FinancialSecurityPlan.md

April 21, 2026 ยท View on GitHub

Hack23 Logo

๐Ÿ’ฐ Black Trigram โ€” Financial & Security Plan

๐Ÿ“Š Infrastructure Cost Analysis & Security Investment
๐Ÿ”— Secure Development Policy ยท Classification Framework

Owner Version Status

๐Ÿ“‹ Document Owner: CEO | ๐Ÿ“„ Version: 1.1 | ๐Ÿ“… Last Updated: 2026-04-21 (UTC) ๐Ÿ”„ Review Cycle: Annual | โฐ Next Review: 2027-04-21 ๐Ÿท๏ธ Classification: Public (Frontend-Only Educational Gaming Platform)

๐Ÿ” ISMS Alignment: This document follows Hack23 Secure Development Policy business continuity and lifecycle documentation requirements.


๐Ÿ“‹ Purpose

This document outlines the financial and security implementation plan for the Black Trigram (ํ‘๊ด˜) Korean martial arts educational gaming platform. For architectural context, see the Architecture Documentation and End-of-Life Strategy.


๐Ÿ’ต Current Cost Summary โ€” AWS CloudFront + S3 Static Deployment

The current architecture is a static React SPA deployed on AWS CloudFront + S3, with disaster recovery on GitHub Pages, resulting in minimal infrastructure costs.

Cash Flow Overview

Time FrameMonthly (USD)Annual (USD)
Total Infrastructure$7.00$84.00
Security Tooling$0.00$0.00
Development CI/CD$0.00$0.00
Grand Total$7.00$84.00

Note: Black Trigram leverages free-tier and low-cost services for open source projects. The primary recurring costs are AWS CloudFront/S3 hosting, Route 53 DNS with health check failover, CloudWatch monitoring, and domain registration.


๐Ÿ—๏ธ AWS Infrastructure Cost Breakdown

ComponentServiceMonthly (USD)Annual (USD)Notes
HostingAWS S3 (Static Site)$0.50$6.00Static assets, low-traffic educational site
CDNAWS CloudFront$2.00$24.00Global edge distribution, HTTPS termination
DNSAWS Route 53$1.50$18.00Hosted zone + DNS queries + basic health check for DR failover to GitHub Pages
DomainDomain Registration$1.00$12.00Annual domain renewal (~$1/mo averaged)
SSL/TLSAWS Certificate Manager$0.00$0.00Free TLS certificates for CloudFront
DR HostingGitHub Pages$0.00$0.00Free disaster recovery for public repos
MonitoringAWS CloudWatch (basic)$2.00$24.00Basic monitoring and alarms
AWS/Infra Total$7.00$84.00

๐Ÿ›ก๏ธ Security & DevOps Tooling (All Free Tier / OSS)

ComponentServiceMonthly (USD)Annual (USD)Notes
CI/CDGitHub Actions$0.00$0.00Free for public repos
Code ScanningGitHub Advanced Security$0.00$0.00Free for public repos
Dependency ScanningDependabot$0.00$0.00Free for all repos
SASTSonarCloud$0.00$0.00Free for open source
SBOMGitHub SBOM + SLSA$0.00$0.00Free for public repos
Tooling Total$0.00$0.00

๐Ÿ“Š Cost Analysis by Architecture Component

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#e8f5e9',
      'primaryTextColor': '#2e7d32',
      'lineColor': '#4caf50',
      'secondaryColor': '#e3f2fd',
      'tertiaryColor': '#fff8e1'
    }
  }
}%%
pie title Monthly Infrastructure Cost Distribution (\$7.00/month)
    "AWS CloudFront CDN" : 2.00
    "AWS CloudWatch" : 2.00
    "AWS Route 53 DNS" : 1.50
    "Domain Registration" : 1.00
    "AWS S3 Hosting" : 0.50

๐Ÿ” Security Investment Analysis

Current Security Tooling (Incremental Cost โ€” All Free/OSS)

Note: This table covers incremental security tooling costs only. Security-related AWS infrastructure services (e.g., CloudFront, CloudWatch) are accounted for separately under the infrastructure cost breakdown above.

Security ServiceProviderAnnual CostISMS Policy Alignment
SAST ScanningSonarCloud$0.00Secure Development Policy
Dependency ScanningDependabot + npm audit$0.00Vulnerability Management
Secret ScanningGitHub Secret Scanning$0.00Cryptography Policy
Code ScanningCodeQL$0.00Secure Development Policy
Supply ChainSLSA Level 3 + Scorecard$0.00Open Source Policy
License ComplianceFOSSA$0.00Open Source Policy
E2E TestingCypress (OSS)$0.00Secure Development Policy
Unit TestingVitest (OSS)$0.00Secure Development Policy
CDN SecurityAWS CloudFront (built-in)Included in infrastructure costNetwork Security Policy
TLS CertificatesAWS Certificate ManagerIncluded in infrastructure costCryptography Policy
Total Incremental Security Tooling Cost(excludes AWS security services costed in infrastructure)$0.00See infrastructure cost breakdown

Security ROI Metrics

Note: ROI figures below cover incremental security tooling and services only (all currently OSS/free). Security-related AWS infrastructure (e.g., CloudFront, CloudWatch, Route 53 health checks) is accounted for separately under infrastructure costs and currently totals โ‰ˆ$54.00/year across ISMS policy areas.

MetricValueSource
Total Security Tooling Investment$0/yearFree OSS tooling (excluding AWS infrastructure spend)
Vulnerability Detection Rate>95%Automated scanning pipeline
Mean Time to Detect (MTTD)<24 hoursAutomated CI/CD scanning
Code Coverage (Target)>80%Vitest + Cypress (target; see UnitTestPlan.md for current coverage)
Supply Chain ScoreOpenSSF ScorecardAutomated assessment
SLSA LevelLevel 3GitHub Actions attestation
CII Best PracticesPassingCore Infrastructure Initiative

๐Ÿ—๏ธ AWS Infrastructure Security Architecture

Current Production Architecture

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#e3f2fd',
      'primaryTextColor': '#01579b',
      'lineColor': '#2196f3',
      'secondaryColor': '#e8f5e9',
      'tertiaryColor': '#fff8e1'
    }
  }
}%%
flowchart LR
    subgraph USERS["๐ŸŒ Users"]
        BROWSER["๐Ÿ–ฅ๏ธ Browser<br/>Korean Martial Arts<br/>Education"]
    end

    subgraph AWS["โ˜๏ธ AWS Infrastructure (\$7.00/month)"]
        CF["๐ŸŒ CloudFront CDN<br/>\$2.00/month<br/>Global Edge Distribution<br/>TLS 1.3 Termination"]
        S3["๐Ÿ“ฆ S3 Bucket<br/>\$0.50/month<br/>Static Site Hosting<br/>Versioning Enabled"]
        R53["๐Ÿ”— Route 53<br/>\$1.50/month<br/>DNS Management<br/>Health Check Failover"]
        CW["๐Ÿ“Š CloudWatch<br/>\$2.00/month<br/>Basic Monitoring<br/>Alerts"]
        ACM["๐Ÿ”’ ACM<br/>\$0.00/month<br/>TLS Certificates<br/>Auto-Renewal"]
    end

    subgraph DR["๐Ÿ”„ Disaster Recovery (\$0/month)"]
        GHP["๐Ÿ  GitHub Pages<br/>Free DR hosting<br/>Automatic failover"]
    end

    BROWSER --> R53
    R53 --> CF
    CF --> S3
    CF --> ACM
    CW --> CF
    CW --> S3
    R53 -.->|Health Check Failover| GHP

    style AWS fill:#e3f2fd
    style DR fill:#f3e5f5
    style USERS fill:#e8f5e9

AWS Security Controls (Included in Base Cost)

Security ControlAWS ServiceAdditional CostISMS Alignment
HTTPS EnforcementCloudFront + ACM$0.00Cryptography Policy
DDoS ProtectionAWS Shield Standard$0.00Network Security Policy
Geo RestrictionCloudFront$0.00Access Control Policy
Access LoggingS3 + CloudFront$0.00Information Security Policy
VersioningS3 Versioning$0.00Backup & Recovery Policy
Origin AccessCloudFront OAI/OAC$0.00Access Control Policy
Security HeadersCloudFront Functions$0.00* (assumes free-tier usage)Secure Development Policy

CloudFront Functions pricing includes a monthly free tier (e.g., first 2 million invocations); this plan assumes usage remains within that free tier. Higher invocation volumes will incur additional per-invocation charges according to AWS regional pricing and will increase the AWS Infrastructure and TCO figures accordingly.


๐Ÿ’ฐ Total Cost of Ownership (TCO) Summary

3-Year TCO Projection

Cost CategoryYear 1Year 2Year 33-Year Total
AWS Infrastructure$84.00$84.00$84.00$252.00
Security Tooling$0.00$0.00$0.00$0.00
CI/CD Pipeline$0.00$0.00$0.00$0.00
Compliance Tools$0.00$0.00$0.00$0.00
Development Tools$0.00$0.00$0.00$0.00
Total$84.00$84.00$84.00$252.00

Cost Efficiency Analysis

MetricValueBenchmark
Monthly cost per user<$0.01Educational gaming platform
Security cost per vulnerability found$0.00All automated, free tools
Infrastructure cost ratioLow-cost AWS infra; most security/dev tooling free-tier/OSSOpen source project
DR cost overhead$0.00GitHub Pages as free DR
Compliance cost$0.00OSS tools (SonarCloud, FOSSA, Scorecard)

๐Ÿ“ˆ Cost Optimization Strategies

Current Optimizations

  1. ๐Ÿ†“ Open Source Advantage: All security scanning tools are free for open source projects
  2. โ˜๏ธ AWS Free Tier: CloudWatch includes an ongoing Free Tier with fixed quotas for metrics, logs, and alarms; the current cost breakdown and illustrative $84/year TCO assume a low-volume workload with an estimated โ‰ˆ$2/month CloudWatch portion that will increase if usage exceeds those free-tier quotas
  3. ๐Ÿ“ฆ Static Architecture: No server-side compute costs (no Lambda, EC2, or containers)
  4. ๐Ÿ”’ Built-in Security: AWS Shield Standard and CloudFront security headers at no additional cost
  5. ๐Ÿ”„ GitHub Actions: Unlimited CI/CD minutes for public repositories
  6. ๐Ÿ“Š DR at Zero Cost: GitHub Pages provides automatic disaster recovery hosting

Future Cost Considerations

If the platform evolves beyond a static frontend (see FUTURE_ARCHITECTURE.md):

Evolution ScenarioEstimated Monthly CostKey Cost Drivers
Current (Static SPA)$7.00CloudFront + S3 + Route 53
+ API Gateway + Lambda$15-25Serverless compute
+ DynamoDB$25-40Data persistence
+ WAF + GuardDuty$50-75Enhanced security services
Full AWS Stack$75-100All AWS security services

๐Ÿ”„ Budget Alignment with ISMS Policies

Security Investment by ISMS Policy Area

๐Ÿ›ก๏ธ ISMS Policy๐Ÿ’ฐ Current Annual Cost๐Ÿ”ง Services Used๐Ÿ“Š Business Value
Secure Development Policy$0.00SonarCloud, CodeQL, Vitest, CypressAutomated code quality and security
Vulnerability Management$0.00Dependabot, npm audit, ScorecardContinuous vulnerability detection
Cryptography Policy$0.00AWS ACM, GitHub Secret ScanningTLS certificates and secret protection
Network Security Policy$24.00CloudFront, AWS Shield StandardCDN and DDoS protection
Access Control Policy$0.00CloudFront OAC, S3 bucket policiesOrigin access control
Backup & Recovery Policy$6.00S3 Versioning, GitHub Pages DR, Route 53 health check failoverMulti-layer backup strategy with automatic DR failover
Information Security Policy$24.00CloudWatch, Access LogsMonitoring and audit logging
Total$54.00

IconDocumentRelationship
๐Ÿ—๏ธArchitectureSystem architecture overview
๐Ÿ›ก๏ธSecurity ArchitectureSecurity model details
๐ŸŽฏThreat ModelRisk-driven security justification
๐Ÿ”ฎFuture ArchitectureEvolution roadmap
๐Ÿ”šEnd-of-Life StrategyTechnology lifecycle management
๐Ÿ“‹BCPPlanBusiness continuity planning
๐Ÿ“–READMEProject overview
๐Ÿ’ผSWOTStrategic assessment

๐Ÿ“‹ Document Control

Approved by: James Pether Sรถrling, CEO, Hack23 AB Distribution: Public (GitHub Repository) Classification: Confidentiality: Public


๐Ÿ† Framework Alignment

ISO 27001:2022 NIST CSF 2.0 CIS Controls v8.1