The Total Economic Impact™ Of Mastercard’s RiskRecon Threat Protection Solution
Cost Savings And Business Benefits Enabled By RiskRecon Threat Protection
A Forrester Total Economic Impact™ Study Commissioned By Mastercard, April 2024
Configure Data
Switch between the study data and your organization’s custom data below. Answering the questions on the “Custom Data” tab will allow you to customize the analysis and estimate the potential impact of using RiskRecon Threat Protection at your organization.
Study Data
Learn More
To read Forrester's full analysis and customize the findings to your organization, please register below.
RiskRecon Threat Protection is a cybersecurity solution that helps organizations protect themselves against surface-level, web application, and distributed denial of service (DDoS) attacks, thereby reducing downtime, enabling security engineering efficiencies, increasing cross-organizational productivity, and improving net operating revenue.
The RiskRecon Threat Protection cloud-based platform, formerly known as Baffin Bay Networks, allows organizations to mitigate network and web-facing cyber risk and prevent a variety of cyberthreats, including malware, ransomware, and bot attacks. RiskRecon Threat Protection is also effective in combating DDoS attacks, which are attempts to overload network traffic and force systems offline, exposing infrastructure and application-layer vulnerabilities. With Threat Protection’s real-time threat intelligence, machine-learning algorithms, and web-application firewall, companies can monitor, detect, and intercept surface-level application and DDoS attacks swiftly no matter where their assets are stored (e.g., on premises, in the public or private cloud). This safeguards organizations against attacks that can lead to costly downtime, financial loss, and reputational damage.
Mastercard commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying RiskRecon Threat Protection.1 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of Threat Protection on their organizations.
Return on investment (ROI)
211% 211%
Net present value (NPV)
$1.02M$1.02M
To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed four representatives with experience using RiskRecon Threat Protection. For the purposes of this study, Forrester aggregated the interviewees’ experiences and combined the results into a single composite organization. This organization is a B2B e-commerce company that’s based in Europe but also has presence in North America. It generates annual revenues of $190 million and previously used a different cybersecurity solution.
has $0 in annual revenue, 0 employees, and a security engineering team of 0 FTEs. Custom results are based on your inputs and the TEI case study.
Interviewees said that prior to using Threat Protection, their organizations lacked adequate layer 3 and layer 7 protection as well as the necessary bandwidth to protect against a volumetric DDoS or an external web-application attack. Absent effective network and proxy-based security capabilities, the interviewees’ organizations experienced damaging cyberattacks that often originated in foreign countries. This led to unproductive downtime, lost revenue, and reputational damage.
With the investment in Threat Protection, the interviewees’ organizations gained access to a comprehensive, hybrid security tool that includes advanced layer 3 and layer 7 protection and offers web-application firewall capabilities to manage and prevent attacks, limit downtime, reduce associated damage, and increase team efficiencies.
Key Findings
Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:
- Increase in incremental net operating revenue due to improved uptime. By utilizing RiskRecon Threat Protection's comprehensive platform, the composite experiences improves uptime as it is protected against surface, DDoS, and web application attacks. This protection ensures that the composite has uninterrupted access to external-facing applications, which prevents any unnecessary downtime that could negatively impact the organization’s financial performance and reputation. As a result, the composite retains 1% of its revenue, which leads to a three-year, risk-adjusted present value of $510,300.
For , this benefit could be worth over three years.
- Efficiencies gained and productivity recaptured due to improved incident response times. With RiskRecon Threat Protection, the composite significantly reduces its attack detection, response, and remediation times, which extends considerable efficiencies across the security engineering team. Additionally, the composite reclaims productive hours from 90% of its remaining employee base due to the reduction in outages and network degradations caused by attacks. These realized efficiencies and reclaimed productivity have an impact of $833,500 over three years.
For , this benefit could be worth over three years.
- Efficiencies from meeting industry regulatory and compliance requirements. Because the composite’s e-commerce operations are complex, meeting regulatory and compliance requirements across Europe and the US necessitates strong cybersecurity measures, including DDoS protection throughout the organization’s infrastructure. Threat Protection enables the composite to reduce time dedicated to regulatory and compliance tasks by 50%, which represents efficiencies worth $167,500 over three years.
For , this benefit could be worth over three years.
Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:
- Improved employee experience due to productivity gains. With the ability to maintain secure systems and streamline cybersecurity management and compliance tasks, the composite’s security engineering team realizes significant efficiency gains. This allows team members to communicate better, collaborate, and focus on higher-value strategic tasks.
- Enhanced customer experience due to fewer disruptions. With continuous monitoring and real-time threat management, RiskRecon Threat Protection helps the composite ensure the availability and reliability of external-facing web applications to its customers. By reducing disruptions and avoiding frustration and abandonment, the composite enhances its overall customer experience.
- More empowered security management due to self-service features that were previously unavailable to the organization. The self-service feature of RiskRecon Threat Protection provides the composite with enhanced control, flexibility, and real-time response capabilities that allow it to manage and customize its threat protection measures proactively and independently with an all-in-one solution. This empowers management to make more informed security decisions depending on evolving threats.
Costs. Three-year, risk-adjusted PV costs for the composite organization include:
- RiskRecon Threat Protection subscription costs. The subscription cost of the RiskRecon Threat Protection platform is $165,900 per year for the composite, which results in a three-year, risk-adjusted present value of $474,500.
For , this cost could be over three years.
- Initial and ongoing costs. Initial costs for the composite organization include the allocation of internal resources for a low-touch implementation and initial training. Ongoing costs include dedicated time to manage the platform and relationship with RiskRecon. The composite’s initial and ongoing costs required for the adoption of Threat Protection total $11,600 over three years.
For , this cost could be over three years.
The representative interviews and financial analysis found that a composite organization experiences benefits of $1.5 million over three years versus costs of $486,000, adding up to a net present value (NPV) of $1 million and an ROI of 211%.
could experience benefits of over three years versus costs of , adding up to an NPV of and an ROI of 0%.
Increase in incremental net operating revenue
1%
“The pricing model of Threat Protection matches our own pricing model. So, it’s super easy for us to scale with Threat Protection, and we need that ability given what we do. And when we now experience attacks, it is very easy to work with the RiskRecon team to quickly address the issue and adjust our protection to make sure that we have the best setup we can have.”
Chief technology officer, gaming
Registration Required To Continue
COOKIE ACCEPTANCE IS REQUIRED TO REGISTER FOR ACCESS TO DIGITAL ASSET
Key Statistics
-
Return on investment (ROI)
211%211%
-
Benefits PV
$1.51M$1.51M
-
Net present value (NPV)
$1.02M$1.02M
-
Payback
6 months6 months
Benefits (Three-Year)
Increase in incremental net operating revenue due to improved uptime Efficiencies gained and productivity recaptured due to improved incident response times Efficiencies realized meeting industry regulatory and compliance requirementsTEI Framework And Methodology
From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in RiskRecon Threat Protection.
The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that Threat Protection can have on an organization.
-
Due Diligence
Interviewed Mastercard stakeholders and Forrester analysts to gather data relative to RiskRecon Threat Protection.
-
Interviews
Interviewed four representatives at organizations using RiskRecon Threat Protection to obtain data about costs, benefits, and risks.
-
Composite Organization
Designed a composite organization based on characteristics of the interviewees’ organizations.
-
Financial Model Framework
Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.
-
Case Study
Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.
Disclosures
Readers should be aware of the following:
This study is commissioned by Mastercard and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.
Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in RiskRecon Threat Protection. For the interactive functionality using Configure Data/Custom Data, the intent is for the questions to solicit inputs specific to a prospect’s business. Forrester believes that this analysis is representative of what companies may achieve with RiskRecon Threat Protection based on the inputs provided and any assumptions made. Forrester does not endorse Mastercard or its offerings. Although great care has been taken to ensure the accuracy and completeness of this model, Mastercard and Forrester Research are unable to accept any legal responsibility for any actions taken on the basis of the information contained herein. The interactive tool is provided ‘AS IS,’ and Forrester and Mastercard make no warranties of any kind.
Mastercard reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.
Mastercard provided the customer names for the interviews but did not participate in the interviews.
Consulting Team:
Rachel Ballard
Drivers leading to the Threat Protection investment
Interviews
| Role | Industry | Region | Number of employees |
|---|---|---|---|
| Chief technology officer | Gaming | Europe | 1,000 |
| Head of security operations | Insurance | Europe | 4,000 |
| Technical business developer | Transportation | Europe | 46 |
| Founder and engineer | Cloud services | Europe | 30 |
Key Challenges
Interviewees said that although their organizations’ security teams were previously equipped with cybersecurity solutions, they lacked the bandwidth and layer 7 security to protect their networks from volumetric DDoS attacks, which could shut down their networks for indeterminable amounts of time and lead to significant loss of employee productivity. Additionally, these solutions lacked web application firewall capabilities, which interviewees said allowed attackers to find and exploit system vulnerabilities. This resulted in frustrating downtime, customer abandonment, and loss of revenue and reputation for the interviewees’ organizations.
The interviewees noted how their organizations struggled with common challenges, including:
- Increase in different types of undetected, successful attacks. Lacking the required security features to combat the growing number of sophisticated bad actors, the interviewees’ organizations exposed themselves to unnecessary vulnerabilities and experienced the consequences of an increasing number of costly and serious bot, ransomware, DDoS, and web application attacks.
- Loss of customer confidence and reputation. Interviewees said that without sufficient application firewall protection, their organizations experienced sales channel application downtime that impacted customer experience considerably, causing reputational damage and loss of customer confidence and retention.
- Loss of sales revenue. Interviewees said that as cyberattacks on the network layer and front-facing web applications became more frequent, they not only created a negative impact on their organizations’ customers, but they also resulted in a significant loss of sales revenue for their organizations. For example, a sales application being down for multiple hours can translate into a considerable financial loss. Interviewees said they feared these attacks and outages would continue to occur unless their organizations were able to detect network and application vulnerabilities and implement appropriate security measures to prevent them.
Solution Requirements/Investment Objectives
The interviewees’ organizations searched for a solution that could help them:
- Realize efficiencies through improved detection, response, and remediation times.
- Achieve resource cost savings in compliance and regulatory tasks.
- Regain productivity and recapture revenue due to fewer outages and systems degradations.
- Scale with regional, partner, and end-user growth.
“Before we adopted Threat Protection, we had an application attack originating in another country. It impacted multiple sales channels that were down for 24 hours. It was a huge financial loss, and there was a lot of bad will — especially as we’re a public company. On top of that, we received a lot of bad press.”
Technical business developer, transportation
“We sought a solution that could protect us and our customers from volumetric DDoS attacks and have all network traffic go through the RiskRecon threat protection centers at all times.”
Founder and engineer, cloud services
Composite Organization
Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the four interviewees, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:
Description of composite. The European B2B e-commerce organization has a significant presence in the US and global operations and distribution. The organization has a strong reputation with its B2B business partners, annual revenue of $190 million, an end-user base of 2 million, 1,000 employees, and a security engineering team of five FTEs.
Description of . has $0 in annual revenue, 0 employees, and a security engineering team of 0 FTEs.
Deployment characteristics. The composite organization replaces another cybersecurity solution with RiskRecon Threat Protection. This decision is made primarily due to the added DDoS protection and robust application firewall features offered by Threat Protection. The composite’s objective is to identify and eliminate vulnerabilities in real time, respond to a wide range of attacks, and avoid excessive response and remediation times that can lead to lost internal productivity and revenue loss.
Key Assumptions
- European B2B e-commerce organization
- Operates in Europe and the US
- 1,000 employees
- $190,000 annual revenue
- End-user base of 2 million
- Security engineering team of five FTEs
Interview Spotlight: Chief Technology Officer, Gaming
“We were using a solution that only offered layer 3 protection, and I was looking for something that could provide both layer 3 and layer 7 protection … and has both network-based protection and proxy-based protection. Our previous solution only provided network-based protection. For the proxy-based protection, I was interested in RiskRecon Threat Protection because they were doing some interesting things in relation to machine learning and disrupting how the layer 7 protection was being done. Given our industry, any kind of attack can mean millions of dollars in bets, and that is something neither we nor our customers can afford.”
Quantified benefit data as applied to the composite
Total Benefits
| Ref. | Benefit | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|
| Atr | Increase in incremental net operating revenue due to improved uptime | $205,200 $205,200 | $205,200 $205,200 | $205,200 $205,200 | $615,600 $615,600 | $510,302 $510,302 |
| Btr | Efficiencies gained, and productivity recaptured due to improved incident response times | $335,152 $335,152 | $335,152 $335,152 | $335,152 $335,152 | $1,005,455 $1,005,455 | $833,472 $833,472 |
| Ctr | Efficiencies realized meeting industry regulatory and compliance requirements | $66,960 $66,960 | $66,960 $66,960 | $66,960 $66,960 | $200,880 $200,880 | $166,520 $166,520 |
| Total benefits (risk-adjusted) | $607,312 $607,312 | $607,312 $607,312 | $607,312 $607,312 | $1,821,935 $1,821,935 | $1,510,294 $1,510,294 | |
Increase In Incremental Net Operating Revenue Due To Improved Uptime
Evidence and data. Interviewees noted that their organizations’ customers noticed an improvement in accessing sales channels due to the measures the organizations put in place with Threat Protection to mitigate attack-based disruptions on external-facing web applications. They said this led to more consistent and reliable experiences for customers when completing purchases. Previously, these disruptions had a direct impact on revenue generation because sales failed to convert during outages. Moreover, dissatisfied customers were more likely to switch to competitors offering similar services or products.
- The technical business developer at a transportation provider said hostile actors were increasingly looking to disrupt or even halt public services in Europe. Before adopting RiskRecon Threat Protection, this transportation service suffered a web application attack that caused a financial loss of a full day’s sales revenue.
- The same interviewee stated: “After deploying Threat Protection, we have experienced zero successful attacks of any kind. We hear attackers knocking on the firewall, but no one enters. That’s very meaningful to us in a financial way.”
Modeling and assumptions. For the financial model, Forrester assumes the following about the composite organization:
- The composite organization generates $190 million in annual revenue.
- With added threat protection across its ecosystem, the composite organization retains 1% of revenue due to a reduction in web-facing application downtime.
- The composite organization reports a net operating profit margin of 12%.
Risks. The increase in incremental net operating revenue due to improved uptime can vary with:
- The organization’s size and industry as they relate to annual revenue and net operating profit margin.
- The organization’s loss of revenue due to outages in its legacy state.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $510,300.
For with annual gross revenue of $0, this benefit may have a three-year, risk-adjusted total PV of .
$190 million
Annual revenue
“Even though we haven’t faced a major attack on our web applications resulting in lost sales, we know that with Threat Protection, we are prepared to respond quickly in the event of a serious threat.”
Head of security operations, insurance
The following table shows custom results for .
Increase In Incremental Net Operating Revenue Due To Improved Uptime
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| A1 | Gross revenue | CompositeComposite | $190,000,000 $190,000,000 | $190,000,000 $190,000,000 | $190,000,000 $190,000,000 | |
| A2 | Percent of revenue retained due to improved uptime | CompositeComposite | 1.00%1.00% | 1.00%1.00% | 1.00%1.00% | |
| A3 | Operating profit margin | CompositeComposite | 12%12% | 12%12% | 12%12% | |
| At | Increase in incremental net operating revenue due to improved uptime | A1*A2*A3 | $228,000 $228,000 | $228,000 $228,000 | $228,000 $228,000 | |
| Risk adjustment | ↓10% | |||||
| Atr | Increase in incremental net operating revenue due to improved uptime (risk-adjusted) | $205,200 $205,200 | $205,200 $205,200 | $205,200 $205,200 | ||
| Three-year total: $615,600 $615,600 | Three-year present value: $510,302 $510,302 | |||||
Efficiencies Gained And Productivity Recaptured Due To Improved Incident Response Times
Evidence and data. Interviewees said with RiskRecon Threat Protection’s layers 3, 4, and 7 and proxy-based protection, their organizations faced fewer bot, malware, ransomware, and DDoS threats. According to the interviewees, preventing DDoS attacks was a priority because they can be especially costly. They explained that previous DDoS attacks were executed in a variety of ways (e.g., volumetric attacks that overwhelmed the network with an excessive amount of traffic, protocol attacks that exploited vulnerabilities in network protocols, application-layer attacks that targeted specific applications or services). Interviewees said these types of attacks shut down their organizations’ networks for significant amounts of time, which required security engineering to spend time remediating. This resulted in lost productivity for the remaining employees during the network outages.
- The founder and engineer of a cloud service provider reported: “With online protection, most low-level threats or attacks are mitigated in seconds. Before [using] RiskRecon Threat Protection, it was, like, 5 to 10 minutes. Across customers and employees, that downtime adds up.”
- The technical business developer at the transportation organization noted: “Since deploying RiskRecon Threat Protection, we’ve seen bad actors change their attack patterns where they are going up to a layer 7 and everything has been blocked. So, it’s a security level that we didn’t have before, and [we] found out the hard way that we really needed it.”
Modeling and assumptions. For the financial model, Forrester assumes the following about the composite organization:
- The composite organization experiences three severe surface or DDoS attacks per year.
- The composite organization has a security engineering team of five FTEs, and each saves 8 hours in responding and remediating an attack after the deployment of RiskRecon Threat Protection.
- The average fully burdened hourly cost for a security engineer in Europe is $62.
- Ninety percent of the remaining employee base is impacted by each outage, and each employee reclaims 8 hours of productive time per severe surface or DDoS attack.
- The average fully burdened hourly cost for an employee in Europe is $36.
- Forrester applied a productivity capture rate of 50% because not all reclaimed time equals productive time.
Risks. Efficiencies gained and productivity recaptured due to improved incident response times can vary with:
- The number of successful attacks in the organization’s legacy environment and in its post-deployment state.
- The number of security engineers employed by the organization.
- The amount of time required to respond to and remediate severe attacks in the organization’s legacy state.
- The percent of the remaining employee base impacted by a network outage.
- Hourly rates, which depend on employees’ skill sets and geographical locations.
Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $833,500.
For with 0 and each of the 0 security engineering team members spending 0 hours to respond and remediate a serious attack, this benefit may have a three-year, risk-adjusted total PV of .
8 hours
Time savings per security engineering team member to respond to and remediate a serious attack
“DDoS attackers typically run small tests to see if they can take something down, and if they can, then they run bigger and more serious attacks. And these larger threats to the network or application layer can cause hourlong outages.”
Founder and engineer, cloud services
The following table shows custom results for .
Efficiencies Gained And Productivity Recaptured Due To Improved Incident Response Times
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|
| B1 | Serious surface and DDoS attacks prevented | CompositeComposite | 33 | 33 | 33 |
| B2 | Time saved per team member to respond and remediate a serious attack with RiskRecon Threat Protection (hours) | InterviewsInterviews | 88 | 88 | 88 |
| B3 | Security engineer team members | CompositeComposite | 55 | 55 | 55 |
| B4 | Average fully burdened hourly cost for a security engineer | TEI standard | $62 $62 | $62 $62 | $62 $62 |
| B5 | Subtotal: Security engineering team efficiencies gained due to improved incident response times | B1*B2*B3*B4 | $7,440 $7,440 | $7,440 $7,440 | $7,440 $7,440 |
| B6 | Employees potentially impacted by a surface or DDoS attack | CompositeComposite | 995995 | 995995 | 995995 |
| B7 | Percentage of employees actually impacted by an outage | CompositeComposite | 90%90% | 90%90% | 90%90% |
| B8 | Serious surface and DDoS attacks prevented | B1 | 33 | 33 | 33 |
| B9 | Productive time reclaimed per event due to the adoption of RiskRecon Threat Protection (hours) | InterviewsInterviews | 88 | 88 | 88 |
| B10 | Average fully burdened hourly cost for an employee | TEI standard | $36 $36 | $36 $36 | $36 $36 |
| B11 | Productivity capture | TEI standard | 50%50% | 50%50% | 50%50% |
| B12 | Subtotal: Internal employee productivity recaptured due to the adoption of RiskRecon Threat Protection | B6*B7*B8*B9* | $386,856 $386,856 | $386,856 $386,856 | $386,856 $386,856 |
| Bt | Efficiencies gained and productivity recaptured due to improved incident response times | B5+B12 | $394,296 $394,296 | $394,296 $394,296 | $394,296 $394,296 |
| Risk adjustment | ↓15% | ||||
| Btr | Efficiencies gained and productivity recaptured due to improved incident response times (risk-adjusted) | $335,152 $335,152 | $335,152 $335,152 | $335,152 $335,152 | |
| Three-year total: $1,005,455 $1,005,455 | Three-year present value: $833,472 $833,472 | ||||
Efficiencies Realized Meeting Industry Regulatory And Compliance Requirements
Evidence and data. The interviewees commented that RiskRecon Threat Protection helped their organizations with compliance and regulatory requirements by offering robust security features, including continuous monitoring, strong DDoS protection, and real-time insights into their network and application vulnerabilities that enabled making swift changes to settings and configurations depending on the threat level. Interviewees reported that with these advanced security features, their organizations were able to reduce time they previously dedicated to regulatory and compliance tasks.
The chief technology officer at a gaming organization shared: “The specific level of protection needed would depend on your risk assessment and requirements. But with the gaming regulations, the US Supreme Court overturned a law in 2018 that restricted sports betting in the US. Since then, around 20 states have implemented legislation and rules for running sports books, all of which would require some form of DDoS threat protection.”
Modeling and assumptions. For the financial model, Forrester assumes the following about the composite organization:
- In its legacy environment, the composite spent 40 hours per month per security engineer on regulatory and compliance tasks.
- After the adoption of RiskRecon Threat Protection, the composite organization reduces the time needed for regulatory and compliance tasks by 50%.
- The average fully burdened hourly rate for a security engineer in Europe is $62.
Risks. Efficiencies realized meeting industry regulatory and compliance requirements can vary with:
- The number of members on the organization’s security engineering team.
- The organization’s industry and geographical location as they relate to regulatory and compliance requirements and the time needed to complete associated tasks.
- Hourly rates, which depend on employees’ skill sets and geographical locations.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $166,500.
For with a security engineering team of 0 FTEs, each spending 0 hours per month on regulation and compliance activities, this benefit may have a three-year, risk-adjusted total PV of .
The following table shows custom results for .
Efficiencies Realized Meeting Industry Regulatory And Compliance Requirements
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|
| C1 | Security engineer team members | CompositeComposite | 55 | 55 | 55 |
| C2 | Time spent per month on regulatory and compliance tasks prior to adopting RiskRecon Threat Protection (hours) | InterviewsInterviews | 4040 | 4040 | 4040 |
| C3 | Percent of time saved on regulatory and compliance tasks after deployment | InterviewsInterviews | 50%50% | 50%50% | 50%50% |
| C4 | Average fully burdened hourly cost for a security engineer | TEI standardTEI standard | $62 $62 | $62 $62 | $62 $62 |
| Ct | Efficiencies realized meeting industry regulatory and compliance requirements | C1*(C2*12)* C3* C4 |
$74,400 $74,400 | $74,400 $74,400 | $74,400 $74,400 |
| Risk adjustment | ↓10% | ||||
| Ctr | Efficiencies realized meeting industry regulatory and compliance requirements (risk-adjusted) | $66,960 $66,960 | $66,960 $66,960 | $66,960 $66,960 | |
| Three-year total: $200,880 $200,880 | Three-year present value: $166,520 $166,520 | ||||
50%
Time savings for regulatory and compliance tasks
“As a cloud service provider, we need our customers to trust us. So, for that, in addition to GDPR (General Data Protection Regulation), we comply with ISO 27001, which establishes security requirements and controls [and encourages] organizations to improve and maintain their security postures with solutions like RiskRecon Threat Protection. That helps us to filter out known bad sources on the internet, mitigate any volumetric DDoS attacks, and save time performing compliance requirements.”
Founder and engineer, cloud services
Unquantified Benefits
Interviewees mentioned the following additional benefits that their organizations experienced but were not able to quantify:
- Improved employee experience due to productivity gains. Due to the reduction in network downtime and increase in productive time, employees across the organization can focus on completing their daily tasks without interruption, which may lead to less frustrated and more satisfied employees. Additionally, with proactive and continuous threat monitoring, visibility, and collaborative support, the security engineering team enjoys a more secure work environment and increased peace of mind. According to the founder and engineer at a cloud service provider: “We are always in communication with the Mastercard team. And without having to worry about all types of attacks, we can now sleep at night.”
- Enhanced customer experience due to fewer disruptions. By providing protection for DDoS, bots, and web applications, RiskRecon Threat Protection helps significantly reduce network and application downtime, thereby ensuring a seamless customer experience. The chief technology officer at a gaming organization commented: “In my industry, customers require us to have DDoS protection. It’s non-negotiable. It’s a cost of doing business, and it needs to be provided by a reputable vendor for a reasonable cost. Mastercard ticks that box.”
- More empowered security management due to self-service features previously unavailable to the organization. RiskRecon Threat Protection offers a self-service portal that an organization’s security engineering team can access, configure, and customize threat protection settings. Through the portal, the team can also set up threat alerts and generate reports to evaluate the organization’s security posture. The founder and engineer at a cloud services provider said, “The self-service portal is great because we can take immediate action, do the necessary analysis, and make changes as needed all on our own and not be totally dependent on the Mastercard support team.”
“The number of customer service calls we get when we’re down [is] a lot, meaning our customers aren’t happy when an attack takes down a web application directed to a sales channel.”
Technical business developer, transportation
Flexibility
The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement RiskRecon Threat Protection and later realize additional uses and business opportunities, including:
- Scalability. RiskRecon Threat Protection is a scalable solution that can analyze large volumes of data and traffic in real time. With cloud-based infrastructure, it offers swift threat detection and can easily integrate with other existing security solutions. This allows organizations to right-size it as they grow their IT footprints.
- Ease of onboarding. According to the interviewees, RiskRecon's Threat Protection solution is not only user-friendly but also highly versatile and can integrate easily with any future security tools their organizations may acquire.
Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Appendix A).
“RiskRecon Threat Protection offers scalability in cost as well as technology. In the US, we need infrastructure in every state due to the Interstate Wire Act, meaning one can’t place bets across state lines. The RiskRecon model can provide threat protection per state as we add them, and not at a huge cost.”
Chief technology officer, gaming
Quantified cost data as applied to the composite
Total Costs
| Ref. | Cost | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|---|
| Dtr | RiskRecon Threat Protection subscription costs | $0 $0 | $190,785 $190,785 | $190,785 $190,785 | $190,785 $190,785 | $572,355 $572,355 | $474,454 $474,454 |
| Etr | Initial and ongoing costs | $5,456 $5,456 | $2,455 $2,455 | $2,455 $2,455 | $2,455 $2,455 | $12,822 $12,822 | $11,562 $11,562 |
| Total costs (risk-adjusted) | $5,456 $5,456 | $193,240 $193,240 | $193,240 $193,240 | $193,240 $193,240 | $585,177 $585,177 | $486,016 $486,016 | |
RiskRecon Threat Protection Subscription Costs
Evidence and data. Interviewees said Mastercard charges their organizations an annual subscription fee for the use of its RiskRecon Threat Protection platform.
Modeling and assumptions. For the financial analysis, Forrester assumes the following about the composite organization:
- The composite organization agrees to a three-year contract with Mastercard.
- The composite’s annual subscription costs are $165,900 based on its characteristics and security needs.
Risks. Total annual subscription fees can vary with:
- The organization’s number of traffic configurations.
- The organization’s training and support needs.
- The number of platform features the organization deploys.
Results. To account for these risks, Forrester adjusted this cost upward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $474,500.
For , these costs may have a three-year, risk-adjusted total PV of . Please note that this is based on a high-level estimation and does not represent a quote. For more details, please contact Mastercard.
“RiskRecon Threat Protection is easy to integrate, and its pricing model aligns well with our business model.”
Chief technology officer, gaming
The following table shows custom results for .
RiskRecon Threat Protection Subscription Costs
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|---|
| D1 | RiskRecon Threat Protection annual subscription costs | CompositeComposite | $0 $0 | $165,900 $165,900 | $165,900 $165,900 | $165,900 $165,900 | |
| Dt | RiskRecon Threat Protection subscription costs | D1 | $0 $0 | $165,900 $165,900 | $165,900 $165,900 | $165,900 $165,900 | |
| Risk adjustment | ↑15% | ||||||
| Dtr | RiskRecon Threat Protection subscription costs (risk-adjusted) | $0 $0 | $190,785 $190,785 | $190,785 $190,785 | $190,785 $190,785 | ||
| Three-year total: $572,355 $572,355 | Three-year present value: $474,454 $474,454 | ||||||
Initial And Ongoing Costs
Evidence and data. According to the interviewees, their organizations’ initial and ongoing costs included the costs of the implementation resources required, initial training, and ongoing management.
Modeling and assumptions. For the financial analysis, Forrester assumes the following about the composite organization:
- The composite’s implementation and initial training require a total of 80 hours.
- Ongoing management requires 3 hours per month.
- The average fully burdened hourly cost for a security engineer in Europe is $62.
Risks. Initial and ongoing costs can vary with:
- The organization’s familiarity with cybersecurity solutions in general.
- The organization’s legacy environment.
- The hourly rates of security engineers, which depends on skill levels and geographical location.
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $11,600.
For , these costs may have a three-year, risk-adjusted total PV of .
80 hours
Total time required to implement RiskRecon Threat Protection
The following table shows custom results for .
Initial And Ongoing Costs
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|---|
| E1 | Total time required to implement RiskRecon Threat Protection (including initial training) (hours) | Interviews | 8080 | 0 | 0 | 0 | |
| E2 | Average fully burdened hourly cost for a security engineer | TEI standardTEI standard | $62 $62 | $0 | $0 | $0 | |
| E3 | Subtotal: Initial implementation and training costs | E1*E2 | $4,960 $4,960 | $0 | $0 | $0 | |
| E4 | Time per month required for ongoing management (hours) | Interviews | 0 | 33 | 33 | 33 | |
| E5 | Average fully burdened hourly cost for a security engineer | TEI standardTEI standard | $0 | $62 $62 | $62 $62 | $62 $62 | |
| E6 | Subtotal: Ongoing management costs | (E4*12)*E5 | $0 | $2,232 $2,232 | $2,232 $2,232 | $2,232 $2,232 | |
| Et | Initial and ongoing costs | E3+E6 | $4,960 $4,960 | $2,232 $2,232 | $2,232 $2,232 | $2,232 $2,232 | |
| Risk adjustment | ↑10% | ||||||
| Etr | Initial and ongoing costs (risk-adjusted) | $5,456 $5,456 | $2,455 $2,455 | $2,455 $2,455 | $2,455 $2,455 | ||
| Three-year total: $12,822 $12,822 | Three-year present value: $11,562 $11,562 | ||||||
Consolidated Three-Year Risk-Adjusted Metrics
Cash Flow Chart (Risk-Adjusted)
Total costs Total benefits Cumulative net benefits-
The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.
These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.
Cash Flow Analysis (Risk-Adjusted Estimates)
| Initial | Year 1 | Year 2 | Year 3 | Total | Present Value | |
|---|---|---|---|---|---|---|
| Total costs | ($5,456)($5,456) | ($193,240)($193,240) | ($193,240)($193,240) | ($193,240)($193,240) | ($585,177)($585,177) | ($486,016)($486,016) |
| Total benefits | $0 $0 | $607,312 $607,312 | $607,312 $607,312 | $607,312 $607,312 | $1,821,935 $1,821,935 | $1,510,294 $1,510,294 |
| Net benefits | ($5,456)($5,456) | $414,071 $414,071 | $414,071 $414,071 | $414,071 $414,071 | $1,236,758 $1,236,758 | $1,024,278 $1,024,278 |
| ROI | 211%211% | |||||
| Payback | <6<6 | |||||
Appendix A: Total Economic Impact
Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.
Total Economic Impact Approach
-
Benefits represent the value delivered to the business by the product. The TEI methodology places equal weight on the measure of benefits and the measure of costs, allowing for a full examination of the effect of the technology on the entire organization.
-
Costs consider all expenses necessary to deliver the proposed value, or benefits, of the product. The cost category within TEI captures incremental costs over the existing environment for ongoing costs associated with the solution.
-
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. Having the ability to capture that benefit has a PV that can be estimated.
-
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”
-
PRESENT VALUE (PV)
The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PV of costs and benefits feed into the total NPV of cash flows.
-
NET PRESENT VALUE (NPV)
The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.
-
RETURN ON INVESTMENT (ROI)
A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.
-
DISCOUNT RATE
The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.
-
PAYBACK PERIOD
The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.
The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.
Appendix B: Supplemental Material
Related Forrester Research
The Forrester Wave™: Cyber Risk Quantification, Q3 2023, Forrester Research, Inc., July 19, 2023.
Cody Scott, Announcing The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q4 2023, Forrester Blogs.
Appendix C: Endnotes
1 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.
ABOUT FORRESTER CONSULTING
Forrester provides independent and objective research-based consulting to help leaders deliver key transformation outcomes. Fueled by our customer-obsessed research, Forrester’s seasoned consultants partner with leaders to execute on their priorities using a unique engagement model that tailors to diverse needs and ensures lasting impact. For more information, visit forrester.com/consulting.
© Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies.
PDF
