Saturday, August 9, 2008

Net Present Value of Best Practices

Yesterday I was reading a book review of "The New School of Information Security" by Adam Shostack and Andrew Stewart. The review was written by Richard Bejtlich. There is a great quote in his review: "...if you think anti-virus and a firewall are required simply because they are "best practices," you need to read The New School of Information Security (TNSOIS)."

This led me to question what a "best practice" actually is. It seems to me that a best practice is something you do because it is so painfully obvious that everyone else is doing it. The argument made in TNSOIS, as I understand it, is that you can put a financial value on having anti-virus and a firewall in place.

I've already documented my opinions on the value of anti-virus software; to sum up, I believe it is poor. However, I've never tried to run the numbers, because I've only recently become aware of concepts like Net Present Value (NPV). I do believe in keeping my systems patched, though. So I thought to myself: if keeping your systems patched is a best practice, meaning that it is obvious to anyone that it should be done, then I bet it has a high NPV. After all, if it had a negative NPV nobody would do it, and as the NPV approaches zero it becomes less and less attractive to put money into that project. If everyone is doing it, then the NPV must be really high. I would bet that the same could be said for running a firewall. So I started to think about how to put a value on my firewall.

First I had to think about what exactly my firewall does for me. In a nutshell, it prevents computers on the Internet from connecting to computers on my internal network, except for those connections that I allow. The benefit is that it prevents a large amount of malware from infecting my computers. So one way to measure the value of a firewall is to look at how long it takes a computer to become infected with malware when there is no firewall in place. The thing is, patching also does some of this for me.

The SANS Institute recently came out with a statistic that an unpatched Windows machine will be infected with malware 5 to 20 minutes after it is attached to the Internet. However, I wasn't entirely pleased with their methodology. They took the position that if a computer is scanned by some worm that is trying to propagate, then it would be immediately infected, so they used the average amount of time between scans of a computer on the Internet. That seems alright, but I prefer the methodology used by the Honeynet Project. They actually placed simulated unpatched machines on the Internet and timed how long each machine stayed up before it downloaded a binary. They found that it is about 16 hours. I'm going to use that number, and say that if I don't have a firewall in place and I don't patch my machines, I can expect that each computer is going to have to be reimaged every day.

Now that I know how often I'm going to have to reimage a computer, I need to know how much it costs to reimage a computer. I am going to estimate that it takes two hours of a technician's time to boot from the network and apply our image. During that time the employee who uses the machine is going to be unproductive, so the organization is out 4 hours of production in total. I'm also going to estimate that the total hourly expense of these employees is $50/hour (wages, vacation time, sick time, retirement contributions, social security contributions, staff to support them, etc.). So that means it costs $200 to reimage a computer, and I'm going to reimage each computer every day.

So what is that worth to an organization that has 200 computers and considers a computer to have a five-year useful life? About 66 million dollars! Damn! So the Net Present Value is going to be the Present Value (66 million) minus the initial investment. Do you believe that you can put in a firewall and patch your systems for less than 66 million dollars? I think that even if you bought an awesome firewall like the Sidewinder, spent thousands of dollars putting in more bandwidth so all your computers could run Windows Update regularly, and put in a Systems Management Server to help keep everything else patched, you would still spend less than the $863,724 by which the Present Value exceeds 66 million. So your Net Present Value is about $66 million.

I suggested that if something really is a "best practice" then it will have a very high NPV, and I think this example goes to prove that. The Present Value that I've calculated shows that a company should be willing to spend up to $66 million to avoid having to reimage its computers that often. Notice that I bolded the words "up to." I'm not saying that a company should spend that much money if it is able to put a firewall in place and keep its systems patched for less than that. You would hopefully present management with several options for patching and firewall purchases, work out the NPV of each option, and management would select the one with the highest NPV.

This example that I gave is simple, but it is not perfect. For one thing, it doesn't take into consideration that even with a firewall in place and a good patching program some computers are still going to be infected because they slipped through the cracks. You might want to calculate the yearly savings from having a firewall and patching and reduce it by 10% to account for the residual risk. The other thing that I've found is that it is really difficult to separate the two. For example, I know that just having a firewall is not going to be as effective as having well-patched machines and a firewall, but I don't know how much less effective. Having only a firewall would tremendously drop the number of remote exploits that get run against your machines, but it won't help you against web sites that your users visit that have exploit code running on them. Patching would help with the latter.

One methodology that comes to mind is to repeat the experiment done by the Honeynet Project from inside your firewall. If you were to put several unpatched machines inside your network, how long would it take for them to download a binary? It would be more helpful if you used computers that are in use by employees, so that you capture the effect of them visiting web pages and engaging in unsafe behavior, as users are known to do. Let's say that the average time until infection jumps from 16 hours to 40 hours. Calculate the new present value, and the difference will give you some idea of what your firewall is worth. Is this perfect? No, but I think that it is better than saying "we need to have a firewall in place because it is a best practice."
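The arithmetic behind the $66 million figure, the 10% residual-risk haircut, and the proposed 16-hour versus 40-hour comparison, carried through as an added Python example. This is not code from the original post. The post never states a discount rate; the 3% annual rate applied to end-of-year cash flows used here is an assumption, chosen because it reproduces the post's present value of $66,863,724 exactly. The rounding convention in reimages_per_year (one reimage per whole day of survival, so 40 hours becomes every second day) and the $150,000 control budget are also constructed for the illustration.

```python
import math

# Inputs taken from the post.
COMPUTERS = 200
COST_PER_REIMAGE = 200.0        # 2 technician hours + 2 lost user hours at $50/hour
USEFUL_LIFE_YEARS = 5
HOURS_TO_INFECTION = 16.0       # Honeynet Project figure quoted in the post

# ASSUMPTION: the post does not give a discount rate. 3%/year on annual cash
# flows reproduces the post's $66,863,724 present value, so that is used here.
DISCOUNT_RATE = 0.03


def reimages_per_year(hours_to_infection: float) -> float:
    """Convert a mean time-to-infection into reimages per machine per year.

    The post rounds the 16-hour figure to "reimage every day". That convention
    is generalised here (an assumption, not the post's method): a machine is
    reimaged once per whole day it survives, so 40 hours -> every second day.
    """
    interval_days = max(1, math.ceil(hours_to_infection / 24))
    return 365.0 / interval_days


def annual_reimage_cost(hours_to_infection: float, computers: int = COMPUTERS,
                        cost_per_reimage: float = COST_PER_REIMAGE) -> float:
    """Yearly cost of reimaging the fleet at the given infection rate."""
    return computers * cost_per_reimage * reimages_per_year(hours_to_infection)


def present_value(annual_cost: float, years: int = USEFUL_LIFE_YEARS,
                  rate: float = DISCOUNT_RATE) -> float:
    """Discount a level annual cash flow over `years` years (end-of-year convention)."""
    return sum(annual_cost / (1.0 + rate) ** t for t in range(1, years + 1))


def npv(avoided_cost_pv: float, initial_investment: float) -> float:
    """NPV of a control: present value of the cost it avoids minus what it costs to put in."""
    return avoided_cost_pv - initial_investment


def residual_risk_adjusted(pv: float, residual_fraction: float = 0.10) -> float:
    """The post's suggestion: cut the savings by ~10% for machines that still get infected."""
    return pv * (1.0 - residual_fraction)


def firewall_value(hours_without: float, hours_with: float) -> float:
    """The post's proposed experiment: PV(no firewall) - PV(firewall only).

    The difference is the present value of the reimaging the firewall alone
    avoids, i.e. an estimate of what the firewall is worth on its own.
    """
    pv_without = present_value(annual_reimage_cost(hours_without))
    pv_with = present_value(annual_reimage_cost(hours_with))
    return pv_without - pv_with


if __name__ == "__main__":
    pv = present_value(annual_reimage_cost(HOURS_TO_INFECTION))
    print(f"PV of daily reimaging, 200 machines, 5 years: ${pv:,.0f}")
    investment = 150_000.0  # constructed control budget (firewall, bandwidth, patch server)
    print(f"NPV of firewall + patching at a ${investment:,.0f} investment: ${npv(pv, investment):,.0f}")
    print(f"Same savings with a 10% residual-risk haircut: ${residual_risk_adjusted(pv):,.0f}")
    print(f"Firewall alone, if infection time goes 16h -> 40h: ${firewall_value(16, 40):,.0f}")
```

Because the "up to" figure is a present value of avoided cost, the decision rule from the post falls out directly: any option whose deployment cost is below that present value has a positive NPV, and among several options the one with the highest npv() is the one to fund.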


Adam said...

Nice analysis! (I'd argue that if you're actually spending $200 to image for 2 years, you should refine that process, but that's a side point.)

I'm glad to see you using NPV as well--we talk a bit about why NPV is better than ROI, and harder to use than TCO.

Anyway, nice analysis, and I think you'd enjoy the book.


Black Fist said...

Well I guess if the author of the book is willing to come to my site and recommend the book to me then I had better go out and buy it.

I'm glad you liked the analysis. I've placed my order from Amazon for TNSOIS and I'll put up a proper book review once I've finished reading it.