Derek Brink

Derek Brink helps organizations to improve their security and compliance initiatives by researching, writing about and speaking about the people, processes and technologies that correspond most strongly with leading performance. In addition, he helps individuals to improve their critical thinking, leadership skills and communication skills by teaching graduate courses in information security at Brandeis University. Derek Brink joined Aberdeen in 2007 with more than 20 years of experience in high-tech strategy development and execution, corporate / business development, product management and product marketing, including positions at RSA Security, IBM, Sun Microsystems, and Hewlett-Packard. Derek earned an MBA with honors from the Harvard Business School and a BS in Applied Mathematics with highest honors from the Rochester Institute of Technology.

In The Business Case for Managed File Transfer – Part I, a back-of-the-envelope calculation based on the findings from Aberdeen’s research showed the following advantage for companies that use managed file transfer (MFT) solutions, compared to companies that don’t:

| Performance Metrics (average over the last 12 months) | MFT Users | MFT Non-Users | MFT Advantage |
|---|---|---|---|
| Errors / exceptions / problems, as a percentage of the total annual volume of transfers | 3.3% | 4.5% | 26% |
| Time to correct an identified error / exception / problem | 81 minutes | 387 minutes | 4.8-times |
| Annual cost of lost productivity for senders, receivers, and responders affected by errors / exceptions / problems | $3,750 | $23,975 | 6.4-times |

It’s very tempting to simply stop the analysis here – how much more compelling a business case in favor of MFT does there need to be?

But think about this: when we work with averages in this way, there is by definition a 50% likelihood that the actual values will be higher than those that we used in our calculations, and a 50% likelihood that they will be lower. Said another way, there’s virtually no chance that our calculations will end up being precisely right.

When you really think about it, our previous analysis tells us almost nothing about the reduction in file transfer risks from using a MFT solution – remember that risk is defined as the likelihood of the issues, as well as the magnitude of the resulting business impact. If we aren’t talking about probabilities and magnitudes, we aren’t talking about risks! It should make us consider how useful to the decision-maker our previous analysis really is.

The solution to this problem is to apply a proven, widely-used approach to risk modeling called Monte Carlo simulation. In a nutshell, we can carry out the computations for many (say, a thousand, or ten thousand) scenarios, each of which uses a random value from our range of informed estimates, as opposed to using single, static values. The results of these computations are likewise not a single, static number; the output is also a range and distribution, from which we can readily describe both probabilities and magnitudes – that is, risk – exactly what we are looking for!

Applying this approach to the assumptions used in Part I – feel free to go back and refresh your memory – results in the following:

| INPUTS | Lower Bound | Upper Bound | Mean | Units | Distribution |
|---|---|---|---|---|---|
| Annual volume of file transfers | 1,000 | 1,000 | 1,000 | transfers | n/a |
| Number of errors, exceptions, or problems as a % of annual volume: MFT non-users | 1.0% | 8.0% | 4.5% | issues / 1,000 transfers / year | normal |
| Number of errors, exceptions, or problems as a % of annual volume: MFT users | 0.0% | 8.0% | 4.0% | issues / 1,000 transfers / year | triangular |
| Time to respond, remediate, and recover: MFT non-users | 0.083 | 13.0 | 6.54 | hours | normal |
| Time to respond, remediate, and recover: MFT users | 0.083 | 3.0 | 1.54 | hours | uniform |
| Number of working hours per employee per year | 2,080 | 2,080 | 2,080 | hours / employee / year | n/a |
| Cost of lost productivity for users: Number of users affected by issues | 2 | 2 | 2 | employees | n/a |
| Cost of lost productivity for users: Fully-loaded cost per user per year | $50,000 | $250,000 | $150,000 | $ / employee / year | triangular |
| Cost of lost productivity for users: % of user productivity lost during time to respond, remediate, recover | 10% | 60% | 35% | % of downtime | normal |
| Cost of responders: Fully-loaded cost per responder per year | $50,000 | $150,000 | $100,000 | $ / employee / year | normal |
| Cost of responders: % of responder productivity lost during time to respond, remediate, recover | 100% | 100% | 100% | % of downtime | n/a |

Using a Monte Carlo model to carry out exactly the same calculations as before – only this time over 10,000 independent iterations – yields the following comparison of MFT users and MFT non-users:

[Chart: distribution of annual cost over 10,000 iterations, companies using MFT vs. MFT non-users]

It can be a little tricky at first to read this chart, so I have tried to summarize some of the information it provides in the following table:

| For every 1,000 annual file transfers, there is a(n) | MFT Non-Users | MFT Users | MFT Advantage |
|---|---|---|---|
| 80% probability of the annual cost being greater than | $7,000 | $600 | 91% |
| 50% probability of the annual cost being greater than | $20,500 | $2,250 | 89% |
| 20% probability of the annual cost being greater than | $41,500 | $6,000 | 86% |
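The simulation described above, written out as an added example (not the model behind the chart or the table, which the post does not publish). It takes the inputs table as given and makes a few assumptions to turn the columns into samplers: a "normal" row is sampled as a normal whose lower and upper bounds sit at the mean plus or minus three standard deviations, resampled when a draw falls outside the bounds; a "triangular" row uses the mode implied by the table's mean (mode = 3·mean − lower − upper); a "uniform" row ignores the mean. Cost per iteration follows the Part I formula: issues × hours per issue × (two affected users at their hourly rate and productivity loss, plus one responder at 100%). Because the parameterization is assumed, the percentiles it prints will not match the post's table exactly; what it shows is how exceedance probabilities are read off the sorted results.

```python
"""Monte Carlo model of annual file-transfer incident cost (added example, not the post's own model)."""
import random
from dataclasses import dataclass

HOURS_PER_YEAR = 2080   # working hours per employee per year (inputs table)
VOLUME = 1000           # annual transfers modelled (inputs table)
AFFECTED_USERS = 2      # sender and receiver (inputs table)
RESPONDER_LOST = 1.0    # responders lose 100% of productivity (inputs table)


def truncated_normal(rng, low, high, mean):
    """Assumption: bounds are mean +/- 3 sigma; draws outside the bounds are rejected."""
    sigma = (high - low) / 6.0
    while True:
        x = rng.gauss(mean, sigma)
        if low <= x <= high:
            return x


def triangular(rng, low, high, mean):
    """Assumption: the table's 'Mean' fixes the mode via mean = (low + high + mode) / 3."""
    mode = 3 * mean - low - high
    return rng.triangular(low, high, mode)


def uniform(rng, low, high, mean):
    """Uniform between the bounds; the mean column is implied and unused."""
    return rng.uniform(low, high)


SAMPLERS = {"normal": truncated_normal, "triangular": triangular, "uniform": uniform}


@dataclass
class Profile:
    """Each field is (distribution, lower, upper, mean) from the inputs table."""
    issue_rate: tuple       # fraction of transfers with an error / exception / problem
    hours_to_fix: tuple     # hours to respond, remediate, and recover per issue
    user_cost: tuple        # fully-loaded $ / user / year
    user_lost: tuple        # fraction of user productivity lost while the issue is open
    responder_cost: tuple   # fully-loaded $ / responder / year


# Values transcribed from the inputs table above.
NON_USERS = Profile(
    issue_rate=("normal", 0.01, 0.08, 0.045),
    hours_to_fix=("normal", 0.083, 13.0, 6.54),
    user_cost=("triangular", 50_000, 250_000, 150_000),
    user_lost=("normal", 0.10, 0.60, 0.35),
    responder_cost=("normal", 50_000, 150_000, 100_000),
)
USERS = Profile(
    issue_rate=("triangular", 0.0, 0.08, 0.04),
    hours_to_fix=("uniform", 0.083, 3.0, 1.54),
    user_cost=NON_USERS.user_cost,
    user_lost=NON_USERS.user_lost,
    responder_cost=NON_USERS.responder_cost,
)


def draw(rng, spec):
    dist, low, high, mean = spec
    if low == high:          # fixed input (the "n/a" rows)
        return low
    return SAMPLERS[dist](rng, low, high, mean)


def annual_cost(rng, p):
    """One scenario: every uncertain input is drawn once, then the Part I arithmetic is applied."""
    issues = VOLUME * draw(rng, p.issue_rate)
    hours_lost = issues * draw(rng, p.hours_to_fix)
    user_hourly = draw(rng, p.user_cost) / HOURS_PER_YEAR
    responder_hourly = draw(rng, p.responder_cost) / HOURS_PER_YEAR
    cost_per_hour = (AFFECTED_USERS * user_hourly * draw(rng, p.user_lost)
                     + responder_hourly * RESPONDER_LOST)
    return hours_lost * cost_per_hour


def simulate(p, iterations=10_000, seed=1):
    """Sorted annual-cost outcomes; the seed makes the run reproducible."""
    rng = random.Random(seed)
    return sorted(annual_cost(rng, p) for _ in range(iterations))


def exceedance(costs, prob):
    """Cost exceeded with probability `prob`, e.g. prob=0.8 is the 20th percentile of sorted costs."""
    idx = int(round((1 - prob) * (len(costs) - 1)))
    return costs[idx]


def report(iterations=10_000, seed=1):
    """{'non_users': {0.8: $, 0.5: $, 0.2: $}, 'users': {...}} mirroring the post's summary table."""
    return {name: {prob: exceedance(simulate(p, iterations, seed), prob) for prob in (0.8, 0.5, 0.2)}
            for name, p in (("non_users", NON_USERS), ("users", USERS))}


if __name__ == "__main__":
    r = report()
    for prob in (0.8, 0.5, 0.2):
        nu, u = r["non_users"][prob], r["users"][prob]
        print(f"{prob:.0%} probability of annual cost > ${nu:,.0f} (non-users) / ${u:,.0f} (users); "
              f"advantage {1 - u / nu:.0%}")
```

The "MFT Advantage" column is computed the same way the post's table implies, as the relative reduction at each probability level; reading the 80% line as "we are 80% confident the cost exceeds this" is what turns the chart into the risk statements that follow.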

Note that at the 50% likelihood level, these values are similar to (but lower than) those from our previous, back-of-the-envelope approach – this is because the Monte Carlo model uses a more accurate, non-symmetrical distribution (i.e., a triangular distribution) for the fully-loaded cost of senders and receivers. This reflects the reality that the majority of enterprise end-users are at the lower end of the pay scale, while still accommodating the fact that incidents will sometimes happen to the most highly-paid individuals. This is yet another reason why we should think more carefully about using simple means (averages) in our analysis!

Taken as-is, we can use this information to advise our business decision-makers using risk-based statements such as the following:

  • For every 1,000 file transfers, we estimate with 80% certainty that the annual business impact will fall between $2,000 and $56,000 for MFT non-users … and that it will fall between $500 and $8,500 for MFT users
  • For MFT non-users, we estimate an 80% likelihood that the annual business impact will be less than $41,500 … but for MFT users, there’s an 80% likelihood that it will be less than $6,000

Remember that my comments from the previous blog still apply: this analysis incorporates some, but not all, of the associated costs – so the actual risk is understated. But if this wasn’t already a sufficient business case for a MFT solution, we could easily go ahead and estimate additional costs related to errors, exceptions, and problems with file transfers, such as loss of current / future revenue, loss or exposure of sensitive data, and repercussions of non-compliance. I haven’t attempted to model these costs here, but it seems clear enough that if we did then the gap between MFT users and MFT non-users would grow even wider.

Remember also, these calculations were done on a volume of 1,000 file transfers per year – you can easily scale these up to reflect your own environment. It’s pretty easy to see that it doesn’t take very much volume to justify the cost of implementing and supporting an MFT solution. (In fact you might even save in operational costs, from the benefits of having a more uniform and efficient file transfer “platform”.)

The essential point is that we can use these proven, widely used tools to help to make better-informed decisions about file transfers that are based on our organization’s appetite for risk. As security professionals, this means that we will have done our job – and in a way that’s actually useful to the business decision-maker.

You also may be interested in the Aberdeen White Paper with this underlying research “From Chaos to Control: Creating a Mature File Transfer Process,” as well as these audio highlights from a recent webinar on this same topic of quantifying the benefits of Managed File Transfer.

In a webinar I participated in recently with Ipswitch File Transfer I shared the following from an analysis and comparison of companies that use managed file transfer (MFT) solutions, and companies that don’t:

| Performance Metrics (last 12 month avg.) | MFT Users | MFT Non-Users | MFT Advantage |
|---|---|---|---|
| Errors / exceptions / problems, as a percentage of the total annual volume of transfers | 3.3% | 4.5% | 26% |
| Time to correct an identified error / exception / problem | 81 minutes | 387 minutes | 4.8-times |

The comparison is easy enough to understand: MFT users experienced 26% fewer errors, exceptions, and problems as a percentage of the total annual volume of transfers, and they were 4.8-times faster to get going again when an error, exception, or problem did occur.

This is nice information to have for marketing purposes, but what does it really mean for the business?

A couple of quick, back-of-the-envelope calculations based on these findings shed some interesting light on this question:

  • Let’s base our analysis on an annual volume of 1,000 file transfers. This makes it easy for you to personalize for your own particular environment – for example, if your annual volume is 10,000 transfers, you can simply multiply these results by 10.
  • Let’s assume that the average percentage of errors, exceptions, and problems is as shown above
  • Likewise, let’s assume that the average time to correct errors, exceptions, and problems is as shown above
  • A simple computation leads us to the following:
    • 1,000 transfers * 3.3% * 81 minutes = 2,711 minutes lost per year for MFT users
    • 1,000 transfers * 4.5% * 387 minutes = 17,331 minutes lost per year for MFT non-users

Now, let’s think about the cost of that lost time. In a person-to-person scenario, there are at least two people affected – and arguably three:

  • The sender of the file loses at least some of their productivity
  • The receiver of the file loses at least some of their productivity
  • In addition, the issue may require the involvement of an additional person to help respond, remediate, and recover – and this responder loses all of their productivity

For the sake of this back-of-the-envelope calculation, let’s further assume:

  • The fully-loaded cost per person is $50 per hour
  • Both sender and receiver lose one-third of their respective productivity for the time the issue remains uncorrected (e.g., they can still do other work)
  • The responder, however, loses 100% of their productivity for the time the issue remains uncorrected
  • A simple calculation leads us to the following:
    • 2,711 minutes * 1 hour / 60 minutes * $50 / hour * (1/3 + 1/3 + 1) = $3,750 lost per year for MFT users
    • 17,331 minutes * 1 hour / 60 minutes * $50 / hour * (1/3 + 1/3 + 1) = $23,975 lost per year for MFT non-users

This is a 6.4-times advantage for MFT users, for the cost of lost productivity alone!

If this wasn’t already a sufficient business case for a MFT solution, we could also estimate additional costs related to errors, exceptions, and problems with file transfers, such as:

  • Opportunity costs
    • Loss of current revenue
    • Loss of future revenue
    • Inability to carry out the organization’s mission
  • Costs associated with the loss or exposure of sensitive data
  • Costs associated with non-compliance

I won’t attempt to quantify these costs here, but it seems clear enough that if we did then the gap between MFT users and MFT non-users would grow even wider – e.g., Aberdeen’s research confirmed that compared to MFT non-users, MFT users had fewer security incidents (e.g., data loss or exposure), fewer non-compliance incidents (e.g., audit deficiencies), fewer errors and exceptions, and fewer calls and complaints. As if we needed any more convincing.

Remember, these calculations were done on a volume of 1,000 file transfers per year – you can easily scale these up to reflect your own environment. It’s pretty easy to see that it doesn’t take very much volume to justify the cost of implementing and supporting an MFT solution. (In fact you might even save in operational costs, from the benefits of having a more uniform and efficient file transfer “platform”.)

Another thing we might want to do with Aberdeen’s research findings is to show how MFT users have actually reduced their risk compared to that of MFT non-users – using the proper definition of risk, which has to do with the probability of an error, exception, or problem and the magnitude of the corresponding business impact. The results of that more sophisticated analysis would not be a single, static number (such as the ones we derived above), but a more realistic range of values that would support making business decisions about file transfer based on the organization’s appetite for risk.

In my next post I will dig deeper into the business case for MFT by using a proven, widely-used approach to risk modeling called Monte Carlo simulation.

You also may be interested in the Aberdeen White Paper with this underlying research “From Chaos to Control: Creating a Mature File Transfer Process,” as well as these audio highlights from a recent webinar on this same topic of quantifying the benefits of Managed File Transfer.