
FAQ for Toolbox



General

How much will it cost to set up and run a WARP?

Costs will vary from one organisation to another depending on whether the WARP is starting from scratch or can take advantage of existing infrastructure and resources. In some instances a WARP can be set up and run at no cost by using volunteers and manual processes. At the other end of the scale, where full-time resources are used with dedicated IT infrastructure, the business case section of the Toolbox contains an exemplar where the costs of setting up and running a WARP have been calculated to be £90k in the first year (circa 2004). If a virtual team can be used where manpower costs are covered elsewhere, then the costs can be reduced to around £26k in the first year, with ongoing running costs of £15k/year. Within the Toolbox is an Excel spreadsheet which will enable you to calculate the costs for your own organisation, by varying the component costs depending on your own situation.


How am I going to fund the costs?

Possible WARP funding models are available in the Toolbox:

  • Internal – a WARP hosting organization decides to fund the WARP. This does not have to be new money, as it may be possible to utilize the existing budget and resources;
  • Member subscription – the costs are shared among the WARP members;
  • Member co-operative – the costs are offset by the members working as part of a virtual team;
  • Partnership – the costs are shared with a partner who has an interest in the community;
  • Sponsorship – the costs are offset by external organizations providing sponsorship.

Though the situation differs for each WARP, CPNI encourages WARPs to provide their services to members at no cost for the first year if possible, then charge a low subscription, or find some other way of funding it thereafter.


What are my liabilities if I choose to set up and run a WARP?

These will be the same as for most Service Providers in line with UK law, where the Provider has to comply with general operating requirements such as, for example, the Data Protection Act. In order not to mislead WARP members, and to limit liability, it is good practice to document agreements between the WARP and its members. Example customisable agreements are included within the Toolbox.


What is in the Toolbox?

The Toolbox is a web-based resource which has been designed to provide step-by-step support to anyone setting up and running a WARP. The contents include:

  • help in producing a business case for a WARP;
  • assistance with registration;
  • guidelines, case studies and reference documents;
  • downloads of customisable forms, documents, presentations and spreadsheets;
  • downloads of publications which you can re-use.

The Toolbox has been created from the experience of other WARPs.


What do I do first?

The Toolbox has been structured such that you could start at the top of the navigation buttons and work down to the bottom in a logical sequence. For those who want to get a flavour of WARPs, it would be useful to read the WARP services section which describes what WARPs can deliver. Introduction to the Toolbox is a natural place to enter the Toolbox and will give you an overview of the process of setting up and running a WARP before you move onto the detail. Setting up a WARP will lead you through the detail of the following stages and supply support in the form of documentation and software. If WARPs are completely new to you, then first go to Introduction to WARPs.


What is the appropriate number of members for a WARP?

There are two key factors which directly affect the optimum size of a WARP: the homogeneity of the community and the resources it can afford. If the IT security needs and interests of the members are all very similar, meaning homogeneous, then the number of members may be larger. In contrast, if the needs and interests are very diverse, then the number may need to be small, or the Operator will be overwhelmed trying to deal with the diverse range of subjects and sources. This can be solved by putting in more resources (several technical staff), but that would increase costs. Typically, about 30 to 100 is a good number for a WARP with one technical staff member. Taking into account the factors above, you should carefully find the optimum number for your community.


I represent a non-UK community operating abroad. Can I register to set up a WARP?

Yes, as long as you can demonstrate to CPNI that the WARP will not be used directly to generate profit for your business. For example, if you want to use the WARP model to improve your corporate security effectiveness, then you could use the Toolbox. If you wanted to set up and run a WARP for your local community in conjunction with suitable partners, and as long as it was not for profit, then you can use the Toolbox. On the other hand, if you wanted to use the Toolbox to set up and run a WARP as a commercial venture in its own right and for profit, then you would not be allowed to use the Toolbox. If you are in any doubt then send an email outlining your proposition – see Contact us.


FWA (Filtered Warnings Application)

I just want to use the FWA software. Can I do that?

No. The FWA software is a tool to help develop a full WARP model, where trust is built and incident sharing flourishes. Though it is useful in its own right, it can only be made available to registered WARPs and cannot be used simply as a standalone delivery system for security advisories.


My IT infrastructure is not Windows-based. Does it mean I cannot use the FWA software?

Yes. Currently the FWA software works only on a Windows-based server (2003). However, an open source version of FWA might be available in the future. Check the News now and then for further developments.


How does FWA software help the community?

The FWA software has been regarded as a key feature attracting users to join a WARP, and thus a major ‘foot in the door’. It helps organizations which don’t have in-house IT security resources, or want to use their resources more efficiently, to select only the advisories which affect their IT infrastructure and therefore become aware of the threats particular to them. Through the Advice Brokering Services, the organizations can also discuss together how to act on them. An established WARP reported that the WARP advisories and news circulated through the FWA also contribute to raising awareness, and the very fact that information is being circulated to the whole community, without favour, encourages trust.


Building a WARP

Can I run more than one WARP?

Yes. In fact, some of the established WARPs are run by the same operators. It is a good idea because there are economies of scale; however, it is important that the WARP operator deals with each community separately, has a good knowledge of each community, and associates with each one to maintain a trusted environment. So there must be a balance between efficiency and effectiveness in operating more than one WARP. Sometimes this requires a partnership between one operator who is close to the community, and another who administers the technical aspects (FWA etc.). CPNI is developing the FWA software to run multiple WARPs on a single server to save costs while keeping each community discrete and identifiable so that they still feel like a small community.


How do I get to know the community I am going to serve?

You should find a ‘Champion’ for the community you are planning to serve. The Champion is a person who hears about the WARP idea, looks into it further and becomes enthusiastic about establishing a WARP. The Champion may be part of a community or may be responsible for a community, and often becomes the WARP Provider (as well as the WARP Operator). The Champion will help you understand a community and sell the idea to the community. The Champion concept has been identified through observation and has indeed proven to be a key factor in successfully establishing a WARP. For a real case study, see the WARP News articles section.


Can I obtain financial assistance in setting up a WARP?

The Toolbox itself will reduce the cost significantly in building and running a WARP. WARPs will also be entitled to receive UNIRAS email warnings and advisories which the WARP can re-use and help reduce some of the costs. There are also opportunities for direct sponsorship and subsidies from a number of sources. In the private sector, IT and security vendors have shown a willingness to provide funding for specific elements of a WARP, from sponsoring a WARP launch event to providing discounted Website hosting – the Toolbox contains details of some likely sponsors. The parent body of the organisation may also see opportunities to combine the WARP with other initiatives thereby providing opportunities to share existing budgets.


How do I get potential members to join?

In the Toolbox you will find marketing brochures, presentations and business case literature to make a convincing case for membership of a WARP.


Running a WARP

Will trust building be achieved?

Yes. No doubt it won’t be all smooth sailing, and a culture of rivalry, sectionalism and mistrust may be there. But in a case study, the established WARPs reported that, largely through face-to-face contact, the mutually beneficial aspects of threat sharing had come to be appreciated, and genuine progress towards a trusted community had begun to emerge. It will take some time but it would be worth trying.


My WARP is ready and functional. From where do I start?

WARPs are for a community of small organizations which typically lack ICT resources and have little knowledge of the IT infrastructure on which their business critically depends. If that is the case, it has been identified that the very first task is raising security awareness among the members.


What facilities and personnel will I need to run a WARP?

This will entirely depend upon which services you decide are required by your WARP community. Many of the information sharing ideas promoted by the WARP idea can be achieved simply with a web site and somebody to administer it, but obtaining real value can require more by way of infrastructure. Take a look at the section on WARP infrastructure for a more detailed answer.


What should I do to facilitate information sharing?

Information sharing is a complex business. The technical aspects (such as secure infrastructure) are very important and you should provide adequate security to protect the information exchanged, but you must not forget the socio-psychological aspects either. There is a research paper in the Toolbox addressing the factors which affect information sharing behaviour. See the Governance section for the reference on building trust.


The cost model says one technical operator. What if I, the only operator, want a holiday?

Some WARPs adopt a ‘team’ approach, which involves several operators each taking a turn, or sharing the burden of the day-to-day operations. Terms of reference for the operator will differ for each WARP. If you are to be hired as an individual operator rather than as part of an organization, you should discuss the issue with the WARP Provider.




© Crown copyright 2004
Published : 09-Mar-2007