Guidelines on how to determine Return on Investment in PKI
An original whitepaper from the OASIS PKI Technical Committee, in 2005.
IT managers are under increasing pressure to deliver clear Return On Investment (ROI)
figures. ROI is notoriously difficult to compute for IT infrastructure in general, and leading
edge technologies like PKI in particular, where costs are easier to quantify than benefits.
Yet in order to mount a robust business case for PKI, we must speak the language of all
executive stakeholders, including financial managers. And this means we need ways to
work out and talk about the ROI.
Here we provide a simple, practical framework for separately calculating the benefits and
the costs of deploying PKI technologies and/or services in the enterprise. Costs are best
understood in terms of a digital certificate supply chain, with a number of independent
elements each able to be implemented in various ways, with differing associated
expenses. The framework accommodates a wide range of contemporary PKI variations,
including outsourced versus insourced CAs, thin client or fat client end user application
environments, and the full range of private key media. The paper also provides a brief
survey of some of the recent research done on e-business and infrastructure ROI.