NOTE: This is part one of a three-part series on making the business case for using commercial threat modeling tools.
Anyone who has been around the block, software-wise, can tell you that as things really start to scale up, "free" open source software quickly becomes very expensive. Threat modeling is no different.
If you need to build a threat model one time, of a fairly simple system, that doesn’t need updating, then by all means, go ahead and use a free, open source tool (or an Excel spreadsheet). It makes perfect sense. But that’s not indicative of most software systems today, especially those intended to be used in the enterprise.
On the other hand, if you have a cloud deployment or a CI/CD pipeline that is constantly changing and constantly adapting to new threats, then using open source tools for threat modeling quickly becomes labor intensive and, therefore, expensive. That is not unique to threat modeling.
There are plenty of commercial software tools that save time compared with open source alternatives, so making the business case for investing in the proper tool usually isn't that challenging. But with threat modeling, open source can be even more expensive than it first appears. There is not just the cost of the extra labor hours required; there is also the cost of overlooking a meaningful threat.
The Cost of a Missed Threat
What is the cost of missing a threat that leads to a data breach? According to the 2020 Cost of a Data Breach Report by IBM and the Ponemon Institute, the average total cost is $3.86 million. And that number is not skewed by a few unusually costly breaches. According to the report, "To calculate the average cost of a data breach, this research excludes very small and very large breaches. Data breaches examined in the 2020 study ranged in size between 3,400 and 99,730 compromised records."
How much money is that in relative terms? Using a quick, back-of-the-napkin calculation (assuming roughly $150,000 per fully loaded developer-year, which is an assumption, not a figure from the report), one average data breach would pay for five full-time software developers for five years. That is some pretty expensive open source software if it misses a threat that leads to a data breach.
None of this takes into account the potential for a breach that leads to ransomware. From CSO Online: "According to The State of Ransomware 2020 report from Sophos, paying the ransom in any ransomware increases the overall cost of the attack. The report claims the global average to remediate a successful ransomware attack is $733,000 for organizations that don't pay the ransom, rising to $1,448,000 for organizations that do pay." That is more developers for more years.
When it comes to avoiding data breaches, there is almost no price too high to pay for a tool that identifies the pertinent threats and empowers you to mitigate them. And so, when choosing a threat modeling solution, the question that matters most is: does it actually surface the threats that matter, and keep you safe?
In part two of the series we calculate estimated hour and dollar savings from using commercial threat modeling tools, compared with open source, for different numbers and sizes of projects.