SQUARE Project: Cost/Benefit Analysis Framework for Information ...
SQUARE Project: Cost/Benefit Analysis Framework for Information ...
SQUARE Project: Cost/Benefit Analysis Framework for Information ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
When security solutions are highly effective (i.e., Bypass Rate is small), the gap between the<br />
two Total System Values will be small; otherwise the gap will be large. The gap between the<br />
two Total System Values represents the costs of the Residual Risks that the project’s available<br />
security solutions cannot mitigate. In order to reduce the Residual <strong>Cost</strong>s, the Acme Company<br />
needs to consider implementing medium- and low-priority recommendations.<br />
Values vs. Risk Exposures<br />
$40,000<br />
$20,000<br />
A1<br />
PS<br />
CS<br />
$0<br />
0.00% 20.00% 40.00% 60.00% 80.00% 100.00% 120.00%<br />
($20,000)<br />
PS<br />
A1<br />
"Total System Value"<br />
($40,000)<br />
($60,000)<br />
($80,000)<br />
($100,000)<br />
($120,000)<br />
($140,000)<br />
($160,000)<br />
A2<br />
CS<br />
Legend<br />
"Net Present Value of<br />
<strong>Project</strong>"<br />
Total System Value w/o<br />
Residual <strong>Cost</strong>s<br />
Proposed System<br />
Alternative 1<br />
Alternative 2<br />
Current System<br />
($180,000)<br />
Risk Exposures<br />
Figure 5: Values vs. Risk Exposures<br />
22 CMU/SEI-2004-TN-045