Leadership

If someone asked you how much the cost of a task is, I bet you would struggle to give them an accurate response. The default position of most people is to underestimate the cost of doing something (but estimation science shows us that it tends to vary based on role, e.g. project managers are risk averse, engineers think they can solve things faster than they can, and executives often just want it to be cheaper for the sake of it being cheaper – Parkinson's Squeeze I think that is called).

Years ago I started looking at total cost of ownership (TCO) and Return on Investment modelling (I mean a lot of years ago….) and I’ve created a range of models for organisations for:

  • Sales Estimation
  • Business Cases
  • Budget Planning
  • Project Planning
  • System Optimisation Analysis

So this morning I bumped into a post that claimed the cost of a password reset is on average $70…. and well that set off my brain with a…. that feels a touch high (it might not be, I can’t recall having modelled this before).

Models where you can’t see the formula

The formula behind the Forrester value is simply not public knowledge, at least I can’t find it.

Using ChatGPT I’ve managed to conduct an analysis which seems reasonable in terms of an assumed way they have calculated this.

My Models

The models here are very simple. I know that staff costs vary loads with location, vertical, and simply the specific org. I also know that all models are flawed, some are useful etc.

So basically there are lots of ways to model this. None of them is right or wrong, but I would say if you use a headline figure from a source that isn’t your own modelling you might run into some ‘fun’.

So I would probably do this:

If you do need to know how much a password reset costs for you, model your own organisational activity and do not use anyone’s arbitrary ‘best guesses’.

Perhaps, consider some key questions such as:

What does it cost in my organisation?

  • Is this ok for us?
  • Is the process/procedure delivering good value?
  • Is the process robust against attackers abusing it?
  • What volume and frequency of password resets do we have?
  • Do we want to change/improve this or do we have other things that we need to focus on?

Risks

We know that credential losses can be the start of a devastating chain of events for an organisation; we also know that this really depends on the organisation’s security posture. We also know that helpdesk password reset abuse can be a vector for cybercriminals to socially engineer their way into getting a foothold inside the organisation.

There’s a lot to consider in this space. Authentication and authorisation are absolutely key areas when it comes to a security posture, so getting this right is important.

Remember security is typically about layers:

  • Conditional/Contextual Access Policies
  • MFA/Passcodes etc.
  • Password Managers
  • Proactive Security Monitoring
  • Audits, Health checks, Password Audits
  • Breach Monitoring
  • Penetration Testing
  • Control Testing
  • Breach Response Planning
  • Incident Response
  • Training

There’s a lot of things that make up a posture and a lot of things that make up costs/value etc. The devil is in the details and, in the end, it probably only really matters what the costs/value are to your organisation.