It assumes an attacker motivated by money. It depicts the profitability of an attack against a target firm (vertical) where the target has put in place different levels of controls to prevent the attack (horizontal). The green horizontal line represents gross income from the attack (a breach that nets salable data). The orange line represents costs to the attacker in overcoming the controls in place at the target firm. The blue line represents the attacker’s net income (gross income minus costs).
On the left, the target firm has put in place few effectual controls. Overcoming these feeble controls presents little cost to the attacker (but not zero). At some point, the firm starts putting in place controls that change the balance. In Mr. Clancy’s version, the point of putting controls in place was to make the attack unprofitable. My only contribution to his graph is shaping the curves using the Pareto principle – much of the benefit to be had comes from the first controls put in place.
But as I reflected on this design, I realized that economically-motivated attackers can still obtain something from a target that’s expending its budget but never realizing perfection. My version of that chart treats perfection as impossible to reach, because, quite simply, I’ve been working in technology organizations for over twenty years and have witnessed every kind of result but perfection.
And that’s when it dawned on me that for small organizations with limited budgets, the fight isn’t about reaching perfection at all. The goal is to use resources to protect the firm by making it just difficult and just expensive enough to breach that the attacker moves on to easier prey. Like the hiker who escapes the bear by being faster than the other hikers, a small firm earns its cyber security by being incrementally more secure than the pack. Which, as is shown in source after source after source, should be attainable. Especially with so many sources effectively saying the same things when it comes to becoming incrementally more secure.
In this version of the first diagram, I’ve labeled two profit profiles: A – profit against a firm with poor controls; and B – an arbitrary point at which the attacker achieves only 20% of the profits of point A.
I’ve also labeled the two points along the “net profit” curve: the “out-running the hikers” point; and the “out-running the bear” point. You can see that the vertical difference (net profitability) is not great. These points also appear on the graph below.
Here the vertical difference (cost of achievement) is immeasurable. What I’m trying to show with these two graphs is that by focusing on out-running the hikers rather than the bear, I’m attempting to escape the cybercriminal by encouraging them to find other small enterprises upon which to feed. This strategy is born of inescapable economics, but it also recognizes that I was only ever going to achieve so much within the confines of the budget I have; best be realistic about my goals.
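To make the two points on the net-profit curve concrete, here is an added numerical sketch of the first diagram (my own constructed illustration, not a chart or code from the original post). The gross income, cost floor, cost ceiling and Pareto-style steepness are assumed values; the cost ceiling is deliberately set below the gross income so that, as the text argues, perfection is never reached and the “out-running the bear” point does not exist, while the “out-running the hikers” point (20% of point A’s profit) does.

```python
import math

# Constructed parameters for the profit-vs-controls model (assumptions, not data).
GROSS_INCOME = 100.0   # green line: value of a breach that nets salable data, flat
COST_FLOOR = 5.0       # attacker cost against a firm with few controls (little, not zero)
COST_CEILING = 90.0    # cost as controls approach "perfection"; kept below GROSS_INCOME,
                       # so the attack never becomes strictly unprofitable
STEEPNESS = 3.0        # Pareto-style shaping: the first controls raise cost the fastest


def attacker_cost(controls: float) -> float:
    """Orange line. `controls` in [0, 1] is the firm's control maturity.
    Diminishing returns: cost climbs quickly at first and then flattens."""
    return COST_FLOOR + (COST_CEILING - COST_FLOOR) * (1.0 - math.exp(-STEEPNESS * controls))


def net_profit(controls: float) -> float:
    """Blue line: gross income minus the cost of overcoming the controls."""
    return GROSS_INCOME - attacker_cost(controls)


def controls_for_profit_fraction(fraction: float, tol: float = 1e-9):
    """Smallest control level at which the attacker's net profit falls to
    `fraction` of point A (the profit against a poorly controlled firm).
    Returns None when no level in [0, 1] gets there. net_profit is strictly
    decreasing in `controls`, so a bisection search is sufficient."""
    target = fraction * net_profit(0.0)
    if net_profit(1.0) > target:
        return None  # even "perfect" controls leave the attacker above the target
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if net_profit(mid) > target:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    print("point A net profit:", net_profit(0.0))
    print("out-running the hikers (20% of A) at controls =", controls_for_profit_fraction(0.2))
    print("out-running the bear (0% of A) at controls =", controls_for_profit_fraction(0.0))
```

With these assumed numbers the hikers point sits at roughly 75% of the way along the controls axis, and the bear point is unreachable, which is the asymmetry the two graphs are meant to show.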
As for the other small enterprises, those hikers passing through the digestive tract of the bear? If we all were champion sprinters, I might very well be in trouble again. But the bears have been faster for decades now, and until something changes drastically I’m guessing that they’ll stay that way.
But I’m not immune to the desperate cries of my fellow hikers, so I’ll follow this article with some insights I’ve developed recently by blending some interesting approaches that I’ve discovered.