Economic Decision Models in Cyber-Security
Traditional management models rely on cost-benefit trade-offs in order to assess whether an investment is worthwhile. Such cost-benefit trade-offs are important in order to assess whether a security strategy is really effective in achieving the stated goal of greater protection of information assets and information systems.
Assessing costs and benefits is a difficult undertaking in the privacy and cyber-security (PACS) domains. For example, there are direct costs that accrue only to the firm making the decision (such as a purchase) and indirect costs (if the product fails, it might jeopardize the buyer's supply chain). In the digital supply chain, one firm's investment in a more secure system indirectly improves another firm's security if the two are connected (so-called externalities).
Proactive and Reactive Investment Strategies
Firms face the choice between reactive and proactive PACS investment strategies (Research Triangle Institute, 2006). According to this research, many firms (in different industries) state that they rely on existing technologies that enable quick implementation of patches once vulnerabilities are identified.
Widespread anecdotal evidence suggests that firms beef up security once they have been hit by a data breach (CBC News, 2014: "Target CIO resigns as security revamped over data breach"). Many firms characterize themselves as employing a mix of proactive and reactive security strategies; the attainable mixes are presented as iso-security curves (Figure 1). The further a curve lies from the origin, the higher the level of security reached in this theoretical model.
Fig. 1 Firm Selection of Optimal Proactive/Reactive Mix
Source: Research Triangle Institute (2006)
An iso-security curve marks the rate at which one strategy can be traded off against the other at a constant level of security. At the point labelled $/PA, for example, the firm devotes all its funds to the reactive strategy. The optimal mix of proactive and reactive strategies is found at the point of tangency between the budget line and the highest iso-security curve attainable under the budget constraint.
Costs and Benefits of PACS Products and Services
Table 1 shows some of the major components of the cost and benefit categories for PACS investments. Companies developing innovative PACS products or services will have a problem making a value proposition if the benefits cannot be firmly ascertained, i.e., expressed as a tangible, quantitative reduction of estimated risk. Moreover, there are "teachable moments": often, companies only react with increased spending on IT security after a large-scale data breach has occurred. It is then easier for IT staff to make a business case for greater IT investment spending.
Tab. 1 Costs vs. Benefits of Cyber-security Investments

| Costs | Benefits |
|---|---|
| Personnel costs (set-up of new in-house teams, tiger teams, etc.) | Decrease in security incidents and cybercrime losses |
| Purchase costs (hardware, software, consultancy services) | Reduction in liability costs for breaches |
| Administrative costs | Increase in customer trust |
| In-house R&D | Increase in company reputation |
| Opportunity costs | Protection from unfair competition (industrial espionage) |
| | Reduction in switching of disgruntled customers to competitors |
| | Increase in compliance (if a security duty of care is mandatory) |
Source: Jentzsch (2015).
Investment Obstacles in Innovation
Innovation is defined as the implementation of new or significantly improved procedures, products or services (OECD 2005: 46). Innovative privacy and cyber-security products need to prove their added value over the systems currently in use. For decision-makers, innovative products come with several unknowns. Is a new seller really trustworthy? Is the new technology offered better than a tested and patched one? Does it tangibly reduce the risk of data breaches? Is it worth the investment? How does it change the vulnerability of the firm? Such unknowns make it harder for new technologies to penetrate a market. The ambiguity bias of decision-makers (aversion to options with unknown probabilities) is a hurdle to overcome, for example by test runs that enable an assessment of the risks.
Security Returns on Investment Model
There are several models for calculating the returns on security investments (see the references at the end of this page).
Return on Investment: ROI is the expected return (eR) minus the investment cost (I), divided by I, i.e. ROI = (eR - I) / I. For security investments, Sonnenreich et al. (2006) propose the ROSI model.
Returns on Security Investment
It includes the following factors:
RE = risk exposure (i.e. estimated from past observations of attacks)
I = investment costs
RM = mitigated risk (i.e. the share of the risk exposure removed by the investment)
Finding and developing risk metrics is not the problem. Finding accurate numbers to fill the variables with meaningful values is a challenge, though. Especially tricky is the problem of risk exposure: while the damage from discovered hacker attacks can be assessed, there may be a number of unobserved attacks and near-misses. Another complicating factor is the ever-changing nature of technology, datasets and networks, which constantly changes the risk landscape firms face.
In traditional fields of insurance, the probability of events and their damages can be derived from actuarial tables. Actuarial tables for cyber-security and privacy are still in development. The traditional Security Return on Investment Model (see Figure 2) sets the cost of security measures in relation to the security level reachable by expending those funds. Such models are typically used by the industry to demonstrate the value proposition of a product.
Fig. 2 Security Return on Investment Model
Moreover, decision-makers need to employ them in order to compare different privacy and cyber-security investment strategies. Such investments, once regarded as sunk costs, are increasingly seen as an economic enabler.
According to the above model, the optimal level of security is reached when the cost of security countermeasures equals the cost of security breaches. Beyond this point, any further increase in security expenditure is no longer offset by the reduction in the cost of security breaches.
The above is a brief introduction intended to give practitioners an overview of the decision models in use. It should not be understood as an endorsement of any individual model, since each has the strengths and weaknesses discussed above.
Calculating the risk arising from mutual exposure, along with other horizontal and vertical relations among market players, is a complex and almost impossible task, because it requires security information from the interconnected firms. These, however, generally have no incentive to share such information, for fear of competition, litigation and reputation effects. The aforementioned network externalities also inhibit an accurate calculation of security returns on investment. Sonnenreich et al. (2006) propose computing exposure as follows:
Annualized loss exposure (ALE) is the product of the Single Loss Exposure (SLE) and the Annual Rate of Occurrence (ARO). Again, the problem of correct measurement exists, i.e., filling the variables with meaningful values. Future development of metrics ought to account for the aforementioned externalities. Big Data analysis might in future remedy some of the lack of data.
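The following worked example is added here to illustrate both the ROSI factors (RE, I, RM) and the ALE computation above; it is not code from the IPACSO page or from Sonnenreich et al. It applies the ROSI formula from Sonnenreich et al. (2006), ROSI = (RE * RM - I) / I, with risk exposure RE taken as ALE = SLE x ARO; the two candidate investments, their names and all money values are constructed, and the "unobserved attacks" factor is an assumed multiplier on the observed ARO to show how measurement error in exposure moves the result.

```python
# Added worked example (not from the IPACSO page): ROSI per Sonnenreich
# et al. (2006), ROSI = (RE * RM - I) / I, with risk exposure RE taken as
# the annualized loss exposure ALE = SLE * ARO. The candidate investments
# and all money values below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Investment:
    name: str
    sle: float   # single loss exposure: expected loss per incident
    aro: float   # annual rate of occurrence (incidents per year, as observed)
    rm: float    # share of the exposure the measure mitigates, 0..1
    cost: float  # annual investment cost I


def ale(sle: float, aro: float) -> float:
    """Annualized loss exposure = SLE x ARO."""
    return sle * aro


def rosi(re: float, rm: float, cost: float) -> float:
    """Return on security investment: (RE * RM - I) / I."""
    if cost <= 0:
        raise ValueError("investment cost must be positive")
    return (re * rm - cost) / cost


def break_even_rm(re: float, cost: float) -> float:
    """Mitigation share at which ROSI is zero, i.e. RE * RM == I."""
    return cost / re


def rosi_under_unobserved_attacks(inv: Investment, factors=(1.0, 1.5, 2.0)) -> dict:
    """ROSI if the true ARO is `factor` times the observed one; unobserved
    attacks and near-misses inflate the real exposure (assumed multipliers)."""
    return {f: rosi(ale(inv.sle, inv.aro * f), inv.rm, inv.cost) for f in factors}


def rank_investments(invs) -> list:
    """Order candidate investments by ROSI, highest first, to compare strategies."""
    return sorted(invs, key=lambda i: rosi(ale(i.sle, i.aro), i.rm, i.cost), reverse=True)


if __name__ == "__main__":
    a = Investment("patch automation", sle=200_000, aro=0.5, rm=0.7, cost=60_000)
    b = Investment("endpoint monitoring", sle=200_000, aro=0.5, rm=0.5, cost=30_000)
    for inv in rank_investments([a, b]):
        print(inv.name, round(rosi(ale(inv.sle, inv.aro), inv.rm, inv.cost), 3))
    print("break-even RM for a:", break_even_rm(ale(a.sle, a.aro), a.cost))
    print(rosi_under_unobserved_attacks(a))
```

With the constructed figures, the cheaper measure ranks first on ROSI even though it mitigates less, and doubling the observed ARO raises the first investment's ROSI from about 0.17 to about 1.33, which is the measurement sensitivity the text warns about.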
In the area of measurement, comprehensive overviews already exist. For example, Herrmann (2007) lists more than 900 security metrics. Brotby and Hinson (2013) list more than 150 metrics, ranging from risk management metrics to IT security metrics to compliance and assurance metrics; the authors have made the list accessible over the Internet by publishing it on their website as an Excel file. Overviews are also presented by Mateski et al. (2012) and Swanson et al. (2003), among many others. Cyber-resilience metrics are discussed in Linkov et al. (2013). Privacy metrics, an area not well researched to date, will be discussed in the IPACSO framework.
Other Quoted Publications
Research Triangle Institute (2006). Economic Analysis of Cyber-security, AFRL-IF-RS-TR-2006-227, Final Technical Report (July 2006).
Schneier, Bruce (2008). Security ROI: Fact or Fiction? Data Protection, Essay.
Sonnenreich, W., J. Albanese and B. Stout (2006). Return On Security Investment (ROSI): A Practical Quantitative Model, Report.