This is a short post of a simple of Cyber Economics framework to help organisations develop investment strategies to reduce Cyber Risk. The framework is based on a research paper produced by AFCEA International Cyber Committee. This document was created in 2013 but the principles are still the same in 2020 as well as the challenges experienced by the industry.
The main two aspects of this Cyber Investment framework are
- The threat sophistication
- The criticality of the mission / business supported and/ or data protected by these security investment (security controls).
The reason to consider these two aspects in the framework are
- The level of sophistication of the cyber threat, the majority of the threats are unsophisticated with only a small percentage considered sophisticated or highly sophisticated; therefor to reduce the cyber risk the first priority is to tackle this category of threats (unsophisticated)
- The criticality of the mission supported, organisations must focus their cyber risk reduction efforts to mission critical functions of the business, to avoid business disruption and regulation penalties
This report dates from 2013 but these two aspects continue being true. I do not know the exact percentage of unsophisticated threats encountered today globally by organisations, however, coming from an operations background I can confirm that most the threats that an organisation will encounter will be unsophisticated. I would not be surprised if the percentage is even higher than in 2013, due to the free circulation of open source trade-craft created by the research community and that it is often seen being used by malicious actors in their campaigns. This obviously sets the priority when setting a cyber strategy for cyber risk reduction and investment within the organisations.
If the majority of attacks encountered by organisations across the world are unsophisticated, it makes financial sense and a priority to develop a security control baseline that protects the organisation against the majority of the threats. Some of these attacks may or may not cause a significant impact, however, the deployment of a baseline should be enough to considerably reduce the exposure of the organisation implementing it.
Organisations that need to start developing a security control baseline or need to benchmark their baseline can use the following references.
- CIS Top 20
- ASD Top 35
- NIST SP 800-53, Appendix D
These baselines when properly selected and implemented are meant to stop around 75% to 85 % of threats according to the Australian Signals Directorate (ADS) and the Center for Internet Security (CIS).
One of the most important findings of this paper is that “organisations typically invest in baseline security controls and processes that are mostly overlapping and redundant to the baseline controls” furthermore “this overlapping controls can result in increase complexity and gaps in security effectiveness that often result in a weakening of the collective set of baseline controls”.
Cyber assessments are key to provide situational awareness and make the right decisions for controls investment to reduce exposure to cyber risks, thus they are the foundation previous to an investment.
The simplicity of this framework allows all organisations to understand the journey they have to take to reduce their exposure while making the right financial decisions. In my next post, I will explain how the framework tackles the deployment of advanced security controls for the most critical functions of the organisation; and how it can be extended to match each part of the journey with an adversary class operating in the cyberspace.
Ultimately, this is a model that allows to develop an investment cyber strategy that factors in the nature of the threat that an organisation expects to encounter while remaining financially sounded and protecting the functions that are most critical for the survival of the organisation.