Network security

How to Conduct a Cost-Benefit Analysis and Implement a Virtual Private Network

Ravi Das
March 2, 2017 by
Ravi Das

Overview of the Last Article

For any business or corporation, securing the lines of communications between the sending and receiving parties is a top security priority. On a daily basis, billions upon billions E-Mail messages, text messages, instant messages, files, etc. are transmitted all over the world. Of course, not every business entity is going to implement a secure channel protocol.

Thus, they will be at grave risk for a major Cybersecurity breach from occurring. The thinking is often that "it will never happen to me"; but this is far from the truth. A major Cyber-attack can be launched towards any type or kind of business entity, whether it is the smallest, one-person operation, to the largest globally based Fortune 10 company.

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

We have reviewed many security mechanisms in previous articles which can be leveraged to help fortify not the lines of communication when confidential and private information is shared, but also in fortifying the lines of defense.

These have ranged all the way from crafting a much more proactive Security Policy to making the use of Biometric Technology to implementing an Asymmetric Cryptographic Infrastructure, with an emphasis upon a Public Key Infrastructure (also known as a PKI).

It should be noted that one of the most important rules in the world of Security is not to just one layer of Security; but rather, to implement multiple layers of them. So for example, rather than just implementing a stronger Security Policy, you should also make use of Biometric Technology (such as for adding an increased layer of Security at the main entry points; and for accessing files across the corporate intranet), and a Public Key Infrastructure for securing sensitive files which are transmitted back and forth.

In addition to these lines of defense, there is yet another one which is available; this is known specifically as a "Virtual Private Network," or "VPN" for short. What is unique about this particular Security based mechanism is that it can secure a line of communication using the public internet infrastructure.

In its simplest terms, a Virtual Private Network can be viewed as a layered approach from within itself. Just like the principles of Cryptography, whenever a Data Packet is sent across a VPN, it is further wrapped into another specialized Data Packet to make it covert while it is being transmitted over the network medium.

However, in addition to this as well, two layers of communication are also established across the Internet between the sending and the receiving parties. The first is the "normal" connection when the sending party initiates the line of communications.

The second is the VPN connection which is also established specifically for the encapsulated Data Packet to travel upon. This entire process is known specifically as "IP Tunneling."

It should be noted that the second line of communications is never seen to the outside world, or in between the sending and the receiving parties. Thus, it provides one of the most secure means of communications which is available today.

Also, the idea of the first line of communications is to create sort of a "honey pot" for the Cyber attacker, while the Data Packets make their way safely across the VPN based line of communications.

In this article, we continue with the theme of Virtual Private Networks, focusing on these topics:

  • Conducting a Virtual Private Network Cost-Benefit Analysis
  • How to Implement a Virtual Private Network.

Conducting a Virtual Private Network Cost-Benefit Analysis

What do the CIOs and the CFOs have in their arsenal to help them to decide if a Virtual Private Network is affordable, but will also provide the best means of security for the place of business or corporation?

One such technique is a financial analysis methodology known as a "Cost-Benefit Analysis," or "CBA" for short. Even before a CIO or CFO can even consider preparing the Request for Proposal (RFP) for implementing a Virtual Private Network, the following variables need to be addressed:

  1. Determining the actual operating costs of running a particular Information Technology environment.
  2. Calculating the real and tangible benefits that a Virtual Private Network solution will bring to the business or corporation, as opposed to the other Security based mechanisms which are being used.
  3. Calculating the capital requirements as well as the operational costs of the brand new Virtual Private Network.
  4. Determining how to spread the financial costs of the estimated life of the new Virtual Private Network solution, and also assigning the capital expenditures to the specific years.
  5. Ascertaining and determining the cost differences between the operating costs of the existing security system in place versus the brand new Virtual Private Network.
  6. Based on the financial numbers calculated from the first five steps, the Return On Investment (ROI), as well as the Internal Rate of Return (IRR) and the Net Present Value (NPV), can now be ascertained for the brand new Virtual Private Network infrastructure.

With these above factors now calculated and quantified, the CIO and/or the CFO can now conduct the actual Benefit-Cost Analysis, which should include the following components:

  1. All of the real and the hidden costs that are associated with keeping the Virtual Private Network running and the related upkeep costs.
  2. All of the capital expenditures which are related to the lifetime of the Virtual Private Network infrastructure.
  3. The actual costs of hiring the Information Technology staff to administer and maintain the Virtual Private Network.
  4. The calculations of the new revenues that the Virtual Private Network will bring to the place of business or organization.
  5. Any other hidden costs it will take to implement the new Virtual Private Network system.
  6. Any other Information Technology budget cost savings that can be garnered by the newly implemented Virtual Private Network.

With all of these important considerations the CIO or the CFO has to make, it is equally important to stay away from a phenomenon which is known specifically as "Scope-Creep." In other words, the business or the corporation needs to implement the Virtual Private Network for its original purposes, nothing more and nothing less.

Otherwise, the associated operating costs will get greatly out of hand, and the rules of Information Technology Project Management must be strictly enforced (this was reviewed in detail in our article series on Biometrics).

Once it has been decided that the benefits of deploying a Virtual Private Network actually outweigh the costs, a very orderly approach must be followed when deploying an actual Virtual Private Network. This is discussed in detail in the next section.

How to Implement a Virtual Private Network


Simply throwing the deployment plan and the related technologies at the Information Technology of the place of business or corporation and having them figure out how to fully implement an entire Virtual Private Network Infrastructure does not work at all.

Just like when it comes to implementing a Biometric System, it also takes a very strong planned and iterative approach to implementing a Virtual Private Network Infrastructure.

A controlled process is best used in these circumstances, and it should involve the following steps:

  1. Analyzing
  2. Pilot Testing
  3. The limiting of the full blown Virtual Private Network in stages
  4. Conducting a complete Virtual Private Network once the above-mentioned stages have been completed and everything else is set into place

It should be kept in mind that part of the iterative process when implementing a Virtual Private Network Infrastructure includes conducting a very detailed systems and requirements analysis, which involves a comprehensive examination of the following major, requirements:

  1. The Virtual Private Network Security Requirements
  2. The Virtual Private Network Application Programming Requirements
  3. The Virtual Private Network User Access Requirements
  4. The Virtual Private Network Requirements
  5. The Virtual Private Network Performance Requirements

With respects to the Security requirements for the soon to be implemented Virtual Private Network Infrastructure, a firm grasp of the following is needed:

  1. An understanding of the types of Information System Requirements
  2. A classification scheme of the Information Technology assets to actually determine what needs to be protected by the VPN

Regarding the Information Assets Classification, the key item to be determined is that of the tangible value of the assets related to three very important areas:

  1. The place of the business or corporation
  2. The suppliers to the organization
  3. The customers

To fully understand and quantify the value of the Information Technology assets, there are three types of risks related to them, which need to be ascertained as well. These are as follows:

  1. Integrity Risk:
    The Data Packets that get sent through the Virtual Private Network possess qualities of both a commodity and a weapon, such as:

  • Data Loss
  • Data Alteration
  • Data Theft.
    1. Confidentiality Risk:
      The Data Packets that get transmitted back from the sending and the receiving parties from within a Virtual Private Network Infrastructure most of the times consist of very confidential information/data about the business or the corporation. Although these Data Packets have been further fortified by being encapsulated, they are still prone to being lost, stolen, or even hacked into and used for malicious purposes by a Cyber attacker (for instance, launching instances of Identity Theft).
    2. Availability Risks:
      In the world of the Virtual Private Network Infrastructure, this is very serious and grave risk. This occurs when the VPN becomes totally unavailable at the business or corporation. This is often brought on upon with what is known as a Distributed Denial of Service (DDoS) attack. This is when malformed Data Packets completely floods the Virtual Private Network Infrastructure and totally overloads it.


    In this article, we have examined what it takes to determine if a Virtual Private Network Infrastructure is worth procuring and implementing, based from a financial perspective. This can be accomplished by conducting an appropriate Benefit-Cost Analysis, to determine if the benefits to be gained outweigh the costs and expenses (and even vice-versa) of deploying a Virtual Private Network Infrastructure.

    It is important to note that although a VPN can help mitigate Cyber threats and risks, there are expenses involved which could very well make it cost prohibitive for small to medium sized businesses to implement. Therefore, the Benefit-Cost Analysis will show either the net loss or the net gain, both in the short and long terms.

    Once it has been ascertained that the benefits of procuring a VPN Infrastructure outweighs or exceeds the costs, then the next step is actually to implement it. Although the exact steps in implementing a Virtual Private Network Infrastructure will vary between businesses and corporations (which will be primarily based upon their respective Security requirements), there are a number of common variables which need to be examined as well. These have also been explored in this article.

    Our next article will review the Security Policies which need to be put into place after a VPN has implemented and the network requirements which have to be met to ensure that it is functioning at its optimal levels.


    Learn Network Security Fundamentals

    Learn Network Security Fundamentals

    Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.


    Ravi Das
    Ravi Das

    Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

    You can visit the company’s website at (or; and contact Ravi at