When is an extra security control worth the cost?
There are many security controls to choose from, but they are not all created equal. We, as security experts, are not good at estimating or explaining what the security benefit of investing in a new control would be in business terms. Is it worth the cost?
There have been academic attempts to quantify this, such as the Gordon-Loeb model (GLB for short):
TEC(S) = S + v(S)L
In this equation, TEC is the total expected cost, S is the security investment, v(S) is a vulnerability function estimating the probability of a successful cyber attack occurring, and L is the loss resulting from the cyber attack. If you can somehow estimate the reduction in the probability of a successful attack from your security investments, you can quantify and compare different controls. The probability function is often expressed as an exponential decay governed by a "security control efficiency parameter", α:
v(S) = v_0 \exp(-\alpha S)
This makes intuitive sense: the first security investments you make have the biggest impact, and then the effect diminishes as spending grows. The parameter v_0 is the nominal probability of a successful cyber attack, which is the probability without any further security investments.
All of this is good, but not so easy to apply when you are going to choose between more security training or upgrading your firewall. The model also doesn't take into account that you can have loss-limiting controls, such as faster restore times, which make the loss from a successful attack a function of the security investment as well. We may, however, take some inspiration from this approach to try to land on a pragmatic quantification of cyber risk, and of the benefit from investing in security controls.
Consider a home cleaning business with a few employees, SuperClean. This business does not have a big IT department, but depends on digital tools and data flows for its operations.
The business has 4 main business processes:
They use Google Workspace for their day-to-day IT needs, and a cloud-based finance system for accounting, invoicing and payroll. Let's say they have done a risk assessment, and decided that the highest-risk scenario is ransomware targeting Google Workspace. They are worried about the general manager approving an OAuth phishing request, giving attackers full access to the cloud environment. After some thinking they have concluded that such a ransomware attack would cause them to lose all business for 2 weeks, and also lose some future business due to negative news, with an estimated cost of € 50 000, including the cost of setting up the system again. The biggest worry here is a lack of backups.
The firm has identified 4 possible security controls they are considering investing in to reduce the risk:
Based on available data from media, the cleaning company estimates a 25% chance of becoming a ransomware victim in a 12-month period without further security investments. That gives an expected cost of €12 500. By trying to quantify the benefit of each control like this, we can compare different choices. The model is a simplification: the benefit of a control can depend on which controls have already been selected, and not all controls will provide the same benefit in every company - but all models are wrong and some are useful. We can make a table and calculate the TEC for different combinations of control choices:
TEC(1,2,3,4) = 5060 - an improvement.
TEC(1,2,3) = 4600 - estimated total cost is lower without the awareness training!
TEC(1,3) = 1700 - this is a big improvement, getting rid of those costly MSP assistance hours also improves it, because they don't provide a lot of risk reduction.
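To make the table above reproducible, here is an added example (not from the article) that computes TEC for every combination of controls using the article's 25% baseline probability and € 50 000 loss. The four controls' costs and reduction factors are constructed, hypothetical values, so the resulting TEC figures differ from the article's; the model also applies the loss-reduction extension mentioned earlier, so a backup control can reduce L rather than v.

```python
from itertools import combinations
from math import exp

# Figures stated in the article: 25% chance of a ransomware incident per year
# and an estimated EUR 50 000 loss if it happens.
V0 = 0.25
L0 = 50_000.0

# Constructed, hypothetical control parameters (not the article's numbers):
# name, annual cost in EUR, fraction by which the control reduces the
# probability of a successful attack, fraction by which it reduces the loss.
CONTROLS = {
    1: ("Backups of Workspace data", 1_000.0, 0.00, 0.70),
    2: ("MSP assistance hours", 3_000.0, 0.10, 0.00),
    3: ("Phishing-resistant MFA", 500.0, 0.60, 0.00),
    4: ("Awareness training", 800.0, 0.20, 0.00),
}


def expected_cost(selected):
    """Total expected cost for a tuple of control ids: investment + v * L.

    Probability and loss reductions are treated as independent, so they
    simply multiply; this is the simplification the article warns about."""
    invest = sum(CONTROLS[i][1] for i in selected)
    v, loss = V0, L0
    for i in selected:
        _, _, p_red, l_red = CONTROLS[i]
        v *= 1.0 - p_red
        loss *= 1.0 - l_red
    return invest + v * loss


def rank_portfolios():
    """Every combination of controls (including none), cheapest TEC first."""
    ids = sorted(CONTROLS)
    portfolios = [()] + [c for n in range(1, len(ids) + 1) for c in combinations(ids, n)]
    return sorted(((expected_cost(p), p) for p in portfolios), key=lambda t: t[0])


def gl_vulnerability(s, alpha, v0=V0):
    """Gordon-Loeb style decay of attack probability with spend s (EUR)."""
    return v0 * exp(-alpha * s)


if __name__ == "__main__":
    for tec, p in rank_portfolios()[:5]:
        print(f"TEC {tec:9.0f}  controls {p or 'none'}")
```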
In our model we have not included the effect of diminishing returns of security investments; the effect of the sequence of investments has not been modeled. In some contexts this may be significant, as the friction security controls are causing depends on the organization's security maturity, which takes time to build.
This type of modeling can help, but is of course sensitive to your assumptions. It can be difficult to estimate the true cost of a control, which typically consists of 3 factors: initial acquisition cost, maintenance cost, and productivity reduction through workflow friction. All these factors should be considered when estimating the cost. For security friction, the effect of a single control is unlikely to be very high, but the cumulative effect of many controls can lead to significant productivity reduction, and also drive shadow IT usage, which will be detrimental to cyber risk.
Estimating the effect of a control on probability of successful incidents or cost of the incident can also be quite challenging. Using historical data from within the organization is helpful, as well as analytical approaches such as threat modeling that can help estimate reduction in vulnerability exposure or reduced time to detection or recovery.
Overdoing it?
Analysis is helpful for optimization, but remember that a model is just a model. Don't get stuck in a situation where necessary investments are not done because you are always looking to improve the models and optimization routines. It is also OK to make decisions that are not supported by the model; you may have insights that are not captured in the model.
Use models to support analysis, to make communication easier, but remember they are no better than the assumptions and data going into them!
VP of Industrial Cybersecurity, technical researcher, and critical infrastructure enthusiast
3 months: Nice work! I really like the concept. I have some real numbers from another life regarding cyber informed TCO - I can share the deck I presented a couple of times. Happy to chat and compare notes.