CISA - Vulnerability Management (VM)

Cost Benefit Analysis is not required as part of this effort. However, citing the recent CISA Economic study Cost of a Cyber Incident: Systematic Review and Cross-Validation, the annual impact on U.S. nation financial loss resulting from cyber incidents ranges from a median of $242B annually to as much as $7.7 trillion. Per incident losses have a mean range of $394,000 to almost $19.9M in loss per incident. Utilization of VM Assessments services by any of our stakeholders identifies the critical and high vulnerabilities in their networks and systems. VM stakeholders can then mitigate those vulnerabilities which eliminates opportunities for a potential incident. The mitigation of these vulnerabilities leads to cost avoidance that far surpasses the annual operating budget of the VM investment. In 2021 alone, VM identified over 645,000 vulnerabilities in customer networks and systems.

Also, VM offers these cyber services to our stakeholders free of charge. For example, a typical Vulnerability Scan from a private Vendor would cost a company approximately $2,000-$2,500. VM not only provides that service to the stakeholder free of charge, but VM also provides the service weekly. By end of FY22, VM aims to provide this service to over 4,000 stakeholders resulting in a cost savings of $416M-$520M every year for our stakeholder community.

VM does incur a cost to provide these services, but the costs to VM is far less than the cost to procure a similar service in the private sector. At present, VM pays only $788 per year per stakeholder to provide this Vulnerability Scanning service (~$3.15M total). As the number of stakeholders continues to grow, VM aims to reduce this cost down to $525 per year per customer.

• Total
• Cost Pools