Risk-based information security investments
They're not an easy undertaking, but are worth pursuing
Ask a senior executive or board member about their experience evaluating investments in cybersecurity solutions. You will undoubtedly hear frustration understanding the return-on-investment of cybersecurity controls. The argument that “bad things will happen” if we do not invest is not exactly an evidence-based position.
These discussions have come center stage with the onslaught of cyberattacks, any of which result in penalties and fines for data privacy violations, and hefty ransomware payments.
Information technology risk is a form of operational risk, defined as losses incurred for inadequate or failed internal processes, people or systems. It differs from other financial risks executives typically asses based on ROI (credit risk, new product development, plant and equipment, etc.). Operational risks do not yield positive returns, and potential losses may be a catastrophic “black swan” event. They are challenging to model, earthquakes are a good example.
Modeling information security risks has typically used qualitative methods, often referred to as “scoring.” The scoring methods are highly subjective and use ordinal rankings (1,2,3,4). The problem is compounded when attempting to perform mathematical operations (such as multiplying a “score” by likelihood and impact) that is not recognized by statisticians or mathematicians as valid.
The excuse of insufficient data, or limited knowledge of exposures to implement quantitative analyses, are without merit. Douglas Hubbard, creator of the Applied Information Economics Method and founder of Hubbard Decision Research, notes “cybersecurity can use the same quantitative language of risk analysis used in other problems,” adding “there are plenty of fields with massive risk, minimal data, and profoundly chaotic actors that are regularly modeled using traditional mathematical methods.”
The Open Group, a global consortium has proposed a risk taxonomy with a common language as a first step necessary to describe elements of IT Risk, and facilitate quantitative analysis; here are some of the elements:
- Identification of critical business information: Understanding what critical assets need to be protected is the first step. The Center For Internet Security controls framework describes details on how to identify key information assets (customer databases, financial information) as well as hardware, software, and network assets. An analysis of current business systems and procedures, use cases, etc., will assist in identifying what data and business processes exist and which are most critical.
- Identification of threats and attack vectors: The specific nature of threats needs to be examined. Which “threat communities” pose the most risk to your organization? Are they nation-states, cyber criminals, cyber vandals, amateur hackers, competitors, inadvertent actions by insiders? The vector is basically an analysis of the path through which an attacker can gain access to exfiltrate private/confidential information or plant ransomware.
- Forecasting loss magnitude and loss frequency: Losses may be categorized as theft of intellectual property, fines from compliance violations, ransomware payments, lost revenues, reputational loss, etc., and are used to estimate loss magnitude. The estimated loss frequency (more than “this may happen,” but within what time period) needs to be estimated. The extent of many cyber-control ROI proposals is “this may happen” without an expression of frequency and/or estimates on loss per event.
Risk-based cybersecurity investment utilizes quantitative analytic methods. Analytics estimate the statistical probability of a specific type of loss occurring, and the probable loss amount.
Implementing a risk-based approach is not an easy undertaking. The takeaway here is this: setting a strategic goal to move toward quantitative risk analysis is step one vs. attempting an immediate implementation. The process should be understood and embraced before implementation details are considered. This should not impede implementation of basic cybersecurity controls.
Don Guiou is an information risk consultant based in Jaffrey.