When should you perform a cost-benefit analysis?


A cost-benefit analysis is important for every project no matter how small.

One tool often invoked to help keep organizations from making poor choices is the cost-benefit analysis, also known as a risk analysis. The idea is simple: instead of focusing mostly (or even sometimes exclusively) on the benefits of a proposed change, as we often do, a cost-benefit analysis forces managers and decision-makers to acknowledge the potential downsides as well. It's intended to help an organization identify risks. There’s little doubt that changes proposed by your staff or other stakeholders are intended to help in some way, but it’s always best to have a holistic view of your IT that acknowledges both the benefits and risks of adopting new technologies or ways of doing things.

It’s not uncommon for TRINUS to receive a request to set up outside access to some internal resource. Plenty of software uses web-based interfaces, which makes configuring external access a relatively simple affair.

Whether or not you should, however, is another question. Software not specifically designed to operate on the internet is designed to operate on a local network, so it’s important to remember that the efficacy of your network defenses will depend on whether an application is accessed through the internet or installed on a machine, and on whether web-based services have been properly configured or customized to be used locally and offline.

The two essential questions any cost-benefit analysis should answer.

  1. What is the worst-case scenario if this resource is compromised?
  2. Are there any defenses enabled to prevent one?

That first question is most important to get right since it depends on your exact objective and situation. For example, let’s suppose you were interested in providing remote access to a sprinkler system. At first glance it might seem that the worst-case scenario would be if hackers start spraying pedestrians and passers-by, or start watering your lawn on a rainy day, which are both risks most of us are likely willing to put up with for the convenience of automating lawn maintenance. That is, unless the sprinkler system in question is meant for internal or fire-suppression use, in which case the stakes are suddenly much higher, and the worst-case scenarios multiply in both number and cost. Hackers turning on an internal sprinkler system would likely result in sizeable property and equipment damage, but should hackers instead deactivate your sprinklers entirely, the risks rise even more, up to and including the possible loss of life if a fire breaks out and isn’t suppressed.

Of course, potential problems, risks, and related costs change depending on the organization and the service it provides. If the indie video game studio down the street leaves a hole in their defenses after changing out but not properly configuring new hardware, they might wind up with development and employee data locked up behind ransomware. Such a breach might even cause them to shut down entirely, costing people their jobs in the process and just generally being a terrible situation.

That is, until you consider the worst-case scenario for a water treatment plant being compromised, in which case an attacker tampering with chemical levels could lead to people getting sick or dying, not to mention the sizeable lawsuits likely to follow.

Risks are an unavoidable part of doing business, but mitigating risk exposure with the judicious use of a cost-benefit analysis should be considered equally unavoidable, regardless of how small, simple, or seemingly beneficial a proposed change may be. There could be an alternative without the same risk profile, or maybe there’s not and the risks are just too great. Or maybe the upsides aren’t as plentiful and beneficial as expected. Regardless, there should always be enough time to stop and think about what the real potential impact of a change could be.

If you’d like help with your own cost-benefit analysis for a proposed upcoming project, or just to learn more about this useful business security tool, contact a TRINUS IT professional and we’ll be happy to help out with some stress-free IT.

This Shakespeare quote comes from The Tempest: “Ay, that I will; and I’ll be wise hereafter and seek for grace.”

 

Be kind to each other, courtesy your friendly neighbourhood cyber-man.

 

 
