Pity the benighted chief financial officer (CFO) – or at least try.
He presides, Solomon-like, over the purse-strings of his organization. All manner of internal departments compete for finite funds, all with urgent needs. Which projects will live, and which ones will die? These are the decisions he must make daily.
Arming senior IT executives with a rational, economic approach to allocating security funds is the aim of a new book, Managing Cybersecurity Resources: A Cost-Benefit Analysis by Lawrence A. Gordon and Martin P. Loeb, both professors of managerial accounting and information assurance at the University of Maryland.
Written in plain English, the book provides a framework for building compelling business cases that will warm the cockles of the CFO’s heart.
“We wanted to make these economic concepts accessible to the people who can make best use of them,” says Gordon, who leads the academic team that reviews the annual Computer Security Institute (CSI) and FBI Computer Crime and Security survey. The book is based on seven years’ research in an emerging field, the economic aspects of information security. “Organizations don’t have infinite resources to allocate to any one thing. Cybersecurity is no different.”
However, some claim cybersecurity is indeed in a different category, and thus beyond the purview of the dismal science. Gordon is unimpressed with such arguments. “When we first started doing this, people said it was voodoo economics, to which we politely replied, that’s nonsense.” There are some aspects of cybersecurity investment that make cost-benefit analysis difficult, he says, but it can and should be subject to the same scrutiny.
Cybersecurity projects are in an investment category called cost-savings projects, he explains. These are projects which, if done well, save the organization funds but don’t generate new revenue. Gordon points out there are many other investments in this category, including IT itself. “Twenty-five years ago, people said using net present value (NPV) models to justify IT investment was also voodoo economics. But today, all major corporations use some form of NPV modeling to at least get a handle on the parameters.”
What’s unique about cybersecurity, he says, even within the realm of cost-savings projects, is that savings generated when the job is done well can’t be observed. If a legacy computer system is replaced because the new one does a better job faster with fewer people, then the savings can be quantified. With security, expenditure is associated with the costs of breaches: losses due to theft of data, downtime, and so on. But the savings are ambiguous: how many cyber attacks are prevented by infosec measures? Or is the absence of attacks just dumb luck? Here we enter the realm of probability.
“If the cybersecurity job is done well, then you’ll never really see the cost savings, so they are more difficult to estimate. However, that doesn’t preclude the fact that you still have to look at the uncertainties via cost-benefit analysis. It means you have to bring in risk management and more sophisticated kinds of analyses. But the concepts are still applicable, because you still have resource allocation decisions to make,” says Gordon.
While far from perfect, information about the number and types of cyber attacks that occur is steadily accumulating, he says. Organizations such as the CSI, FBI and CERT collect data, and there is evidence, post-Sarbanes-Oxley, that firms are disclosing more information in their annual reports about their infosec than in the past, says Gordon. There is enough information available about occurrences of attacks to allow organizations to make reasonable estimates in general, he says.
The other part of the equation is assembling information in an orderly fashion about the breaches the organization itself experiences. One of the first orders of business in rationalizing resources is developing a three-dimensional cybersecurity cost grid. This means classifying breaches into the three main categories (loss of confidentiality, availability and integrity of data) and tracking the implicit/explicit and direct/indirect costs associated with each category.
“Organizations can then set up a priority system and decide where they want to put money first. This doesn’t mean you give all the money to the greatest area, because at some point there are diminishing returns. You want to put money where you get the most initially, then move it along,” says Gordon.
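The cost grid and the diminishing-returns allocation Gordon describes, as an added example that is not the book’s model or the article’s own code: expected annual loss per breach is probability times loss, breaches are summed into the category × explicit/implicit × direct/indirect grid, and a greedy loop spends each increment where the marginal saving is largest, stopping when the next increment no longer pays for itself. All breach records, probabilities and dollar figures are constructed.

```python
# Added example (not from the book or the article): a small model of the
# "three-dimensional cybersecurity cost grid" and diminishing-returns allocation.
from collections import defaultdict

CATEGORIES = ("confidentiality", "availability", "integrity")

# Constructed breach records, costs in thousands of dollars. Expected annual
# loss = probability (%) x loss. The stock-value decline from a confidentiality
# breach is modelled as an implicit, indirect cost.
BREACHES = [
    {"category": "confidentiality", "explicit": True,  "direct": True,  "pct": 10, "loss": 2000},
    {"category": "confidentiality", "explicit": False, "direct": False, "pct": 10, "loss": 5000},
    {"category": "availability",    "explicit": True,  "direct": True,  "pct": 50, "loss": 100},
    {"category": "availability",    "explicit": True,  "direct": False, "pct": 50, "loss": 40},
    {"category": "integrity",       "explicit": True,  "direct": True,  "pct": 20, "loss": 300},
]

def build_cost_grid(breaches):
    """Sum expected losses into the grid keyed by (category, explicit, direct)."""
    grid = defaultdict(float)
    for b in breaches:
        if b["category"] not in CATEGORIES:
            raise ValueError(f"unknown breach category: {b['category']}")
        grid[(b["category"], b["explicit"], b["direct"])] += b["loss"] * b["pct"] / 100
    return dict(grid)

def category_totals(grid):
    """Collapse the grid to expected annual loss per breach category."""
    totals = {c: 0.0 for c in CATEGORIES}
    for (category, _, _), cost in grid.items():
        totals[category] += cost
    return totals

def allocate(budget, totals, step, reduction=0.5):
    """Greedy allocation under diminishing returns: each `step` spent on a category
    cuts its remaining expected loss by `reduction`. Spend where the marginal
    saving is largest; stop when no step saves more than it costs."""
    remaining = dict(totals)
    spend = {c: 0.0 for c in CATEGORIES}
    while budget >= step:
        best = max(CATEGORIES, key=lambda c: remaining[c] * reduction)
        if remaining[best] * reduction <= step:
            break  # the next increment no longer pays for itself
        remaining[best] *= 1 - reduction
        spend[best] += step
        budget -= step
    return spend, remaining, budget

if __name__ == "__main__":
    totals = category_totals(build_cost_grid(BREACHES))
    print(totals, allocate(200, totals, 20))
```

With the constructed figures, confidentiality absorbs the first four increments, the loop then moves to availability and integrity, and 60 of the 200 budget is left unspent because no remaining increment saves more than it costs.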
A mistake many organizations make is assuming all breaches are costly, he says. “The general thinking is that a breach is a breach. But most are not costly, in an economic sense.”
In a recent study, Gordon and his colleagues looked at the costs associated with different types of breach. Breaches of confidentiality – theft of customers’ credit card numbers, for example – do have a devastating impact on the stock market value of corporations, leading to an average decline of about 5 per cent. This means a firm with a market value of $100 million would experience a decline of $5 million. Conversely, breaches of a non-confidential nature – denial of service attacks, for example – are not significant in a statistical sense, and are more like operating costs, i.e., the cost of doing business.
How the economic models outlined in the book are used is very important, says Gordon. “No one is suggesting managers take the models, plug in numbers, and out comes how much to spend and where to allocate,” he says. Security managers need to use their business judgment and knowledge of their organization’s workings to make these decisions. However, the models support the decision-making process by identifying the key parameters, risk issues, potential security breaches and investments that can be made.
Some major consulting firms sell cybersecurity cost-benefit models and services, and to the extent they are based on sound economic principles, says Gordon, they too can assist decision-making. “Economics is economics,” he says. “But what’s different is we’re not selling our approach, and we have no financial incentives. We want to see our research utilized.”
Managing Cybersecurity Resources could be described as an open source, self-serve approach to infosec. “Our goal is to get other people to apply this to their own organizations – they know their needs best,” he says. “In fact, we’ll discuss the model over lunch with any organization’s representatives who come to us for help applying the book’s principles for free.”
Bruce McConnell, president at McConnell International, a Washington-based technology policy and management consultancy, believes the book is one of the first serious attempts to develop a methodology that allows cybersecurity managers to tackle investments in a systematic way.
“This codifies the risk-based approach and quantification of risk via probability, and is an [improvement] on the state of the art,” says McConnell, who was involved in tightening information security at the White House in a former position. “The draw