In Part 1 of my previous blog, “The Cybersecurity Business Case – An Arduous Challenge”, I talked about the 3 key elements of a typical business case and the creation of a security plan. In this blog we will look at what’s next to consider in the process of creating a cybersecurity business case.
A potential issue lies in the quantity of potential actions required to secure a system. Completion of a security plan will result in a list of dozens of potential actions to improve security. How do you manage deciding which fixes to implement? One way is to list all of the potential improvements in a single project. This technique will undoubtedly result in the specification of a large project that consumes significant resources that may be held up by the management team. The risk assessment done as part of the security plan will enable the prioritization of potential actions. This will enable the company to create a series of phased projects where an initial project can implement fixes to address high risk vulnerabilities, and subsequent projects can address moderate and lower risk vulnerabilities. This makes implementation easier to accept by management, by phasing total cost over time.
The second and more difficult part of creating the business plan involves populating the dollars the project will generate. For cybersecurity projects, improved security results in cost savings by preventing losses that could have caused by a security breach. This is particularly difficult for cybersecurity projects for a number of reasons, specifically;
- It is very hard to estimate the number of times control systems are attacked. There are statistics that track the number of cyber attacks across all applications (IT, control, and residential), but there is limited statistics that track attacks targeting control systems. The few statistics available are not very specific. For example, there were 297 cyber attacks against critical infrastructure in the US in 2015 (Source: ICS-Cert). This does not tell us the number of attacks against non-critical infrastructure or the number of attacks occurring outside the US. It does not provide guidance on year over year growth rate. Data for specific segments (mining, water, etc.) is also difficult to acquire. In addition, many customers choose not to publish cyber-attack data as there is a fear that attacks can impact company reputation.
- In some cases, the risk of attack is based on a company’s present security posture. If a company has no countermeasures in place, risk of attack is higher than that of a company with some countermeasures in place. This is another factor that has to be taken into consideration when characterizing potential risk.
- It is difficult to assess the potential cost of a security breach. Some potential compromises include loss of critical data (understanding of how the secret sauce is made), modifying system behavior (difficult to characterize damage), impact system availability, damage to company image (difficult to characterize), or loss of life in a safety process. It is easy to characterize the cost of downtime, but it is difficult to estimate the amount of downtime that will be triggered by an event. There are some attacks that have specific costs associated with them. For example, ransomware encrypts data on a network element, and a fee has to be paid to decrypt the element. The average fee to decrypt files is $697. However, this includes ransom charged to both individual computers and companies. If the hacker recognizes that he has comprised an asset of a company he will charge more to decrypt files. Useful statistics for most attacks are not available. Some examples of published statistics are provided below:
- In 2016, the average annual loss per company worldwide was $9.5 million.
- In the U.S., the average annual loss per company was $17 million.
- Cyber-crime will cost businesses over $2 trillion by 2019.
- The average cost of a data breach will exceed $150 million by 2020.
- $209 million = FBI’s estimate of dollars lost to ransomware attacks in Q1’16.
- $1 billion = Estimated total cost of damages related to ransomware attacks using cryptographic file-locking software in 2016.
Source all statistics: Noteworthy Cybersecurity Statistics, Amy Burnis, CyberaArk, January 18th 2017.
How does a company use these statistics to characterize loss in a business case? The average loss statistics cover all company types, including financial institutions who loose customer records. These statistics are not necessarily applicable to a regional water / waste water company or mid-sized manufacturing concern.
- Another factor that comes into play when calculating the cost associated with a security breach is the forensic analysis. A forensic analysis attempts to determine the cause of a breach to prevent future incidents. Forensic analysis is not typically covered by insurance companies.
Thus, it is difficult to create a cybersecurity business case for the reasons cited above. Recommendations to gather data to properly justify cybersecurity expenditures include:
- Begin by initiating a project to create a security plan. The plan can be prepared by internal staff or, if cybersecurity domain knowledge is lacking, an organization with the desired skill set. Schneider Electric for example has a cybersecurity services practice in place to help customers create a security plan for their installation. A quote can be obtained to size the cost of the security plan.
- Upon completion of the security plan, a series of phased security projects can be proposed. High risk vulnerabilities should be addressed in initial phases. Cost details will be provided from the security plan.
- Cybersecurity improvements will not generate revenue; they will mitigate potential losses. Individuals can attempt to characterize potential losses by estimating the probability of attack, and assigning potential damage (downtime, company image, loss of life, and loss of process data). One great way to assess potential damage is to discuss the topic with peers at industry events. Individuals can also talk with major system vendors to determine if the vendors have data that could be used in a business case. Industrial cybersecurity trade shows and events are also a great source of data.
In conclusion, there is no easy solution, insuring that cybersecurity business cases will remain an arduous challenge for the foreseeable future. Individuals can take some consolation that projects to improve cybersecurity are routinely approved despite the lack of data.