ANALYTIC METHODS GREEN TEAM

15 May 2012 INTL 520 Mercyhurst University

Introduction

Page iii

ADVANCED ANALYTIC METHODS GREEN TEAM

Dean Atkins Leslie Guelcher David Krauza Puru Naidu Shawn Ruminski Emily Slegel Erie, PA

2012 Green Team, Erie, PA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means without written permission from the author.

Introduction

Page iii

Table of Contents CHAPTER 1: COST BENEFIT ANALYSIS

Description Strengths Weaknesses How-To Personal Application Bibliography

4
4 4 5 6 8 14

Advanced Analytics: Green Team Methods

page ii

This page intentionally left blank.

Introduction

Page iii

Chapter 1: Cost Benefit Analysis

Leslie Guelcher

Description
Cost-benefit analysis (CBA) is an analytic modifier that attempts to determine if a project, course of action, or investment should be selected based on limited investible funds (Mishan & Quah, 2007, p. 3). The process entails quantifying both the costs and the benefits of a project. It can be used to reduce uncertainty. CBA is traditionally used in one of two settings: as an economic analysis to determine the social benefit of a public undertaking or as an accounting function for private enterprises to determine the opportunity costs for a set of projects or decisions (Mishan & Quah, 2007, p. 5). For economic problems, the cost of a proposal is weighed as societys cost while the benefits are regarded as social benefits to determine if a project will result in a net social benefit, where benefit cost = net value (Robinson, 1993, p. 924). At the firm level, the costs are the actual, or estimated, costs of the project to the firm alone. Similarly, the benefits are those accrued only to the firm within the framework of the project being examined (Sonnenreich, Albanese, & Stout, 2006, p. 55).

Strengths
Cost benefit analysis is simple to implement when using quantitative data. When conducting CBA using project costs and benefits that have set financial numbers attached to the project, it is a simple matter of inputting all costs and then associated benefits to derive a net value for the project.

Advanced Analytics: Green Team Methods

page 4

CBA reduces uncertainty. The process of listing all potential costs and quantifying the benefits allows an analyst to verify a project has considered the true costs of both inputs (costs) and outputs (benefits). Using brainstorming, expert testimony or other techniques to generate a list of costs and benefits aids the process. Examples of using CBA are plentiful. Because CBA has been used in both accounting and economics for decades, there are plenty of examples of academic articles, books, and downloadable spreadsheet templates to aid in preparing the analysis. Methods for determining costs and benefits are available. A myriad of journal articles and other publications exist that detail procedures for arriving at the costs and benefits for a specific project. For instance, in my application of CBA I found several articles that helped determine which factors to include as costs and benefits.

Weaknesses
Qualitative data can be manipulated. To work in CBA, qualitative data must be changed to quantitative data. Using a range for the data helps mitigate the bias that could permeate the analysis. Otherwise, it is easy to underestimate costs while overestimating benefits, which leads to faulty conclusions. CBA is not a stand-alone answer. When using qualitative data, other modifiers are needed in conjunction with CBA in order to transfer the ideas of qualitative to the numbers needed in quantitative.

page 5

Cost Benefit Analysis

How-To
1. Identify the project, course of action or investment to be analyzed. The project to be analyzed will usually be defined by decision-makers. It can be a question comparing two potential solutions or a singular investment that the analyst is tasked with determining its projected usefulness/benefit. 2. Choose appropriate modifiers. Additional modifiers should be used to effectively generate a complete list of benefits and costs. By using more than one modifier, the analyst can ensure as complete a list as possible is included in the CBA. Various modifier ideas can be found in Additional Resources. 3. Determine the costs and benefits to be analyzed. The analyst can begin listing costs and benefits from individual research using Google Scholar, Lexis-Nexis or other online sources for journal and technical articles/papers. The papers should give the analyst a starting point for determining what other information will be needed. From there, additional items can be added to the list from HUMINT (talking to experts), brainstorming, or other idea generating activities. 4. Build a spreadsheet. Using a program like Microsoft Excel, either build a spreadsheet from scratch or find a template online. A Google search for Cost Benefit filetype:xls should generate a number of already designed templates. The spreadsheet should include an area for listing all of the costs followed by all of the benefits. Each section (cost and benefit) should be autosummed to improve accuracy. 5. Determine the number to use for quantifiable data. Through researching costs and numerical benefits, an analyst can start building the items on the spreadsheet. If exact numbers are not available, then a range of costs/benefits should be used. Using Hubbards 90 percent confidence interval (Hubbard, 2010, pp. 55,
Advanced Analytics: Green Team Methods page 6

103), the analyst should identify the low and high ends for both costs and benefits. The low and high numbers should each be listed in its own column to provide a specific low total and high total for the analysis. 6. Change qualitative data to quantitative. For CBA to work, all data must be in the form of numbers. As such, any fuzzy items require conversion from ideas to numbers. Again, using Hubbards ideas for being creative when approaching items that might be considered unmeasurable can produce estimates that are close enough to e able to reduce uncertainty (Hubbard, How to Measure Anything, 2010, pp. 139176). 7. Input quantities. All costs and benefits need to have a quantity, or range of quantities, associated with it. Each item should be listed with what it is and what it costs. 8. Analyze the results. Add all costs together to obtain the total investment. Then, add all benefits together to get the total benefit. Subtract total investment from total benefit to get the net value. If the value is positive, you have a net benefit; if negative, a net cost.

page 7

Cost Benefit Analysis

Personal Application
1. Identify a project. The first step was to determine an area, industry or concept that may not have utilized CBA in the past. I identified small business cyber security spending as the area I would investigate. 2. Define terms. To narrow down the items to investigate, I first determined what cost-benefit analysis entailed. (This is reviewed in the Description section, using the perspective of one firm.) I defined small business as an organization with fewer than 50 employees. Cyber security was defined as any undesirable event that is a result of an attack against the information system of the business (Arora, Hall, Pinto, Ramsey, & Telang, 2004, p. 35). 3. Identify types of data. I next researched the types of incidents that are included in cyber security. I found information pertaining to measuring risk of intrusion, costs associated with hardware and software solutions, the maintenance (or update costs) needed for hardware and software, and the costs associated with monitoring installed solutions. To quantify the benefits, I associated the cost of computers being unusable for an hour/day/week against the number of incidents prevented because of the installation of security devices. To obtain this information, I spoke with industry experts who advice and sell security solutions to small businesses. As an example, a business with a firewall, anti-virus protection, anti-spam protection and updated hardware/software can expect next to no intrusions into their networks. However, by eliminating any one of the solutions, changes how at-risk the business is to intrusion.

Advanced Analytics: Green Team Methods

page 8

I decided to use the risk-based analysis because I could establish different risk levels for different types of business. I was then able to tailor the analysis based on business risk. I identified five levels that depended on the type of network and data that a business has on-site.
Risk Levels 1 No network, no client/customer data, no IP, no sensitive documents 2 Networked, with staff data, but no client, IP, or sensitive documents 3 Networked, with staff data plus either client OR IP, no sensitive documents 4 Networked, with either client OR IP AND staff data along with sensitive documents 5 Networked, with client and staff data, IP and sensitive documents

4. Quantify data. Because the benefit area consisted of qualitative data, I needed to find a way to measure it. By using information obtained from experts, journal articles and technical publications, I was able to identify 90 percent confidence interval for the benefits. I used the value of prevented incidents formula developed by Sonnenreich, et al to quantify risk exposure. The formula I used is: Risk exposure = ALE = SLE * ARO SLE = Single loss event ARO = Annual loss exposure To determine the cost of a SLE, I used industry data provided by the Computer Security Institute and the US Federal Bureau of Investigation. Again, I used low and high estimates when calculating the proposed benefit of prevented incidents.
Value of Prevented Incidents Cost of single security incident (SLE) Dollars Estimated annual rate of occurrence (ARO) Count Total annual loss exposure (ALE) 300 12 3,600 500 30 15,000

page 9

Cost Benefit Analysis

The other major qualitative measure was the savings to employee productivity. To determine the cost of loss
Monthly Productivity Savings Employees Reduced Hours/Month of non-Access Average Wage Total Monthly Productivity Savings Count Hours Dollars 10 5 55 2,750 30 10 55 16,500

productivity, I looked at an average number of incidents per organization based on the findings of CSI and the FBI. I then used the number of employees and the an average wage to determine the savings for reducing the number and length of down-time on a computer network. 5. Enter costs. The costs associated with any given set of security answers are more easily constructed. The areas identified included: Implementation planning, Contract labor, Internal implementation labor, Training costs, Opportunity costs, and Capital costs/equipment. The labor costs are entered for a specific entity. As an example:
Worksheet - Enter Values in Right Column

Internal Labor Cost/Hour IT Staff Cost/Hour Management Cost/Hour Other Staff Cost/Hour Average Wage External Labor Cost/Hour Expected life span Risk Level

Dollars Dollars Dollars Dollars Dollars Years Number

$ $ $ $ $

25.00 65.00 45.00 55.00 90.00 2 5

The items entered into the worksheet are then used to calculate labor and other costs based on the risk level of the business (the last item on the list).

Advanced Analytics: Green Team Methods

page 10

The risk levels each have associated costs and number of hours as they relate to each area identified above. The worksheet is designed to summarize all associated costs and benefits and then list the suggested hardware
Calculate Total Monthly Benefit Monthly Benefit Monthly Cost Total Monthly Benefit $ $ $

Low Est $ 6,545 $

7,750 1,205 3

High Est 26,750 13,581 13,169 3

Payback (Months)

solutions based on the risk level. As an example, the CBA for Level 5, using the data above computes to: The list of suggested hardware for the business includes: Modem Switch Firewall/Anti-spam Backup Document Management Monitoring Dashboard Internet Monitoring Each risk level has its own hardware suggestions and CBA analysis. 6. Analyze data. By adding risk analysis to the CBA, I was able to determine that a business with a low risk for intrusion, such as a mechanic with only one computer and no client personal data, could invest as little as $1,300 to secure its data infrastructure and the an additional $100 a month for on-going maintenance.

page 11

Cost Benefit Analysis

Meanwhile, a business with more risk such as a manufacturer only concerned with protecting intellectual property on its network, can invest from $9,000 in implementation costs and then $2,000 a month in on-going costs to $45,000 for implementation and $6,300 on-going.

Conclusion
The results of the cost-benefit analysis produced results that could be used to inform decisions; however, it did not produce results that are estimative. I needed to include risk analysis in order to obtain enough information to be able to draw conclusions about the optimum level a small business should invest.

Advanced Analytics: Green Team Methods

page 12

Additional Resources
http://www.techrepublic.com/downloads/a-project-managerscostbenefit-analysis/173615 http://www.compliancesforum.com/it-project-cost-benefit-andrisk-analysis-templates http://www.infotech.com/sem/costbenefit-analysistool?_kk=cost%20benefit&_kt=821b259e-18e5-49f19cb9-df22e94becc6&gclid=CM6g8aDda8CFSWFQAodGEgXDQ http://www.oit.umn.edu/project-management/projecttoolkit/index.htm www.pbis.org/common/cms/documents/NewTeam/.../costbene fit.xls www.dot.state.mn.us/transit/grants/.../Cost_Benefit_Wksht_4.x ls www.panopticinfo.com/docs/CostBenefitAnalysis.xls www.projects.ed.ac.uk/.../Full.../ProjectCostBenefitWorkbook. xls www.tc.faa.gov/acf/Cost_Benefit_Template1.xls

page 13

Cost Benefit Analysis

Bibliography
Arora, A., Hall, D., Pinto, C. A., Ramsey, D., & Telang, R. (2004). Measuring the Risk-Based Value of IT Security Solutions. IT Pro, 35-42. Hubbard, D. W. (2010). How to Measure Anything. Hoboken, CA: John Wiley & Sons. Hubbard, D. W. (2010). How to Measure Anything. Hoboken, CA: John Wiley & Sons, Inc. Mishan, E., & Quah, E. (2007). Cost Benefit Analysis. New York, CA: Taylor & Francis e-Library. Robinson, R. (1993). Economic Evaluation and Health Care: Cost-benefit analysis. BMJ, 924-926. Sonnenreich, W., Albanese, J., & Stout, B. (2006). Return on Security Investment (ROSI) - A Practical Quantative Model. Journal of Research and Practice in Information Technology, 55-66.

Advanced Analytics: Green Team Methods

page 14