Figuring out CyberSecurity Return On Investment ISSA June Meeting
Need for a Common Language
The path forward Developing a ROI based Strategy to Cybersecurity Research Risks and Common Threat Sources Monetize Risks and Prioritize Threats Discuss and seek approval Review company asset at risks. Review community and market based security threat reports. Convert identified risks into monetary loss. Seek insurance premium or calculate annual probability of loss. Calculate costs to combat common and market threat sources Present risk reduction as annual cost savings to loss against the investment. Present investments in protections against top threat sources
Method 1: Analysis of Risks Cybersecurity investments return value as a Asset Risk Reduction action and a Breach containment reaction
Management of known Risks Risks A($30M), B($25M), and C($15M) is roughly $70M of the $131M total Risk. If the cost of a control is $4M for items A, B, and C. Then, the ROI is $70M/$4M Look for the Highest risks and costs of controls and/or cybersecurity insurance to bring the risks within tolerance.
Method 2: Estimating loss from peers and looking for sources IBM Security/ Ponemon 2018 Cost of Breach Report On Average in the US, you have 13.5% probability each year of breach and average cost of $7.91M or $1M/year average
Small businesses have a worst experience The U.S’ National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyber attack. Ponemon 2017 State of Cybersecurity in SMBs The average cost due to damage or theft of IT assets and infrastructure increased from $879,582 to $1,027,053. The average cost due to disruption to normal operations increased from $955,429 to $1,207,965.
What does the future look like? Total global value at risk to Cybercrime over the next 5 years Accenture 2019 Cost of Cybercrime Study For an average G2000 company—with 2018 revenues of US$20 billion—the value at risk translates into an average of 2.8 percent of revenues, or US$580 million, each year for the next five years. Global value at risk to Cybercrime by Industry over the next 5 years On Average in the US during the next 5 years, you have 13.5% probability each year of loss equal to 2.8% of future revenues. This doesn’t include existing risks! However, we may be able to use this information to determine unknown existing risks in a careful manner.
Breach - Asset Category What are the sources of Loss? Breach - Threat Actions Breach - Asset Category Verizon’s 2019 Data Breach Investigations Report Use percentages to derive Loss mitigation against expenses
Invest to reduce Loss from attacks Leverage 2FA or MFA Educate users against social engineering attacks – 20% of Loss Leverage next generation endpoint protections Verizon’s 2019 Data Breach Investigations Report Endpoint – 30% of Loss “Training employees to think and act with security in mind is the most underfunded activity in cybersecurity budgets.” Accenture Ninth Annual Cost of Cybercrime Study
Invest to reduce Loss from attacks Obvious stuff: Audit and patch OS 2019 Trustwave Global Security Report Routinely scan internet facing applications for vulnerabilities Audit server configurations of Dev-Ops Servers and Web Applications – 65% of loss Leverage Web Application firewalls with threat feeds and patterns
Invest to reduce Expense when a Breach occurs or in process Accenture 2019 Cost of Cybercrime Study I don’t really have any monetary statistics yet to calculate direct ROI on these investments. 2018 IBM and Ponemon Cost of Breach Report