Calculating the Cost of Full Disk Encryption
CowboyRobot writes "Is full disk encryption (FDE) worth it? A recent study conducted by the Ponemon Institute shows that the expected benefits of FDE exceed cost by a factor ranging from 4 to 20, based on a reduction in the probability that data will be compromised as the result of the loss or theft of a digital device. 'After doing all of the math, Ponemon found that the cost of FDE on laptop and desktop computers in the U.S. per year was $235, while the cost savings from reduced data breach exposure was $4,650.'"
At least partially:
"The study found that the most expensive element of FDE is not the hardware or software involved, but the value of user time it takes to start up, shut down and hibernate computing systems while using FDE."
But this study doesn't pass the smell test. Take this, for instance: "The cost savings from reduced data breach exposure was $4,650." Imagine that FDE takes the risk of data breach on a stolen disk from 100% down to 0%. And imagine that any given computer has a 1% chance each year of being stolen by someone who's going to exploit the data on it (rather than just reformat it and sell or use it). Both of those are very generous estimates.
The average value of a lost computer to my company--either in terms of profits lost or competitor's profits gained--would have to be $465,000 for the math to work. Which as a median doesn't make sense.
If it's a mean, it only makes sense because there are a handful of computers whose value is tens or hundreds of millions of dollars counterbalancing the vast array of other computers worth far less--but if that's the case, the right solution probably isn't to lump all machines together for analysis purposes, it's to segregate out the high-value targets and treat their security differently from the low-value targets.
rage, rage against the dying of the light
Agreed on the smell-test. No matter how good a security-measure is, it cannot save more money than is lost without it. (i.e. the best possible security is 100%)
Thus for FDE to save $4650/computer/year, the current cost of data-loss that would be avoided with FDE must be at least the same amount.
There's about 100 million computers sold annually in USA, essentially none of which have FDE. The average computer is used for at least 3 years. The total *current* cost of data-losses must thus be at least: 100M * $4650 * 3 = $1395 billion/year.
That doesn't pass the smell-test. It would mean the losses add up to $12500 a year for each household, which is utterly ridiculous.
Surely if it means a lot to you but not to anyone else then encryption is not as important (if at all) as backing up?
I have lost personal data. I also have a few old and fairly important files kicking around that I password protected many moons ago and forgot the password.
I have chosen not to encrypt, but I have a very solid backup routine.
But then I can't imagine having data that is so personal (and yet irreplaceable) that I would rather lose it than have some random look at it.
The other side of the coin is managing it properly. For example I've had to restore from an unencrypted backup purely because somebody who was managing their own disk encryption had forgotten how to access their files and needed whatever earlier copies were available as a matter of urgency. If it's not done properly with people at multiple sites having details of how to access the files it's not worth doing at all. An encrypted volume should not be a room full of people that have eaten the salmon mousse away from being permanently inaccessible.