
Business case


The business case is one of the most important stages of building a WARP because this is where the WARP Provider can start to address the question of “why should I create a WARP?” Accurate and clear answers to this question will provide the motivation, commitment and ownership essential for the success of any project.

Six stages in the process of creating a business case are described within this section of the Toolbox, along with Example documents and case study Reference tools to help you along the way:

  • Identify community
  • Identify benefits
  • Identify resources & costs
  • Identify funding
  • Produce business case
  • WARP registration

 

The following is a case study example of a WARP business case

Adobe pdf file Case study - Business case to create MYWARP (MYSWARP) (July 2005)

Adobe pdf file WARP Case Study - Experience in setting up a WARP (June 2006)

As more WARPs are set up, further case studies and documentation will be added to this Business case section.


 


1. Identify community


The first and most important activity is choosing the community for the WARP, and this stage should include undertaking some market research. This choice of community and the type of market research will depend to a large degree on who you are, and the organisation you represent. The diversity of types of WARP provider is a strength of the WARP concept and to help you identify your own community, a number of real life case studies have been documented in this Toolbox.

 


1a. Local Authority communities

There are a number of organisations that already have a trusted relationship with a community of Local Authorities, based on geographic location. Two examples are London Connects, which works with the 33 London Boroughs and Kent Connects which works with Kent councils.

Given that there were existing relationships in those cases, identifying the community was much simplified; however, market research is still a vital element to judge how receptive the membership will be to WARP services.

In one case this market research was achieved by the prospective WARP provider approaching someone in a Local Authority whom they already knew to have a good understanding of the information security issues which the WARP could address. This person already had existing contacts and agreed to call a half day workshop with these contacts. The results of this workshop are provided as a case study reference document:

Adobe pdf file Case study - Meeting between local authorities discussing the creation of a WARP (V1.0 May 2004)

Powerpoint presentation Case study - Short presentation to help Q&A session at WARP start-up workshop (January 2001)

In another case, the market research was conducted at a higher level where the prospective WARP provider gave a presentation at an existing meeting of Local Authority Directors. This high level top down approach, and the lower level bottom up approach are both effective ways to judge the community's interest in joining a WARP.

 



1b. Trade Association and Chamber of Commerce communities

There are many membership organisations such as Trade Associations and Chambers of Commerce who already provide a range of services to their members. These often have large memberships (>1000 members), which is too large for a typical WARP, especially early on. Some means must therefore be found to choose a sub-community within this membership that would be most receptive to becoming members of a WARP.

In one case, a number of members in the organisation had recently raised Information Security as an area of interest and had created a sub-committee to provide direction and advice to members. The chairman of this committee would be a good stakeholder to approach to include WARPs on the agenda of their next meeting. In this case, CPNI was able to send a representative to give a presentation at the meeting, as in the case study below:

Powerpoint presentation Case study - CPNI presentation to a Security Committee to gauge interest in WARPs (January 2001)


 

1c. Partnership - commerce and academic communities

This WARP model and the Toolbox are not intended to be used for profit making business ventures, as stated in the WARP Code of Practice and the Toolbox terms & conditions. However, a commercial company working with an independent organisation such as a University, setting up a not-for-profit WARP would be welcomed. The benefits to the commercial company in this case would be increased marketing exposure to the community, contribution to the general good and other partnership opportunities. One example of this type of partnership is where a Regional Development Agency is funding the creation of a Technology Centre in a redevelopment area, in partnership with local businesses and Universities. In this case WARPs were seen to be a valuable differentiator for the Technology Centre.



1d. Large public sector department communities

Providing a WARP within a large public sector department, and choosing the community, provides different issues and opportunities from those in the previous cases. The first difference is that due to the large scale of these departments, it is likely that co-ordinated multiple WARPs will be required rather than one large WARP. The other difference is that these sub-communities are more likely to be subject to direct management control, whereas most WARPs are completely free-standing and independent.

In one case a large Government agency has set up a WARP to help with its Information Governance responsibilities and is looking to roll out further WARPs within the agency among different communities, all communicating and sharing.

Another large government department is working closely with its Managed Service Provider to set up a WARP to provide a more rigorous and defined security role in its customer/supplier relationship.


 

1e. Large Corporate communities

Commercial organisations are allowed to establish WARPs, provided that they do so on a Not-for-Profit basis, though they can establish this on a cost-recovery basis. They would need to be able to satisfy other WARPs that they were not exploiting the model, network and tools directly for profit.

Two examples of this are:

  • A large telco using the model in conjunction with an internal CERT to improve incident reporting and provide effective warnings and advice internally. This initial phase will then be developed to provide services to customer groups and partners who are at particular risk of electronic attack.
  • Another Managed Service Provider is using the WARP model to better disseminate advisories to its product customers, and assist them in sharing advice & best practice and gathering feedback on its services as well as on incidents affecting them.

 


 


2. Identify benefits


The benefits to the WARP Provider of setting up a WARP will depend on the type of organisation represented and the community chosen for the WARP. In cases where an organisation already provides services to the prospective WARP community, then creating a WARP will add another service to their portfolio. The benefit to the WARP provider is likely to be directly proportional to the benefit of a WARP to its members, which are listed below.

It may help at this stage to validate the relevance of the WARP services outlined in this Toolbox by visiting the Service requirements section.

 

Member services and benefits

The argument and business case for creating a WARP is enhanced significantly by real examples of benefits derived from existing WARPs and their members. The following document describes the benefits derived by WARP members (anonymised) from the three WARP services, filtered warnings, advice brokering and trusted sharing. The case studies describe benefits in terms of cost savings, increased security and increased capability. This document will be updated regularly as new benefits are documented from WARPs and their members.

Adobe pdf file WARP member benefits statements (V1.0 July 2005)

The high level services and benefits below relate to members who deploy ICT systems in their business activities, including eGov or eBusiness services.

  • Trusted environment - Trust and confidence are crucial characteristics of any on-line service, and a successful attack which compromises the Confidentiality, Integrity or Availability of the information related to these services will undermine this confidence. Security incidents are newsworthy and the media often fuels this erosion of trust with the end result being political embarrassment and people not wanting to use the on-line services, especially if their personal information is at risk.

The WARP will provide a trusted community of interest where members can report incidents and seek advice without the fear that the information will be used to harm them.

  • Information Filtering - The threat from a malicious attack is growing, as evidenced by many surveys including the 2004 Security Breaches DTI survey. The number of Advisories and Warnings is also growing with CPNI providing UNIRAS reports sometimes on an hourly basis. Analysing these reports and making decisions on what action to take is often difficult and time consuming.

The WARP will understand the community of interest and filter information from sources such as UNIRAS on relevance and urgency before passing on the information to participants, thereby facilitating the decision making process and at lower cost than working on their own.

  • Access to Expert advice - Many of the Advisories and Warnings require specialist knowledge to fully understand the significance and required action to reduce the risk of a successful attack.

The WARP will facilitate information sharing between experts both within the WARP and in liaison with other experts from trusted organisations such as CPNI, thereby producing higher quality solutions.

  • Early warning - Although early warning is often a difficult aspiration to realise, there is benefit to an organisation in knowing when and how other organisations are being attacked, especially if they are within their community of interest. This will help an organisation put in place emergency preventative measures which in normal circumstances would not be operationally acceptable.

The WARP will provide a validated and trusted reporting environment which will enable participants to benefit from the experience of others when attacks are taking place.

  • Strategic Decision Support - "How much should I spend on security?" is often a difficult question to answer, along with "When and what should I spend it on?" Benchmarking against other organisations within your community of interest is one approach, and another is to use validated trend data from reported incidents.

The WARP will over time analyse incidents and the most effective countermeasures, and together with threat forecasts, produce strategic reports which can be used to support the business decision process for security investment, thereby optimising the value of the investment.

  • Education and Awareness - Information Security is a topic which is continually evolving as new technologies are introduced, new threats identified and new solutions developed.

The WARP will provide a channel to disseminate advice on new security topics, based on the relevance to the community, from sources such as CPNI.

 


 


3. Identify resources & costs

Costs will vary from one organisation to another depending on whether the WARP is starting from scratch or can take advantage of existing infrastructure and resources.

In some instances a WARP can be set up and run at no cost by using volunteers and manual processes. Some recent WARPs have managed to set up with a first year cost of ~£40k, which includes building and running the Filtered Warnings Application (FWA) software with appropriate resources to create their own Notifications and manage all three WARP services. This can be the best option if the WARP provider is thinking of creating multiple WARPs, as each successive WARP can be provided for a fraction of the first set-up cost given the economies of scale. If a WARP provider is only considering creating a single WARP then they may find it more economical to outsource the WARP infrastructure and FWA operation from another WARP or a third party supplier. Several WARPs have expressed an interest in providing this service and you can find a list of all WARPs, with their contact details, in the WARP register. Note that not all WARPs run the FWA software.

The following spreadsheet has been extracted from a real WARP business case for a partnership between a commercial company and a local University and shows the breakdown of costs, which can be used as a basis for your own costing analysis. In this case study, the first year costs were £54k and the following years' running costs were £47k. It should be noted, however, that most of the budget cost is manpower, and this cost depends heavily on your chosen method of resourcing it and the level of service you plan to offer.

Excel file Case study2 - WARP costing spreadsheet (November 2003)

To help in this cost analysis, the related 'Case study WARP registration application (V3.0)' is included below.

Adobe pdf file Case study2 - WARP registration application (V3.0 February 2006)

 


 


4. Identify funding


There are different opportunities for funding a WARP, including:

  • Internal - where the WARP Provider's host organisation decides that it will fund the WARP. This does not have to be new money as it may be possible to utilise existing budgets and existing resources. This funding could, for example, be used to help start up the WARP and then move to another funding model after the first or second year;

  • Member subscription - the costs of setting up and running a WARP are shared among the WARP membership;

  • Member co-operative - the costs are offset by the members working as part of a virtual team;
  • Partnership - the costs are shared with a partner, which could also have a relationship with the chosen WARP community. This partnership could be commercial, or with an organisation that has some form of corporate responsibility for the community and wishes to take advantage of the trusted community the WARP can create;

  • Sponsorship - the costs are offset by external organisations providing sponsorship. This is most likely to help start-up the WARP, which may then move to one of the other funding options after the first year. This sponsorship could be by public sector bodies such as Regional Development Agencies or potentially EU sources, or possibly central government. It could also be via commercial sponsorship, which is discussed in more detail in the next section.

Commercial sponsorship opportunities

The experience of existing WARPs indicates that there are many commercial companies who are prepared to sponsor WARPs. This sponsorship can manifest itself by discounts on products and services, sponsorship of events and supplying resources at cost or even at no charge.

To help encourage this type of sponsorship, the Toolbox provides a list of companies who have already shown a commitment to sponsoring WARPs. CPNI does not endorse or recommend any of these sponsors directly, as it is important to limit liability and maintain its independence. To this end, any sponsor who supports a WARP can have their details included in the WARP Toolbox. The current Sponsors are listed in the Useful links section of the Toolbox.

 


 


5. Produce business case


The format of your business case is likely to depend on the policies and procedures of your host organisation and the value of the investment on which you are seeking a decision. The experience of current WARPs indicates that the investment is modest and therefore a short concise business case is often sufficient, and indeed preferred, as it simplifies the communication and decision making process.

In one case a WARP Provider for a Local Authority WARP helped argue the business case by showing the obvious cost advantages to members in the attached chart.

[Chart: WARP costing graph]

It was estimated that each authority would spend at least £10,000 each year on providing some of the WARP services in house - such as the filtered warning function. The chart shows how the £25,000 cost of this particular WARP can be spread among its membership with obvious cost savings and healthy margins for the WARP Provider.

In this case the WARP costs were the external costs, with the manpower costs already covered by using existing resources. The same graphical approach can be used, however, for any cost value simply by changing the cost axis on the graph.

This same WARP Provider made the case to self-fund the WARP in the first year with some sponsorship and move to a subscription model in the second year. It also set itself up as a legal entity in order to share risk and limit liability. Within the business case it argued that it:

  • Would provide a proactive approach to securing information systems

  • Would provide an opportunity to deliver income generation services to the community

  • Would provide an opportunity to become an example of good practice for the rest of the UK

  • Could provide a mechanism for other alerts such as may be required by the emergency planners

A successful business case will provide you with the resources and funding as well as clear ownership of the project.

 


 


6. WARP registration


WARP providers must establish a clear business case for setting up a WARP, as described in the previous section. They also have a responsibility to conduct their business in a responsible manner consistent with a set of values which engenders trust. This trust is important not just within the WARP's own community, but also within the broader WARP community.

To facilitate WARP trust, CPNI has introduced a WARP registration process where authorised WARPs will have a number of benefits. These include the use of the WARP brand, CPNI endorsement by being included on the published list of registered WARPs, and access to the Filtered Warnings Application (FWA) software.

The WARP registration process, reflected in the WARP registration application form, contains 3 steps:

Step 1 - The prospective WARP Provider (applicant) should agree to adhere to the terms and conditions of the WARP Toolbox.

 

Step 2 - The applicant should agree to abide by the 'WARP Code of Practice', described in the document below.

Adobe pdf file WARP - Code of Practice (V2.0 August 2004)

Step 3 - If the applicant agrees to adhere to the terms and conditions of the Toolbox, abide by the WARP Code of Practice, and feels they have the right credentials to become a WARP provider, they should complete the following registration application form. The application should be sent to contact us.

Adobe pdf file Word document WARP registration application form (V5.0 February 2008) - *NEW*

Applicants can view a completed application form, based on a real application but anonymised, in the following example.

Adobe pdf file Example WARP registration application for (V4.0 September 2006)

CPNI will evaluate the application and inform the applicant of the outcome.

If the applicant is unsure about any aspect of WARP registration, then they should seek clarification at contact us.

 

NB: If a Provider wishes to change the nature of the WARP community after their registration has been approved, then prior to implementing any changes they must send details to CPNI, using the following form. When approved, this will also enable CPNI to update the WARP Register.

Adobe pdf file Word document WARP registration amendment form (V1.0 January 2005)

Next step - Project start-up will take you through the next step in the process. It will help with project management, team building and communicating via your own start-up WARP website.

 




© Crown copyright 2004
Published : 19-Feb-2008