FinancialSecurityPlan.md
April 21, 2026 ยท View on GitHub
๐ฐ Black Trigram โ Financial & Security Plan
๐ Infrastructure Cost Analysis & Security Investment
๐ Secure Development Policy ยท Classification Framework
๐ Document Owner: CEO | ๐ Version: 1.1 | ๐ Last Updated: 2026-04-21 (UTC) ๐ Review Cycle: Annual | โฐ Next Review: 2027-04-21 ๐ท๏ธ Classification: Public (Frontend-Only Educational Gaming Platform)
๐ ISMS Alignment: This document follows Hack23 Secure Development Policy business continuity and lifecycle documentation requirements.
๐ Purpose
This document outlines the financial and security implementation plan for the Black Trigram (ํ๊ด) Korean martial arts educational gaming platform. For architectural context, see the Architecture Documentation and End-of-Life Strategy.
๐ต Current Cost Summary โ AWS CloudFront + S3 Static Deployment
The current architecture is a static React SPA deployed on AWS CloudFront + S3, with disaster recovery on GitHub Pages, resulting in minimal infrastructure costs.
Cash Flow Overview
| Time Frame | Monthly (USD) | Annual (USD) |
|---|---|---|
| Total Infrastructure | $7.00 | $84.00 |
| Security Tooling | $0.00 | $0.00 |
| Development CI/CD | $0.00 | $0.00 |
| Grand Total | $7.00 | $84.00 |
Note: Black Trigram leverages free-tier and low-cost services for open source projects. The primary recurring costs are AWS CloudFront/S3 hosting, Route 53 DNS with health check failover, CloudWatch monitoring, and domain registration.
๐๏ธ AWS Infrastructure Cost Breakdown
| Component | Service | Monthly (USD) | Annual (USD) | Notes |
|---|---|---|---|---|
| Hosting | AWS S3 (Static Site) | $0.50 | $6.00 | Static assets, low-traffic educational site |
| CDN | AWS CloudFront | $2.00 | $24.00 | Global edge distribution, HTTPS termination |
| DNS | AWS Route 53 | $1.50 | $18.00 | Hosted zone + DNS queries + basic health check for DR failover to GitHub Pages |
| Domain | Domain Registration | $1.00 | $12.00 | Annual domain renewal (~$1/mo averaged) |
| SSL/TLS | AWS Certificate Manager | $0.00 | $0.00 | Free TLS certificates for CloudFront |
| DR Hosting | GitHub Pages | $0.00 | $0.00 | Free disaster recovery for public repos |
| Monitoring | AWS CloudWatch (basic) | $2.00 | $24.00 | Basic monitoring and alarms |
| AWS/Infra Total | $7.00 | $84.00 |
๐ก๏ธ Security & DevOps Tooling (All Free Tier / OSS)
| Component | Service | Monthly (USD) | Annual (USD) | Notes |
|---|---|---|---|---|
| CI/CD | GitHub Actions | $0.00 | $0.00 | Free for public repos |
| Code Scanning | GitHub Advanced Security | $0.00 | $0.00 | Free for public repos |
| Dependency Scanning | Dependabot | $0.00 | $0.00 | Free for all repos |
| SAST | SonarCloud | $0.00 | $0.00 | Free for open source |
| SBOM | GitHub SBOM + SLSA | $0.00 | $0.00 | Free for public repos |
| Tooling Total | $0.00 | $0.00 |
๐ Cost Analysis by Architecture Component
%%{
init: {
'theme': 'base',
'themeVariables': {
'primaryColor': '#e8f5e9',
'primaryTextColor': '#2e7d32',
'lineColor': '#4caf50',
'secondaryColor': '#e3f2fd',
'tertiaryColor': '#fff8e1'
}
}
}%%
pie title Monthly Infrastructure Cost Distribution (\$7.00/month)
"AWS CloudFront CDN" : 2.00
"AWS CloudWatch" : 2.00
"AWS Route 53 DNS" : 1.50
"Domain Registration" : 1.00
"AWS S3 Hosting" : 0.50
๐ Security Investment Analysis
Current Security Tooling (Incremental Cost โ All Free/OSS)
Note: This table covers incremental security tooling costs only. Security-related AWS infrastructure services (e.g., CloudFront, CloudWatch) are accounted for separately under the infrastructure cost breakdown above.
| Security Service | Provider | Annual Cost | ISMS Policy Alignment |
|---|---|---|---|
| SAST Scanning | SonarCloud | $0.00 | Secure Development Policy |
| Dependency Scanning | Dependabot + npm audit | $0.00 | Vulnerability Management |
| Secret Scanning | GitHub Secret Scanning | $0.00 | Cryptography Policy |
| Code Scanning | CodeQL | $0.00 | Secure Development Policy |
| Supply Chain | SLSA Level 3 + Scorecard | $0.00 | Open Source Policy |
| License Compliance | FOSSA | $0.00 | Open Source Policy |
| E2E Testing | Cypress (OSS) | $0.00 | Secure Development Policy |
| Unit Testing | Vitest (OSS) | $0.00 | Secure Development Policy |
| CDN Security | AWS CloudFront (built-in) | Included in infrastructure cost | Network Security Policy |
| TLS Certificates | AWS Certificate Manager | Included in infrastructure cost | Cryptography Policy |
| Total Incremental Security Tooling Cost | (excludes AWS security services costed in infrastructure) | $0.00 | See infrastructure cost breakdown |
Security ROI Metrics
Note: ROI figures below cover incremental security tooling and services only (all currently OSS/free). Security-related AWS infrastructure (e.g., CloudFront, CloudWatch, Route 53 health checks) is accounted for separately under infrastructure costs and currently totals โ$54.00/year across ISMS policy areas.
| Metric | Value | Source |
|---|---|---|
| Total Security Tooling Investment | $0/year | Free OSS tooling (excluding AWS infrastructure spend) |
| Vulnerability Detection Rate | >95% | Automated scanning pipeline |
| Mean Time to Detect (MTTD) | <24 hours | Automated CI/CD scanning |
| Code Coverage (Target) | >80% | Vitest + Cypress (target; see UnitTestPlan.md for current coverage) |
| Supply Chain Score | OpenSSF Scorecard | Automated assessment |
| SLSA Level | Level 3 | GitHub Actions attestation |
| CII Best Practices | Passing | Core Infrastructure Initiative |
๐๏ธ AWS Infrastructure Security Architecture
Current Production Architecture
%%{
init: {
'theme': 'base',
'themeVariables': {
'primaryColor': '#e3f2fd',
'primaryTextColor': '#01579b',
'lineColor': '#2196f3',
'secondaryColor': '#e8f5e9',
'tertiaryColor': '#fff8e1'
}
}
}%%
flowchart LR
subgraph USERS["๐ Users"]
BROWSER["๐ฅ๏ธ Browser<br/>Korean Martial Arts<br/>Education"]
end
subgraph AWS["โ๏ธ AWS Infrastructure (\$7.00/month)"]
CF["๐ CloudFront CDN<br/>\$2.00/month<br/>Global Edge Distribution<br/>TLS 1.3 Termination"]
S3["๐ฆ S3 Bucket<br/>\$0.50/month<br/>Static Site Hosting<br/>Versioning Enabled"]
R53["๐ Route 53<br/>\$1.50/month<br/>DNS Management<br/>Health Check Failover"]
CW["๐ CloudWatch<br/>\$2.00/month<br/>Basic Monitoring<br/>Alerts"]
ACM["๐ ACM<br/>\$0.00/month<br/>TLS Certificates<br/>Auto-Renewal"]
end
subgraph DR["๐ Disaster Recovery (\$0/month)"]
GHP["๐ GitHub Pages<br/>Free DR hosting<br/>Automatic failover"]
end
BROWSER --> R53
R53 --> CF
CF --> S3
CF --> ACM
CW --> CF
CW --> S3
R53 -.->|Health Check Failover| GHP
style AWS fill:#e3f2fd
style DR fill:#f3e5f5
style USERS fill:#e8f5e9
AWS Security Controls (Included in Base Cost)
| Security Control | AWS Service | Additional Cost | ISMS Alignment |
|---|---|---|---|
| HTTPS Enforcement | CloudFront + ACM | $0.00 | Cryptography Policy |
| DDoS Protection | AWS Shield Standard | $0.00 | Network Security Policy |
| Geo Restriction | CloudFront | $0.00 | Access Control Policy |
| Access Logging | S3 + CloudFront | $0.00 | Information Security Policy |
| Versioning | S3 Versioning | $0.00 | Backup & Recovery Policy |
| Origin Access | CloudFront OAI/OAC | $0.00 | Access Control Policy |
| Security Headers | CloudFront Functions | $0.00* (assumes free-tier usage) | Secure Development Policy |
CloudFront Functions pricing includes a monthly free tier (e.g., first 2 million invocations); this plan assumes usage remains within that free tier. Higher invocation volumes will incur additional per-invocation charges according to AWS regional pricing and will increase the AWS Infrastructure and TCO figures accordingly.
๐ฐ Total Cost of Ownership (TCO) Summary
3-Year TCO Projection
| Cost Category | Year 1 | Year 2 | Year 3 | 3-Year Total |
|---|---|---|---|---|
| AWS Infrastructure | $84.00 | $84.00 | $84.00 | $252.00 |
| Security Tooling | $0.00 | $0.00 | $0.00 | $0.00 |
| CI/CD Pipeline | $0.00 | $0.00 | $0.00 | $0.00 |
| Compliance Tools | $0.00 | $0.00 | $0.00 | $0.00 |
| Development Tools | $0.00 | $0.00 | $0.00 | $0.00 |
| Total | $84.00 | $84.00 | $84.00 | $252.00 |
Cost Efficiency Analysis
| Metric | Value | Benchmark |
|---|---|---|
| Monthly cost per user | <$0.01 | Educational gaming platform |
| Security cost per vulnerability found | $0.00 | All automated, free tools |
| Infrastructure cost ratio | Low-cost AWS infra; most security/dev tooling free-tier/OSS | Open source project |
| DR cost overhead | $0.00 | GitHub Pages as free DR |
| Compliance cost | $0.00 | OSS tools (SonarCloud, FOSSA, Scorecard) |
๐ Cost Optimization Strategies
Current Optimizations
- ๐ Open Source Advantage: All security scanning tools are free for open source projects
- โ๏ธ AWS Free Tier: CloudWatch includes an ongoing Free Tier with fixed quotas for metrics, logs, and alarms; the current cost breakdown and illustrative $84/year TCO assume a low-volume workload with an estimated โ$2/month CloudWatch portion that will increase if usage exceeds those free-tier quotas
- ๐ฆ Static Architecture: No server-side compute costs (no Lambda, EC2, or containers)
- ๐ Built-in Security: AWS Shield Standard and CloudFront security headers at no additional cost
- ๐ GitHub Actions: Unlimited CI/CD minutes for public repositories
- ๐ DR at Zero Cost: GitHub Pages provides automatic disaster recovery hosting
Future Cost Considerations
If the platform evolves beyond a static frontend (see FUTURE_ARCHITECTURE.md):
| Evolution Scenario | Estimated Monthly Cost | Key Cost Drivers |
|---|---|---|
| Current (Static SPA) | $7.00 | CloudFront + S3 + Route 53 |
| + API Gateway + Lambda | $15-25 | Serverless compute |
| + DynamoDB | $25-40 | Data persistence |
| + WAF + GuardDuty | $50-75 | Enhanced security services |
| Full AWS Stack | $75-100 | All AWS security services |
๐ Budget Alignment with ISMS Policies
Security Investment by ISMS Policy Area
| ๐ก๏ธ ISMS Policy | ๐ฐ Current Annual Cost | ๐ง Services Used | ๐ Business Value |
|---|---|---|---|
| Secure Development Policy | $0.00 | SonarCloud, CodeQL, Vitest, Cypress | Automated code quality and security |
| Vulnerability Management | $0.00 | Dependabot, npm audit, Scorecard | Continuous vulnerability detection |
| Cryptography Policy | $0.00 | AWS ACM, GitHub Secret Scanning | TLS certificates and secret protection |
| Network Security Policy | $24.00 | CloudFront, AWS Shield Standard | CDN and DDoS protection |
| Access Control Policy | $0.00 | CloudFront OAC, S3 bucket policies | Origin access control |
| Backup & Recovery Policy | $6.00 | S3 Versioning, GitHub Pages DR, Route 53 health check failover | Multi-layer backup strategy with automatic DR failover |
| Information Security Policy | $24.00 | CloudWatch, Access Logs | Monitoring and audit logging |
| Total | $54.00 |
๐ Related Documents
| Icon | Document | Relationship |
|---|---|---|
| ๐๏ธ | Architecture | System architecture overview |
| ๐ก๏ธ | Security Architecture | Security model details |
| ๐ฏ | Threat Model | Risk-driven security justification |
| ๐ฎ | Future Architecture | Evolution roadmap |
| ๐ | End-of-Life Strategy | Technology lifecycle management |
| ๐ | BCPPlan | Business continuity planning |
| ๐ | README | Project overview |
| ๐ผ | SWOT | Strategic assessment |
๐ Document Control
Approved by: James Pether Sรถrling, CEO, Hack23 AB
Distribution: Public (GitHub Repository)
Classification: