Performing a Cost-Benefit Analysis on the Identified Risk Elements

A cost-benefit analysis (CBA) helps determine whether a countermeasure should be used. If the benefits of a countermeasure exceed its costs, the countermeasure is worthwhile; if its costs exceed its benefits, it is not.

If two possible countermeasures that will mitigate the same risk are available, two CBAs can be completed to determine which one provides the better benefits. That countermeasure can then be implemented.

NOTE

If the turnaround between approval of the risk assessment and the start of the mitigation plan is quick, this step is less important. The risk assessment would have identified the risk elements and recommended steps to mitigate them. Management then approves these steps.

Calculating the CBA

When performing a CBA, the starting point is to identify the losses that are expected without the countermeasure in place and the losses that are expected after the countermeasure has been implemented. This calculation determines the projected benefits. The formula is:

Loss before countermeasure − Loss after countermeasure = Projected benefits

Next, the cost of the countermeasure is identified. The formula is:

Projected benefits − Cost of countermeasure = Countermeasure value

TIP

One way to prevent SQL injection attacks is to use stored procedures to validate input. A stored procedure is a type of script or mini program used within a database application. Instead of using data entered by users directly, data is passed to a stored procedure. The stored procedure validates the data before using it. The stored procedure rejects invalid data commonly used in an SQL injection attack.

If the result is a positive value, the countermeasure provides cost benefits, whereas, if the cost of the countermeasure is more than the benefits, the countermeasure doesn’t provide cost benefits. If the values are close to each other, the return on investment (ROI) can be calculated. An ROI calculates the countermeasure’s value over its lifetime.

The most important part of this process is identifying the costs and benefits. The goal is to identify both tangible and intangible values. If the costs and benefits are not accurately identified, the CBA loses its value and may need to be redone.

A significant amount of time might be needed to complete an accurate CBA. Because of this time requirement, a CBA would not be performed on every possible recommended countermeasure. For example, if a skilled administrator can write a script to mitigate a risk, the countermeasure has almost zero cost. Therefore, performing a CBA wouldn’t be necessary. On the other hand, a failover cluster can be very expensive because servers must be added, which can require added facility costs to accommodate them.

A CBA Report

CBA reports can be presented in any number of formats. However, creating the CBAs consistently, especially within the same project, is valuable. For example, two CBAs may need to be created for two countermeasures that will mitigate the same risk. The managers don’t want to purchase both countermeasures, so they determine which countermeasure will provide the greater benefit. If both CBAs are completed using the same methods and format, comparing the two and choosing the more valuable control is easier.

The following elements are commonly included in any CBA report for a countermeasure:

NOTE

A quantitative risk assessment includes an estimate of the annual loss expectancy (ALE) due to a risk. The ALE can be used as the “loss before countermeasure.”

  • Recommended countermeasure—The countermeasure is identified in as much detail as possible. For example, a risk assessment recommends a failover cluster. Details on the cluster might include the cost of the two matched servers and other failover cluster hardware and the cost of administrator training or the cost to outsource the installation of the failover cluster.
  • Risk to be mitigated—Details of the threat/vulnerability pair that results in the risk are provided. The likelihood and impact of the threat are included if a threat matrix method was used to prioritize the risk. If the countermeasure eliminates a vulnerability, an overview of how it does so is included. If the countermeasure reduces a vulnerability, an estimate of the expected reduction is included. For example, if the countermeasure is expected to reduce incidents from 10 a year to 1 a year, that would be stated here.
  • Annual projected benefits—Direct and indirect benefits are calculated as an annual monetary value. The benefits are determined by calculating losses with and without the control. For example, suppose there is currently a 25 percent chance that a service fails once a year, and each failure results in a loss of $20,000. A countermeasure can reduce this risk to zero. The loss without the countermeasure is $20,000 × 0.25, or $5,000, and the loss with the countermeasure is zero, so the projected benefits are $5,000 annually.
  • Initial costs—The initial costs, which would include the purchase price and any indirect costs to implement the countermeasure, are stated here. Indirect costs include items such as training and the cost to modify the environment, which may include adding power capability, upgrading air-conditioning, or improving physical access countermeasures.
  • Annual or recurring costs—Some countermeasures require ongoing costs to maintain them. For example, a proxy server could be used to block access to gambling sites. Manually identifying all the gambling sites and entering them into the proxy server is very time consuming. However, content filter companies maintain lists of sites in many categories, such as gambling sites. Instead of entering this information manually, organizations pay for the subscription services as an ongoing cost.
  • A comparison of the costs and benefits—This is the primary purpose of the report. If the costs are less than the benefits, the countermeasure provides a benefit, whereas, if the costs are greater than the benefits, the countermeasure does not provide a benefit. If the results are close, an ROI can be calculated.
  • Recommendation—The countermeasure is recommended only if it provides a benefit.
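The following Python script is an added worked example, not part of the original text, that carries the two formulas from "Calculating the CBA" through the report elements listed above. It uses the text's own figures for the risk (a 25 percent chance per year of a $20,000 loss, so an ALE of $5,000) and treats that ALE as the "loss before countermeasure" as the note suggests. The three candidate controls and all of their cost figures are constructed assumptions, as is the ROI formula (lifetime benefits minus lifetime cost, divided by lifetime cost), which the text mentions but does not define. The example goes slightly beyond the text in that one control only reduces the risk rather than eliminating it, and several CBAs computed the same way are compared to pick the control with the greater benefit.

```python
"""Cost-benefit analysis (CBA) of security countermeasures (added example).

Implements the text's two formulas:
    Loss before countermeasure - Loss after countermeasure = Projected benefits
    Projected benefits - Cost of countermeasure = Countermeasure value
plus an assumed lifetime ROI ratio. All cost figures below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    """A threat/vulnerability pair quantified as in a quantitative risk assessment."""
    name: str
    sle: float  # single loss expectancy: dollars lost per incident
    aro: float  # annual rate of occurrence: expected incidents per year

    def ale(self) -> float:
        """Annual loss expectancy = SLE x ARO; used as the 'loss before countermeasure'."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    initial_cost: float   # purchase price plus indirect implementation costs
    annual_cost: float    # recurring costs such as subscriptions or maintenance
    residual_aro: float   # expected incidents per year once the control is in place
    lifetime_years: int   # period over which the initial cost is spread


def projected_benefits(risk: Risk, cm: Countermeasure) -> float:
    """Annual loss before the countermeasure minus annual loss after it."""
    loss_after = risk.sle * cm.residual_aro
    return risk.ale() - loss_after


def annualized_cost(cm: Countermeasure) -> float:
    """Initial cost spread evenly over the lifetime, plus the recurring annual cost."""
    return cm.initial_cost / cm.lifetime_years + cm.annual_cost


def countermeasure_value(risk: Risk, cm: Countermeasure) -> float:
    """Projected benefits minus cost of countermeasure (annual); positive means it pays."""
    return projected_benefits(risk, cm) - annualized_cost(cm)


def lifetime_roi(risk: Risk, cm: Countermeasure) -> float:
    """Assumed ROI ratio over the control's lifetime: (benefits - cost) / cost."""
    total_benefit = projected_benefits(risk, cm) * cm.lifetime_years
    total_cost = cm.initial_cost + cm.annual_cost * cm.lifetime_years
    return (total_benefit - total_cost) / total_cost


def cba_report(risk: Risk, cm: Countermeasure) -> dict:
    """The report elements, in one fixed format so two CBAs can be compared directly."""
    value = countermeasure_value(risk, cm)
    return {
        "countermeasure": cm.name,
        "risk": risk.name,
        "annual_projected_benefits": round(projected_benefits(risk, cm), 2),
        "initial_cost": cm.initial_cost,
        "annual_cost": cm.annual_cost,
        "annual_value": round(value, 2),
        "lifetime_roi": round(lifetime_roi(risk, cm), 4),
        "recommended": value > 0,  # recommended only if it provides a benefit
    }


def choose_countermeasure(risk: Risk, options: List[Countermeasure]) -> Optional[str]:
    """Pick the recommended control with the highest annual value (ROI breaks ties)."""
    reports = [cba_report(risk, cm) for cm in options]
    worthwhile = [r for r in reports if r["recommended"]]
    if not worthwhile:
        return None
    best = max(worthwhile, key=lambda r: (r["annual_value"], r["lifetime_roi"]))
    return best["countermeasure"]


# Risk figures from the text: a 25% chance per year of a failure costing $20,000.
SERVICE_OUTAGE = Risk("service failure", sle=20_000, aro=0.25)

# Constructed candidate controls and costs (assumptions, not from the text).
CANDIDATES = [
    Countermeasure("failover cluster", 12_000, 1_000, residual_aro=0.0, lifetime_years=5),
    Countermeasure("monitoring subscription", 500, 3_000, residual_aro=0.05, lifetime_years=5),
    Countermeasure("hot site", 30_000, 2_000, residual_aro=0.0, lifetime_years=5),
]

if __name__ == "__main__":
    for candidate in CANDIDATES:
        print(cba_report(SERVICE_OUTAGE, candidate))
    print("chosen:", choose_countermeasure(SERVICE_OUTAGE, CANDIDATES))
```

With these assumed figures the failover cluster yields $5,000 in annual benefits against $3,400 in annualized cost (value $1,600), the subscription yields $4,000 against $3,100 (value $900), and the hot site costs $8,000 a year for the same $5,000 benefit, so it is not recommended. The initial cost is spread over the lifetime so that a control with a large purchase price is not penalized against a subscription-style control whose cost is entirely recurring.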