An argument can certainly be made that the economics of cybersecurity largely favor the attacker. While the takedown of Darkode was a win for the good guys, at least temporarily, the unfortunate reality is that a multitude of other underground forums remain where criminals can gain easy access to the tools and technical support needed to organize and execute an attack. A simple search gets you quick access to virtually any tool needed for the job. Our role as executives and security professionals is to make sure the adversaries roaming these virtual havens have to spend an inordinate amount of resources to achieve their objectives.
Many organizations are working to tip the scales back in their favor through a more integrated approach to security: one that not only increases spending and coordinates how technology is used and deployed, but also improves overall efficacy through better training of people and tighter policy management. These changes obviously come at a cost.
Many organizations are asking the natural question – how much do I really need to spend on security in order to tip the scales in my favor? In order to answer that question you must first quantify the impact and risk of a cyber attack.
At its annual meeting the World Economic Forum released an initial report that attempts to build a common framework for quantifying the impact and risk associated with cyber attacks. Now there’s a lot of work that still needs to be done to unify around a common approach. But the thought process that the World Economic Forum and other organizations are applying is quite interesting.
The World Economic Forum suggests borrowing the value-at-risk (VaR) measure widely adopted by the financial services industry. At its simplest, value-at-risk is an estimate of the largest loss you should expect over a given period at a given confidence level; a 95 percent one-year VaR of $10 million means that in only one year in twenty would losses be expected to exceed that figure. Applied to security, it frames the tradeoff between the value gained from a decision and the loss exposure assumed with it. For example, consider a migration of assets into a public cloud environment. Doing so could result in loss of visibility and control of those assets. There's no question the cloud brings tremendous value, but at what cost? And could that exposure be reduced through investment in new security technologies? Yes. But does that investment align with the risk?
There are three main components in the value-at-risk model: vulnerability, assets, and the profile of a potential attacker. Up to this point we've primarily talked about criminal motives. But the reality is that many organizations have to plan and account for the possibility of terrorism, espionage, or even warfare-led motives. These latter categories are more often state-sponsored and thus likely to be backed by a higher level of sophistication and funding. The techniques and tools used by such actors can easily overwhelm an organization that's underfunded and ill prepared.
At the center of the value-at-risk model are an organization's tangible and intangible assets. Intangible assets include intellectual property and personal data that, if lost, could damage an organization's reputation or brand. Tangible assets typically include infrastructure, systems or production capabilities that, if compromised, could result in temporary or long-term business interruption. The financial impact of a security breach, and the likelihood that an organization becomes a target, are directly tied to these assets. Most would agree it's a completely valid business decision to accept some risk and to size security investment against the estimated financial impact of a breach. The challenge is calculating what those true costs might be, and most organizations wildly miscalculate them. The figures will vary widely depending on the nature of your assets and overall business. Take the time to identify these assets, and use well-documented incidents (e.g. Sony, Target) to build realistic loss scenarios rather than guessing.
The final component of the value-at-risk model is vulnerabilities, meaning weaknesses in the systems put in place to protect tangible and intangible assets. It can also cover systems that may be targeted directly in order to impact an organization's production capabilities (e.g. SCADA). Identifying and acknowledging vulnerabilities is another area that's regularly miscalculated. The likelihood of a breach relates directly to the value of the assets targeted, but it is also fueled by an adversary's knowledge of your vulnerabilities. If a given target asset exists within three or four different organizations, the adversary is naturally going to gravitate toward the most vulnerable one. Go for the weak lamb in the flock.
By analyzing how these three components interact, organizations can gain a better understanding of what their ultimate risk exposure might be. If the assets are high in value, adversaries are going to be more willing to invest significant resources to achieve their objectives. The nature of those assets will also point you toward the likely adversaries: organized crime and nation-states, which will use more advanced tools and tactics. Similarly, if it's known that your organization is running dated, more vulnerable systems, that presents a more attractive target and thus increases the volume and likelihood of attacks. Both scenarios increase risk at the end of the day.
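To make the interaction between assets, adversary profiles and vulnerability concrete, here is a small Monte Carlo value-at-risk model. It is an added example written for this page, not the World Economic Forum's published framework or anyone's production tool; the asset values, vulnerability scores, adversary profiles and the scaling rules (interest grows with the log of asset value, success scales with vulnerability times capability) are all constructed assumptions for illustration. Each simulated year, every adversary that finds an asset interesting may compromise it; the annual loss totals are then summarized as expected annual loss, 95 percent VaR and the average loss in the worst 5 percent of years.

```python
"""Illustrative cyber value-at-risk (VaR) model.

Added example for this page; NOT the World Economic Forum's framework.
All figures, scoring rules and adversary profiles are constructed assumptions.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float          # loss (USD) if fully compromised, tangible or intangible
    vulnerability: float  # 0.0 (hardened) .. 1.0 (trivially exploitable), assumed score


@dataclass
class Adversary:
    name: str
    interest_threshold: float  # ignores assets worth less than this (assumption)
    attempts_per_year: float   # expected attempts at an asset just above threshold
    capability: float          # 0..1, chance one attempt succeeds vs. a fully exposed asset


def annual_compromise_probability(asset: Asset, adv: Adversary) -> float:
    """P(at least one successful compromise in a year) for one asset/adversary pair.

    Interest grows with asset value (log scale keeps it bounded); success per
    attempt is vulnerability x capability; attempts are treated as Poisson.
    """
    if asset.value < adv.interest_threshold:
        return 0.0
    attempts = adv.attempts_per_year * (1.0 + math.log10(asset.value / adv.interest_threshold))
    per_attempt = asset.vulnerability * adv.capability
    return 1.0 - math.exp(-attempts * per_attempt)


def simulate_annual_losses(assets, adversaries, trials=10_000, seed=1) -> list:
    """Monte Carlo: one total annual loss figure per simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0.0
        for asset in assets:
            asset_loss = 0.0
            for adv in adversaries:
                if rng.random() < annual_compromise_probability(asset, adv):
                    # Most breaches do not destroy 100% of an asset's value.
                    asset_loss += asset.value * rng.triangular(0.1, 1.0, 0.4)
            total += min(asset_loss, asset.value)  # cannot lose more than the asset
        losses.append(total)
    return losses


def expected_annual_loss(losses) -> float:
    return sum(losses) / len(losses)


def value_at_risk(losses, confidence=0.95) -> float:
    """Loss not exceeded in `confidence` of simulated years (historical-simulation VaR)."""
    ordered = sorted(losses)
    idx = math.ceil(confidence * len(ordered)) - 1
    return ordered[max(idx, 0)]


def conditional_value_at_risk(losses, confidence=0.95) -> float:
    """Mean loss in the worst (1 - confidence) tail: what a bad year really costs."""
    ordered = sorted(losses)
    tail = ordered[max(math.ceil(confidence * len(ordered)) - 1, 0):]
    return sum(tail) / len(tail)


# Constructed sample portfolio (illustrative figures, not real data).
ASSETS = [
    Asset("customer PII database", 40_000_000, 0.6),
    Asset("product design IP", 25_000_000, 0.3),
    Asset("plant SCADA network", 15_000_000, 0.8),
    Asset("marketing web server", 500_000, 0.9),
]
ADVERSARIES = [
    Adversary("opportunistic criminal", 100_000, 3.0, 0.2),
    Adversary("organized crime", 5_000_000, 1.0, 0.5),
    Adversary("state-sponsored", 10_000_000, 0.5, 0.9),
]


def risk_report(assets=ASSETS, adversaries=ADVERSARIES, trials=10_000, seed=1) -> dict:
    losses = simulate_annual_losses(assets, adversaries, trials, seed)
    return {
        "expected_annual_loss": expected_annual_loss(losses),
        "var_95": value_at_risk(losses, 0.95),
        "cvar_95": conditional_value_at_risk(losses, 0.95),
    }


if __name__ == "__main__":
    for key, dollars in risk_report().items():
        print(f"{key:>22}: ${dollars:,.0f}")
```

The useful move is to run the report twice: once with the current vulnerability scores and once with the scores you expect after a proposed control (say, the SCADA network dropping from 0.8 to 0.3). The difference in expected annual loss and VaR is the most that control is worth, which is exactly the "does the investment align with risk" question the model is meant to answer.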
Some organizations have made the move to bring on chief risk officers. If you don’t fall into this camp ask the question - what is your organization doing to quantify the value and impact of a breach? And how is this information used to determine appropriate spend levels? You’d be surprised how many organizations haven’t made either connection.