Thursday, October 18, 2007

Hidden costs of passwords

Network World's Security Strategies Newsletter, 10/18/07

By M. E. Kabay

Many users who focus on their individual experience and needs rather than on corporate security management think that passwords are free. Indeed, password functions come with our operating systems and much of our software; we don’t have to pay anything extra to buy this form of authentication. However, both common sense and research findings support the view that authenticating identity using passwords is a significant expense for organizations.

The major issue is forgotten passwords. Users who lose track of their passwords may have access to an automated password-resetting process, in which case costs may be modest. For example, it is possible to set up a database of personal-information questions whose answers are stored only as salted one-way hashes (so the help desk never holds the plaintext answers), and have the user answer several of these questions correctly to authenticate to the system. One example is the M-Tech Identity Management Suite, which provides precisely this functionality (among others) to avoid help-desk involvement in password resets.
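The self-service scheme just described, worked through in code. This is an added example, not M-Tech's code or any vendor's implementation; it assumes an in-memory record, the scrypt function from Python's standard library, and constructed questions and answers. The practitioner's caveat is that answers to personal questions are low-entropy and often guessable, so the hashing has to be slow and salted and the check has to require several correct answers and be paired with an attempt limit:

```python
"""Self-service password reset backed by one-way hashed security answers.

Added example, not M-Tech's code. Assumed: an in-memory record, scrypt from
the standard library, and constructed questions/answers for the demo.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, List, Optional, Tuple

# scrypt work factor (assumed values; raise n until one check costs ~100 ms
# on your hardware). A slow hash matters more here than for passwords,
# because "pet's name" style answers come from a very small dictionary.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16


def normalize(answer: str) -> str:
    """Canonicalise an answer so 'Main St.' and ' main st ' hash identically.

    Users rarely reproduce capitalisation, punctuation or spacing exactly,
    and a hash gives no partial credit, so the same normalisation is applied
    at enrolment and at verification time.
    """
    text = unicodedata.normalize("NFKC", answer).casefold().replace(".", "")
    return " ".join(text.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for an answer.

    A fresh random salt per answer stops an attacker who steals the database
    from hashing a list of common answers once and matching every user.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(normalize(answer).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def enroll(qa: List[Tuple[str, str]]) -> List[Tuple[str, bytes, bytes]]:
    """Build the stored record as (question, salt, digest) triples.

    The plaintext answers are never stored; only the one-way digests are.
    """
    return [(q, *hash_answer(a)) for q, a in qa]


def verify_answer(entry: Tuple[str, bytes, bytes], candidate: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, salt, digest = entry
    _, cand = hash_answer(candidate, salt)
    return hmac.compare_digest(cand, digest)


def authenticate_reset(record: List[Tuple[str, bytes, bytes]],
                       responses: Dict[str, str], required: int = 3) -> bool:
    """Grant a reset only if at least `required` supplied answers match.

    Every supplied answer is checked (no early exit on the first miss), so
    the number of scrypt calls does not reveal which answer was wrong.
    Callers should additionally rate-limit attempts per account; this demo
    does not persist state and so leaves that to the surrounding system.
    """
    correct = 0
    for entry in record:
        question = entry[0]
        if question in responses and verify_answer(entry, responses[question]):
            correct += 1
    return correct >= required


if __name__ == "__main__":
    # Constructed demo data, not real user answers.
    record = enroll([("street", "Main St."), ("pet", "Rex"),
                     ("school", "Lincoln"), ("colour", "Blue")])
    print(authenticate_reset(record, {"street": " main st ", "pet": "REX",
                                      "school": "lincoln"}))
    print(authenticate_reset(record, {"street": "main st", "pet": "REX",
                                      "school": "Jefferson"}))
```

The `required` threshold is the knob that trades help-desk avoidance against guessability: three of four answers, as in the demo, stops a colleague who knows one or two facts, while a single question would not.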

Even this process has a modest cost that depends on the cost per minute of salary and extended costs (relating to costs of facilities, supplies, services and their financing) for the forgetful employee’s time. I’ve always been told to estimate extended costs at around 50%, so someone earning $80,000 a year (for 2,000 hours of work) might be costing the employer around $1/minute. You can do the rest of the math.


The cost grows if the help desk gets involved, especially if there’s a lag in responding to the emergency call. In addition to the cost of the help-desk personnel’s time (which one can either include or discount as being paid anyway, depending on the point of view), the big cost begins to be the ticking clock as the locked-out user waits for a reply. For the $1/minute employee mentioned above, a five-minute wait twiddling her thumbs amounts to $5 of wasted costs - but a half-hour delay is $30. Do you ever have to wait half an hour for a callback from the help desk?

Multiply the lost passwords by the number of employees and the average number of times people forget their passwords and you can see that the costs begin to rise significantly. At some point, tokens and biometrics begin to seem less expensive, comparatively, than they seemed at first glance.

In a 2005 article, Lisa Phifer writes, “According to Burton Group and Gartner studies, password resets represent 30% of all help desk calls. The META Group estimates that each help desk call costs $25.” In a white paper by RSA (makers of cryptographic tokens, remember), the authors claim that for a 1,000-user organization, the total cost of ownership over the first three years is around $673,000 or $673 per user. About 98% of that depressing expense is due to management costs.

Similar calculations are shown in a Cost of Ownership document from RoboForm. The makers of this single-sign-on software estimate cost savings of about $417 per user in the first three years for a 1,000-user organization through reduction of lost-password calls.

Avatier, maker of the Avatier Password Station, has placed an ROI Calculator for its product on the Web. It allows you to enter the number of employees, the number of help-desk calls per user per month, the duration of help-desk calls, the hourly costs of both help-desk staff and callers, the percentage of help-desk calls relating to password reset (30% on average, according to Gartner Group) and the percentage of users who will use their product. The calculator shows the ROI in months, total cost savings in year one and total cost savings by the end of the third year.
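The cost model that runs through the article (the loaded per-minute rate, the wait-time cost, the multiplication across employees and reset frequency, and the calculator inputs listed above) as one worked calculation. This is an added example, not Avatier's calculator or any vendor's figures; the reset frequency, call and wait durations, adoption rate and product costs in the demo are constructed placeholders, and only the $80,000 salary with 50% extended costs comes from the text:

```python
"""Worked cost model for help-desk password resets and self-service ROI.

Added example; not Avatier's calculator or RSA/RoboForm/META figures.
The demo inputs (reset frequency, call/wait minutes, adoption, product
cost) are constructed placeholders; replace them with your own numbers.
"""
import math
from dataclasses import dataclass
from typing import Tuple


def loaded_rate_per_minute(annual_salary: float, extended_cost_rate: float = 0.5,
                           hours_per_year: float = 2000.0) -> float:
    """Salary plus extended costs (facilities, supplies, services, financing),
    spread over working minutes. $80,000 at 50% extended cost gives $1.00/min."""
    return annual_salary * (1.0 + extended_cost_rate) / hours_per_year / 60.0


@dataclass
class ResetCostInputs:
    employees: int
    resets_per_user_per_month: float   # forgotten-password incidents per user
    call_minutes: float                # help-desk time spent on one reset
    wait_minutes: float                # caller's idle time before the callback
    caller_rate_per_minute: float      # loaded cost of the locked-out user
    helpdesk_rate_per_minute: float    # loaded cost of help-desk staff


def cost_per_helpdesk_reset(i: ResetCostInputs) -> float:
    """Help-desk time plus the caller's time: the call itself and the wait.
    The wait is the 'ticking clock' the article describes."""
    helpdesk = i.call_minutes * i.helpdesk_rate_per_minute
    caller = (i.call_minutes + i.wait_minutes) * i.caller_rate_per_minute
    return helpdesk + caller


def annual_helpdesk_reset_cost(i: ResetCostInputs) -> float:
    """Multiply one reset's cost by employees and yearly reset frequency."""
    resets_per_year = i.employees * i.resets_per_user_per_month * 12.0
    return resets_per_year * cost_per_helpdesk_reset(i)


def self_service_roi(i: ResetCostInputs, adoption: float, self_service_minutes: float,
                     year1_cost: float, recurring_cost: float) -> Tuple[float, float, float]:
    """Return (payback_months, year1_net_savings, year3_net_savings).

    `adoption` is the fraction of users who will use self-service; their
    resets cost only their own time at the self-service portal. Year 1 bears
    the licence/deployment cost, years 2 and 3 the recurring cost (assumed
    structure, mirroring the calculator's year-one and year-three outputs).
    """
    saving_per_reset = cost_per_helpdesk_reset(i) - self_service_minutes * i.caller_rate_per_minute
    monthly_saving = i.employees * i.resets_per_user_per_month * adoption * saving_per_reset
    year1 = monthly_saving * 12.0 - year1_cost
    year3 = monthly_saving * 36.0 - year1_cost - 2.0 * recurring_cost
    payback = year1_cost / monthly_saving if monthly_saving > 0 else math.inf
    return payback, year1, year3


if __name__ == "__main__":
    rate = loaded_rate_per_minute(80_000)              # $1.00/min, as in the text
    demo = ResetCostInputs(employees=1000, resets_per_user_per_month=0.25,   # constructed
                           call_minutes=10, wait_minutes=20,
                           caller_rate_per_minute=rate, helpdesk_rate_per_minute=0.5)
    print(f"loaded rate: ${rate:.2f}/min")
    print(f"one help-desk reset: ${cost_per_helpdesk_reset(demo):.2f}")
    print(f"annual reset cost: ${annual_helpdesk_reset_cost(demo):,.0f}")
    payback, y1, y3 = self_service_roi(demo, adoption=0.8, self_service_minutes=5,
                                       year1_cost=30_000, recurring_cost=10_000)
    print(f"payback: {payback:.1f} months; year-1 net ${y1:,.0f}; year-3 net ${y3:,.0f}")
```

Two things the numbers make visible that the prose only asserts: the caller's wait time dominates the help-desk time whenever the wait is long, and the adoption fraction scales the savings linearly, so a self-service tool nobody enrols in saves nothing.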

I suggest that you take the time to examine the resources above and others you can find online. And the next time some innocent challenges you about how “free” passwords are, you can discuss the issue with a more realistic perspective than they bring to the table.

[MANDATORY DISCLAIMER: I have no financial relationships whatever with any of the companies mentioned in this article.]

Contact the author:

M. E. Kabay, PhD, CISSP-ISSMP is Program Director of the Master of Science in Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.

Copyright Network World, Inc., 2007