by Michael Werneburg
Information risk management today is popularized as a contest of wits and nerve fought in an abstract technological sphere. Hence the (stupid) word "cyber security". But behind all of that is an economic reality: this fight must be waged on limited resources. This reality may be decried by practitioners focused on "security" as an absolute – but economics are inescapable.
Smaller organizations are particularly susceptible. The ongoing stream of breaches – including some spectacular incidents at well-funded organizations – underscores the struggle nicely. If firms with soaring cyber security budgets can’t prevent a breach, what chance does a smaller organization have? Is it futile?
Perfect security is indeed a futile pursuit, especially for smaller organizations. But short of perfection, a spectrum of potential "right answers" that can solve the problem in fruitful ways. The diagram below is a modified version of something I saw presented by Mark Clancy at this year’s RSA conference.
It assumes an attacker motivated by money. It depicts the profitability of an attack against a target firm (vertical) where the target has put in place different levels of controls to prevent the attack (horizontal). The green horizontal line represents gross income from the attack (a breach that nets salable data). The orange line represents costs to the attacker in overcoming the controls in place at the target firm. The blue line represents the attacker’s net income (gross income minus costs).
On the left, the target firm has put in place few effectual controls. Overcoming these feeble controls presents little cost to the attacker (but not zero). At some point, the firm starts putting in place controls that change the balance. In Mr. Clancy’s version, the point of putting controls in place was to make the attack unprofitable. My only contribution to his graph is shaping the curves using the Pareto principle – much of the benefit to be had comes from the first controls put in place.
But as I reflected on this design, I realized that economically-motivated attackers can still obtain something from a target that’s expending its budget but never realizing perfection. My version of that chart treats perfection as impossible to reach, because, quite simply, I’ve been working in technology organizations for over twenty years and have witnessed every kind of result but perfection.
And that’s when it dawned on me that for small organizations with limited budgets, the fight isn’t about reaching perfection at all. The goal is to use resources to protect the firm by making it just difficult and just expensive enough to breach that the attacker moves on to easier prey. Like the hiker who escapes the bear by being faster than the other hikers, a small firm earns its cyber security by being incrementally more secure than the pack. Which, as is shown in source after source after source, should be attainable. Especially with so many sources effectively saying the same things when it comes to becoming incrementally more secure.
In this version of the first diagram, I’ve labeled two profit profiles: A – profit against a firm with poor controls; and B – an arbitrary point at which the attacker achieves only 20% of the profits of point A.
I’ve also labeled the two points along the “net profit” curve: the “out-running the hikers” point; and the “out-running the bear” point. You can see that the vertical difference (net profitability) is not great. These points also appear on the graph below.
Here the vertical difference (cost of achievement) is immeasurable. What I’m trying to show with these two graphs is that by focusing on out-running the hikers rather than the bear, I’m attempting to escape the cybercriminal by encouraging them to find other small enterprises upon which to feed. This strategy is borne out of inescapable economics, but it also recognizes that I was only ever going to achieve so much within the confines of the budget I have; best be realistic about my goals.
As for the other small enterprises, those hikers passing through the digestive track of the bear? If we all were champion sprinters, I might very well be in trouble again. But the bears have been faster for decades now, and until something changes drastically I’m guessing that they’ll stay that way.
But I’m not immune to the desperate cries of my fellow hikers, so I’ll follow this article with some insights I’ve developed recently by blending some interesting approaches that I’ve discovered.