analyst Hourly Rate | Calculation (Time Spent*Hourly Rate) | Cost |
---|---|---|---|---|
Detection Analysis | Analyst 1 - 1hr Analyst 2 - 1hr | Analyst 1 - $10 Analyst 2 - $15 | Analyst 1 - $10 Analyst 2 - $15 | $25 |
Analyst 3 - 2hrs | Analyst 3 - $30 | Analyst 3 - $60 | $60 | |
Investigation and Eradication | Analyst 4 - 2hrs Analyst 5 - 2hrs | Analyst 4 - $25 Analyst 5 - $25 | Analyst 4 - $50 Analyst 5 - $50 | $100 |
Recovery | Analyst 4 - 1hr Analyst 5 - 2hrs | Analyst 4 - $25 Analyst 5 - $25 | Analyst 4 - $25 Analyst 5 - $50 | $75 |
Closure | Analyst 6 - 1hr | Analyst 6 - $30 | Analyst 6 - $30 | $30 |
Total Cost by incident phases = $290
Cost by Incident Actions
Actions Assigned | Analyst Time Spent | Analyst Hourly Rate | Calculation (Time Spent*Hourly Rate) | Cost |
---|---|---|---|---|
Action1 | Analyst 1 - 1hr Analyst 2 - 1hr | Analyst 1 - $10 Analyst 2 - $15 | Analyst 1 - $10 Analyst 2 - $15 | $25 |
Action 3 | Analyst 3 - 2hrs | Analyst 3 - $30 | Analyst 3 - $60 | $60 |
Action 3 | Analyst 6 - 1hr | Analyst 6 - $30 | Analyst 6 - $30 | $30 |
Total cost of actions = $125
Other costing (application downtime, patching, and so on) for the incident = $100
Overall cost for the example incident = $515
Note
The cost for an incident phase is shown as $0 if an incident phase is in progress.