Cost Benefit Assessment

This course is one of four courses covering Domain 1 of the CSSLP. This course explores the topic of risk management.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • Risk management problem space and management flow

  • Definitions, terminology, and types of risks

  • Control Categories and Functions

  • Cost-Benefit Assessment

  • General Risk Assessment Model

  • Overall Control Objectives

Intended Audience

This course is designed for those looking to take the Certified Secure Software Lifecycle Professional (CSSLP) certification.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Now all of this works towards eventual cost benefit assessment. This is a typical calculation that we do in business for many different cases when it comes to making a determination about a step or product purchase. So we're going to use the annualized loss expectancy value that we have generated against the threats and compare it to the expected cost of the potential loss.

So, as an example, if a server is worth $10,000 and one suggested security safeguard would cost the company 12, for that one server, this of course would be discouraged because it is not cost-effective. Spending more than the asset itself is worth is rarely considered to be a wise move.

Now, there are many variables that will go into this, not just simply the cost. For one thing, we have to consider the tangible and intangible values, such as the value contribution by this particular asset to other processes and products. In such cases, we have to think about the direct secondary impacts that will be produced by taking this server out of operation. And instead of direct replacement cost, we might also consider, if this is your organization's practice, the cost of a computational equivalent for this IT asset and use that instead.

Overall, what we're trying to do is put together a cost justification for taking a proposed course of action. And this calculation is one as I mentioned, that businesses use all the time. And we should use the same decision logic if we want to get one of our mitigation recommendations considered and then implemented. Part of this calculation will be the calculation of the worth or value of a security control, whatever it might be.

First, we start with our effectiveness premise: operationally, that the control actually solves a real problem and produces a material risk reduction, and then, from an economic perspective, that it is cost-effective, as we just discussed. We also have to think about other things which you might consider to be soft.

Organizationally, the control achieves the goal and enables business success without undue or unacceptable impediment, something that very much flies in the face of the common perception that security tends to intervene and impede proper productivity. So we use the formula: we take the ALE pre-implementation and the total loss potential; from that we subtract the ALE post-implementation and residual loss potential, and then add back the annual control TCO. And this gives us the economic value add of the control itself.

Now the EVA, economic value add of the control, is part of what we consider when we compare the cost to protect versus the cost of loss or compromise. This is the basis for the cost benefit analysis for the particular security control when we think about the operational effectiveness and the ultimate financial cost effectiveness, which you'd like to think of as most bang for the buck. But the caution is this is not purely lowest cost. This is one factor in calculating the EVA of the given control.

Now, as I've said before, all of these values must represent lifecycle total cost of ownership because each asset is considered that way on the books. And we should evaluate the security scenario and the controls that we're going to consider on the same basis. Otherwise, we will get a mismatch in value contribution or losses.

Now the cost to protect equates to the cost of the candidate control to be implemented. The cost of loss equates to the value of the asset at risk, if it is lost, or if it's compromised in its operation. Now there are three typical outcomes of this. The first is when the cost to protect is less than the cost of loss or compromise, as you see in the formula there. The result here shows that it is less expensive to use a control than to risk the loss of the asset.

Now, this does not indicate that compliance or similar requirements are considered, but bear in mind that through all of these, those factors have to be considered in all cases. Now, the outcome when the cost to protect is less than the cost of compromise financially validates the decision to actively mitigate the risks to the asset through some means.

The next case is when the cost to protect is greater than the cost of loss or compromise. In this particular case, the result shows that it is more expensive to use the control than to risk the loss of the asset. Once again, we have to consider secondary concerns such as compliance or the value contribution or necessity of the asset in question to any process or product. Assuming that all of those things are considered and we still come up with this particular result, it financially validates the decision to accept the risk for the loss of this asset.

Now, having said that we are accepting the risk here, here's the caution to consider. Accepting risk does not by its terms mean that we are doing nothing; doing nothing is considered by most regulations to be negligent. And that is not what acceptance of the risk means. Now, if we find in our calculations that the cost to protect is approximately equal to the cost of loss or compromise, what this result shows is that it is no more expensive to use a control than to lose the asset, which means we're faced with a decision that will probably be made on the basis of secondary considerations rather than simply considering the cost to protect versus the cost of loss as a simple monolithic number. So this decision to mitigate or accept the risk will be based on criteria other than cost alone.
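The three outcomes described above, as an added worked example that is not part of the original course material. The class and function names, the 10% band used for "approximately equal", and every figure except the $10,000 server value are assumptions made for illustration.

```python
from dataclasses import dataclass

APPROX_BAND = 0.10  # assumption: within 10% counts as "approximately equal"

@dataclass
class Asset:
    replacement_cost: float        # direct or computational-equivalent replacement
    dependent_value: float = 0.0   # value contributed to other processes/products

    def cost_of_loss(self) -> float:
        return self.replacement_cost + self.dependent_value

@dataclass
class Control:
    acquisition: float
    annual_operating: float
    service_years: int
    compliance_required: bool = False  # secondary consideration, not a cost

    def cost_to_protect(self) -> float:
        # Lifecycle total cost of ownership, the same basis as the asset value.
        return self.acquisition + self.annual_operating * self.service_years

def assess(asset: Asset, control: Control, band: float = APPROX_BAND) -> dict:
    """Classify one control into the three outcomes from the lecture."""
    loss, protect = asset.cost_of_loss(), control.cost_to_protect()
    if loss <= 0:
        raise ValueError("asset must have a positive cost of loss")
    ratio = protect / loss
    if abs(ratio - 1.0) <= band:
        outcome = "secondary criteria decide"
    elif ratio < 1.0:
        outcome = "mitigate"
    else:
        outcome = "accept"
    # Cost alone never closes the question when a mandate applies.
    needs_review = control.compliance_required or outcome == "secondary criteria decide"
    return {"cost_to_protect": protect, "cost_of_loss": loss,
            "outcome": outcome, "needs_secondary_review": needs_review}

# Constructed sample figures; only the $10,000 server value comes from the lecture.
SERVER = Asset(replacement_cost=10_000)
SERVER_WITH_DEPENDENTS = Asset(replacement_cost=10_000, dependent_value=20_000)
CHEAP = Control(acquisition=2_000, annual_operating=500, service_years=4)
COSTLY = Control(acquisition=9_000, annual_operating=1_500, service_years=4)
CLOSE = Control(acquisition=5_500, annual_operating=1_000, service_years=4)

if __name__ == "__main__":
    for label, asset, ctl in [("cheap", SERVER, CHEAP), ("costly", SERVER, COSTLY),
                              ("close", SERVER, CLOSE),
                              ("costly+dependents", SERVER_WITH_DEPENDENTS, COSTLY)]:
        print(label, assess(asset, ctl))
```

The same costly control moves from "accept" to "mitigate" once the server's contribution to dependent processes is counted in the cost of loss, which is why the asset value has to include those secondary impacts.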

About the Author

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.