The Business Case for Managed File Transfer – Part II


In The Business Case for Managed File Transfer – Part I, a back-of-the-envelope calculation based on the findings from Aberdeen’s research showed the following advantage for companies that use managed file transfer (MFT) solutions, compared to companies that don’t:

| Performance Metrics (average over the last 12 months) | MFT Users | MFT Non-Users | MFT Advantage |
|---|---|---|---|
| Errors / exceptions / problems, as a percentage of the total annual volume of transfers | 3.3% | 4.5% | 26% |
| Time to correct an identified error / exception / problem | 81 minutes | 387 minutes | 4.8-times |
| Annual cost of lost productivity for senders, receivers, and responders affected by errors / exceptions / problems | $3,750 | $23,975 | 6.4-times |

It’s very tempting to simply stop the analysis here – how much more compelling a business case in favor of MFT does there need to be?

But think about this: when we work with averages in this way, there is by definition a 50% likelihood that the actual values will be higher than those that we used in our calculations, and a 50% likelihood that they will be lower. Said another way, there’s virtually no chance that our calculations will end up being precisely right.

When you really think about it, our previous analysis tells us almost nothing about the reduction in file transfer risks from using an MFT solution – remember that risk is defined as the likelihood of the issues, as well as the magnitude of the resulting business impact. If we aren’t talking about probabilities and magnitudes, we aren’t talking about risks! It should make us consider how useful to the decision-maker our previous analysis really is.

The solution to this problem is to apply a proven, widely-used approach to risk modeling called Monte Carlo simulation. In a nutshell, we can carry out the computations for many (say, a thousand, or ten thousand) scenarios, each of which uses a random value from our range of informed estimates, as opposed to using single, static values. The results of these computations are likewise not a single, static number; the output is also a range and distribution, from which we can readily describe both probabilities and magnitudes – that is, risk – exactly what we are looking for!

Applying this approach to the assumptions used in Part I – feel free to go back and refresh your memory – results in the following:

| INPUTS | Lower Bound | Upper Bound | Mean | Units | Distribution |
|---|---|---|---|---|---|
| Annual volume of file transfers | 1,000 | 1,000 | 1,000 | transfers | n/a |
| **Number of errors, exceptions, or problems as a % of annual volume** | | | | | |
| MFT non-users | 1.0% | 8.0% | 4.5% | issues / 1,000 transfers / year | normal |
| MFT users | 0.0% | 8.0% | 4.0% | issues / 1,000 transfers / year | triangular |
| **Time to respond, remediate, and recover** | | | | | |
| MFT non-users | 0.083 | 13.0 | 6.54 | hours | normal |
| MFT users | 0.083 | 3.0 | 1.54 | hours | uniform |
| Number of working hours per employee per year | 2,080 | 2,080 | 2,080 | hours / employee / year | n/a |
| **Cost of lost productivity for users** | | | | | |
| Number of users affected by issues | 2 | 2 | 2 | employees | n/a |
| Fully-loaded cost per user per year | $50,000 | $250,000 | $150,000 | $ / employee / year | triangular |
| % of user productivity lost during time to respond, remediate, recover | 10% | 60% | 35% | % of downtime | normal |
| **Cost of responders** | | | | | |
| Fully-loaded cost per responder per year | $50,000 | $150,000 | $100,000 | $ / employee / year | normal |
| % of responder productivity lost during time to respond, remediate, recover | 100% | 100% | 100% | % of downtime | n/a |

Using a Monte Carlo model to carry out exactly the same calculations as before – only this time over 10,000 independent iterations – yields the following comparison of MFT users and MFT non-users:

[Chart: Monte Carlo comparison of the annual cost for MFT users and MFT non-users]

It can be a little tricky at first to read this chart, so I have tried to summarize some of the information it provides in the following table:

| For every 1,000 annual file transfers, there is a(n) | MFT Non-Users | MFT Users | MFT Advantage |
|---|---|---|---|
| 80% probability of the annual cost being greater than | $7,000 | $600 | 91% |
| 50% probability of the annual cost being greater than | $20,500 | $2,250 | 89% |
| 20% probability of the annual cost being greater than | $41,500 | $6,000 | 86% |

Note that at the 50% likelihood level, these values are similar to (but lower than) those from our previous, back-of-the-envelope approach – this is because the Monte Carlo model uses a more accurate, non-symmetrical distribution (i.e., a triangular distribution) for the fully-loaded cost of senders and receivers. This reflects the reality that the majority of enterprise end-users are at the lower end of the pay scale, while still accommodating the fact that incidents will sometimes happen to the most highly-paid individuals. This is yet another reason why we should think more carefully about using simple means (averages) in our analysis!

Taken as-is, we can use this information to advise our business decision-makers using risk-based statements such as the following:

  • For every 1,000 file transfers, we estimate with 80% certainty that the annual business impact will fall between $2,000 and $56,000 for MFT non-users … and that it will fall between $500 and $8,500 for MFT users
  • For MFT non-users, we estimate an 80% likelihood that the annual business impact will be less than $41,500 … but for MFT users, there’s an 80% likelihood that it will be less than $6,000
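The Monte Carlo approach described above, as an added Python sketch (not the author's model or Aberdeen's): it draws each input from the distribution named in the inputs table and reports the cost exceeded with 80%, 50% and 20% probability. Assumptions not on the page: normal inputs treat the bounds as a 90% interval and are clipped to them, one responder handles each issue, and the skewed user-cost triangle peaks at $75,000, so the figures will not match the table above exactly.

```python
import random
import statistics

HOURS_PER_YEAR = 2080      # working hours per employee per year (inputs table)
TRANSFERS = 1000           # annual volume of file transfers (inputs table)
USERS_AFFECTED = 2         # users affected per issue (inputs table)
RESPONDERS = 1             # ASSUMPTION: one responder per issue
USER_COST_MODE = 75_000    # ASSUMPTION: peak of the skewed user-cost triangle


def bounded_normal(rng, lo, hi):
    """ASSUMPTION: bounds are a 90% interval around the midpoint; draws are clipped."""
    sigma = (hi - lo) / (2 * 1.645)
    return min(hi, max(lo, rng.gauss((lo + hi) / 2, sigma)))


def annual_cost(rng, mft_user):
    """One scenario: annual cost of file-transfer issues per 1,000 transfers."""
    if mft_user:
        rate = rng.triangular(0.0, 0.08, 0.04)     # triangular, 0%-8%, peak 4%
        hours = rng.uniform(0.083, 3.0)            # uniform, hours to recover
    else:
        rate = bounded_normal(rng, 0.01, 0.08)     # normal, 1%-8%
        hours = bounded_normal(rng, 0.083, 13.0)   # normal, hours to recover
    user_rate = rng.triangular(50_000, 250_000, USER_COST_MODE) / HOURS_PER_YEAR
    lost = bounded_normal(rng, 0.10, 0.60)         # share of user productivity lost
    resp_rate = bounded_normal(rng, 50_000, 150_000) / HOURS_PER_YEAR
    # Responders lose 100% of their productivity while handling the issue.
    per_hour = USERS_AFFECTED * user_rate * lost + RESPONDERS * resp_rate * 1.0
    return TRANSFERS * rate * hours * per_hour


def simulate(mft_user, iterations=10_000, seed=1):
    """Return the annual cost exceeded with 80%, 50% and 20% probability."""
    rng = random.Random(seed)
    costs = [annual_cost(rng, mft_user) for _ in range(iterations)]
    deciles = statistics.quantiles(costs, n=10)    # 9 cut points: 10% .. 90%
    return {"80%": deciles[1], "50%": deciles[4], "20%": deciles[7]}


def compare(iterations=10_000, seed=1):
    """Per level: (non-user cost, MFT-user cost, relative MFT advantage)."""
    non, mft = simulate(False, iterations, seed), simulate(True, iterations, seed)
    return {k: (non[k], mft[k], 1 - mft[k] / non[k]) for k in non}


if __name__ == "__main__":
    for level, (non, mft, adv) in compare().items():
        print(f"{level} chance cost exceeds: non-users ${non:,.0f}, "
              f"MFT users ${mft:,.0f}, advantage {adv:.0%}")
```

Changing `TRANSFERS` scales the result to a different annual volume, and the three labelled assumptions are the parameters to revisit first when fitting the model to your own environment.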

Remember that my comments from the previous blog still apply: this analysis incorporates some, but not all, of the associated costs – so the actual risk is understated. But if this wasn’t already a sufficient business case for an MFT solution, we could easily go ahead and estimate additional costs related to errors, exceptions, and problems with file transfers, such as loss of current / future revenue, loss or exposure of sensitive data, and repercussions of non-compliance. I haven’t attempted to model these costs here, but it seems clear enough that if we did then the gap between MFT users and MFT non-users would grow even wider.

Remember also, these calculations were done on a volume of 1,000 file transfers per year – you can easily scale these up to reflect your own environment. It’s pretty easy to see that it doesn’t take very much volume to justify the cost of implementing and supporting an MFT solution. (In fact you might even save in operational costs, from the benefits of having a more uniform and efficient file transfer “platform”.)

The essential point is that we can use these proven, widely used tools to help to make better-informed decisions about file transfers that are based on our organization’s appetite for risk. As security professionals, this means that we will have done our job – and in a way that’s actually useful to the business decision-maker.

You also may be interested in the Aberdeen White Paper with this underlying research “From Chaos to Control: Creating a Mature File Transfer Process,” as well as these audio highlights from a recent webinar on this same topic of quantifying the benefits of Managed File Transfer.


  • Derek Brink

    Derek Brink helps organizations to improve their security and compliance initiatives by researching, writing about and speaking about the people, processes and technologies that correspond most strongly with leading performance. In addition, he helps individuals to improve their critical thinking, leadership skills and communication skills by teaching graduate courses in information security at Brandeis University.

    Derek Brink joined Aberdeen in 2007 with more than 20 years of experience in high-tech strategy development and execution, corporate / business development, product management and product marketing, including positions at RSA Security, IBM, Sun Microsystems, and Hewlett-Packard. Derek earned an MBA with honors from the Harvard Business School and a BS in Applied Mathematics with highest honors from the Rochester Institute of Technology.