Assessing the Costs and Benefits of Security Solutions

The overall cost of a specific security solution includes the following:

  • Resources necessary to plan, design, test, and deploy the system you choose.

  • Resources necessary to administer and maintain the solution after deployment.

  • Resources necessary to educate users about the new system and teach them how to use the new technology.

  • Resources necessary to support users of the new technology (for example, the Help desk).

  • Lost user productivity that is a result of the restrictions that are imposed by the security system.

  • Increased load on computers and networks, and the resulting reduced performance, caused by cryptographic operations.

Assess the costs of security solutions to determine which ones provide reasonable security benefits at acceptable costs and performance for your organization. The cost to implement and maintain security systems by using Windows 2000 distributed security technologies can vary considerably and depends on your security goals and requirements. The two examples that follow illustrate this.

If you deploy smart cards to implement smart card network logon authentication, you also have to deploy a smart card program to enroll users and to support users who lose or leave their smart cards at home. The smart card security policies you choose affect the costs of the program significantly. If employees who misplace their smart cards cannot quickly and easily obtain temporary access to the network, they lose productivity. However, if you allow employees to log on to the network without smart cards, network security is reduced. The smart card program and policies you choose affect user support costs, employee productivity, and overall network security.

If you use secure Web communications to provide strong confidentiality for information about classified projects, you can deploy and manage certificate services to issue and maintain digital certificates for all project members who need to use the classified Web sites. The cost associated with this system includes the resources that are required for implementing and maintaining certificate services. In addition, high volumes of secure Web traffic place a heavy performance burden on Web server processors. Therefore, you might have to install expensive cryptographic accelerator boards in your Web servers to achieve acceptable Web performance. The overall cost varies according to the number of users whom you need to support and the volume of confidential communication that is handled by your organization. If you can realistically keep the amount of confidential Web communication to a low volume, the additional cost of cryptographic accelerators might not be necessary.