Cost of Implementation (Including Control Cost) for Risk Mitigation Plan

When highlighting cost, you may need to create a cost-benefit analysis (CBA). A CBA will help justify the cost of a control, especially when the control requires a considerable amount of funding. A considerable amount is subjective. $50,000 in one organization may be considerable, but not in another. However, the other part of justification is to show a reduction in loss due to a vulnerability being exploited. The cost of the control should not outweigh the amount of loss recovered (in dollars).

Additional Information.

There is no limit on the budget for recommended controls. However, your recommendations need to be realistic in regards to the size of the organization, their annual revenue, and the needs of the organization.

As an example, there are 50 production servers on-site between both locations. If we take an average cost of a server, around $15,000, multiplied by 50 equals $750,000 of capital wrapped up in just servers. For sake of the example, lets say the Klamath Falls location has no backup power solution. Many options exist to keep servers running when primary power services fall offline. Diesel / propane generators, battery backups, and Tesla Powerpacks are all examples of backup solutions. However, what is realistic for this small company?

A mix of controls is very typical and most realistic. In this example, you might develop a battery backup solution to keep all 50 servers running for five to 10 minutes, giving plenty of time for generators to startup and being producing electrical power. In your recommendations, you need to show loss due to downtime, cost of battery backups, cost a diesel generators, and any ongoing costs required to maintain the infrastructure. Again, this is just an example, but it should provide you a good idea of the amount of work needed to recommend mitigations, or controls.