Do you know how much you should spend on cybersecurity? It’s such a simple question, yet the answer is terribly elusive. By the end of this series I hope to have some answers. Specifically, my goal is answering the following questions:
- How much should we spend on cybersecurity?
- What should we spend the cybersecurity dollars on?
Based on various analyst firms' research, companies spend about 5% of their revenue on IT and about 5% of that on cybersecurity. To put this in perspective, this means small companies typically spend about $125K per year on cybersecurity; midsized companies spend about $1.25M; large companies spend about $12.5M; and very large companies spend about $50M annually on cybersecurity. This is a conservative view of spending, especially given that companies like JP Morgan/Chase plan to spend $500 million this year.
Independent of any justification, we also know that this spending is going up. For example, accounting firm BDO USA LLP surveyed 100 company CFOs. Two-thirds said they've increased cybersecurity spending in the past 12 months.
I've got two fundamental concerns. First, just because companies are spending this money doesn't mean they should spend this money. And second, even if we can justify spending the money, what should we spend it on? Yes, these are loaded questions, because "should" carries great judgement and bias. In a later post I'll get back to "should" and put it in the perspective of risk. But for now, let's assume "should" means there is a clear justification for spending the money.
So what's the justification? My experience is that most cybersecurity spending justification is part economic, part fear-based, and part peer pressure. The fear and peer pressure components certainly garner the most attention in the media: they're highly speculative, vary from one company to the next, and there are no clear right or wrong positions. However, to stay focused I'm sidestepping these factors and targeting the economic component of the cybersecurity spending justification equation.
Seeking Economic Model: Cybersecurity ROI, Cost Avoidance or Something Else
In a recent Lockheed Martin sponsored survey by Ponemon, 70 percent of IT/security professionals said ROI is important when selecting security technologies. Ponemon takes an interesting approach to cybersecurity ROI. Its 2015 IBM sponsored Cost of Data Breach report found that companies face an average of $833,800 annually in data breach costs. As Ponemon states:
“If forgone costs are the same as realized revenue (which is to say, ‘a penny saved is a penny earned’), then whatever you spend toward avoiding that $833,800 cost is an investment. So if you implement a security program, you should divide $833,800 by the total cost of the program and express the result as a percentage. I warn you. You could be in for a shock. A program costing $10,000, for example, results in a return on investment of 8,338 percent. How often do you encounter an opportunity with a cybersecurity ROI of 8,338 percent?”
This approach has great merit. If I spend $10K to avert $833,800 in incident response costs, then I'm getting a very good return on my investment. However, this isn't really a cybersecurity ROI so much as a non-spend, or cost avoidance, model.
The closest thing to a cybersecurity ROI model I’ve seen is dubbed security enablement by some vendors and analyst firms. It goes something like this: If I spend $1M on multi-factor authentication and it allows me to deliver online investment advice to high net worth investors, I can increase the company revenue by $10M. On the surface this appears to answer my second question (what we should spend our money on). Unfortunately, it’s extremely rare to directly link a revenue increase to one security investment. Plus, what about all the meat and potatoes security controls that can’t be linked to any revenue impact?
I'm finding a real cybersecurity ROI model to be elusive, and to underscore this point, the same 70% of respondents in Ponemon's survey state it's difficult to accurately calculate the ROI of any given security solution. I'm starting to wonder whether the search for a cybersecurity ROI might be a red herring and I should focus on cost avoidance to answer my questions. We'll see.
A Cost Avoidance Model
The best cost avoidance model I've seen is the Booz Allen Cyber ROI model (yes, I know ROI is in the title!). The model's theme is incident avoidance. For example, Booz references a different Ponemon report (the 2014 Cost of Cyber Crime study) that calculates cyber crime costs companies on average $12.7M annually. Booz makes the case that blocking the cyber crime in the first place has clear financial benefits. Agreed.
Booz states: "Many aspects of cyber investment financial value are the same as those for any traditional investment. The differentiating factor, however, is that cyber investment value is based on three key cost avoidance components:
- Cost to fix
- Opportunity cost
- Equity loss”
Booz goes on to state “the downstream impacts from opportunity costs and equity losses can account for as much as 25 percent of the true total cost of a successful attack.”
Their cyber cost avoidance model has a lot more to it than I can do justice to in this post, and I urge everyone to read the white paper. My primary takeaway from the model is the following:
Attack costs (fix + opportunity + equity) × probability of a successful attack × attack frequency = expected loss value
This is a good equation that is applicable to my quest. As I'll discuss in the future, there is a related but even better equation in the Open Group's Factor Analysis of Information Risk (FAIR).
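To make the two economic models concrete, here is an added Python example (mine, not from the post or from Booz Allen or Ponemon) that implements the expected-loss equation above with the three Booz cost components, and the Ponemon-style cost avoidance "ROI". All dollar figures other than the post's $833,800 / $10,000 example are constructed, as are the success probabilities and frequency.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackCosts:
    """Booz Allen's three cost-avoidance components for one successful attack (USD)."""
    fix: float          # cost to fix: response, recovery, remediation
    opportunity: float  # opportunity cost: business lost or delayed during the incident
    equity: float       # equity loss: market-value hit attributed to the incident

    def total(self) -> float:
        return self.fix + self.opportunity + self.equity

    def downstream_share(self) -> float:
        """Fraction of the total made up of the two downstream components."""
        return (self.opportunity + self.equity) / self.total()


def expected_loss(costs: AttackCosts, success_probability: float, frequency: float) -> float:
    """Attack costs x probability of a successful attack x attacks per year."""
    if not 0.0 <= success_probability <= 1.0:
        raise ValueError("success_probability must be in [0, 1]")
    return costs.total() * success_probability * frequency


def cost_avoidance_roi(avoided_cost: float, program_cost: float) -> float:
    """Ponemon-style 'ROI': avoided cost divided by program cost, as a percentage."""
    return 100.0 * avoided_cost / program_cost


def control_value(costs: AttackCosts, frequency: float, p_before: float,
                  p_after: float, program_cost: float) -> dict:
    """Expected loss with and without a control, the loss it avoids, and net benefit."""
    before = expected_loss(costs, p_before, frequency)
    after = expected_loss(costs, p_after, frequency)
    avoided = before - after
    return {"before": before, "after": after, "avoided": avoided,
            "net_benefit": avoided - program_cost,
            "roi_pct": cost_avoidance_roi(avoided, program_cost)}


if __name__ == "__main__":
    # Ponemon example from the post: $833,800 avoided by a $10,000 program.
    print(f"Ponemon cost-avoidance ROI: {cost_avoidance_roi(833_800, 10_000):.0f}%")
    # Constructed scenario (not from the post): downstream costs are 25% of the total.
    costs = AttackCosts(fix=600_000, opportunity=100_000, equity=100_000)
    result = control_value(costs, frequency=3, p_before=0.20, p_after=0.05,
                           program_cost=100_000)
    for name, value in result.items():
        print(f"{name:>12}: {value:,.0f}")
```

Note that the same control produces a very different "ROI" depending on whether the downstream (opportunity and equity) components are counted, which is exactly the sensitivity the rest of this post worries about.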
I’ve Eaten My Meat, Now Can I Have My Pudding?
Does the Booz model answer my questions? Unfortunately not. Though I really like aspects of the model, I see some challenges with it. For example, Booz calls it an ROI model, but it's really a cost avoidance model. This is a pretty minor point. My greater concern is that relying on equity loss and opportunity costs is highly problematic, since research indicates most companies experience only a temporary equity hit after an incident, and it's very tough to discern lost income from delayed income: how many people simply delayed their purchase until the website was back up?[1] Finally, the model doesn't have the granularity I'm looking for to help determine not just whether we should spend money, but what to spend the money on. Still, please review the model, since it lays out an excellent five-step framework, of which I'm only focusing on step 3: Quantify Value.
I still need to answer my simple questions, and cost avoidance gets me closer to answers, but not close enough. In my next post I'll discuss the work of Dr. Lawrence Gordon and Dr. Marty Loeb at the University of Maryland's Robert H. Smith School of Business. Linking their cybersecurity spending model to a cost avoidance model may help get the answers I seek. I hope you will seek the answers with me. In the meantime, please comment so we can get the discussion going.
[1] Gordon, L.A., M.P. Loeb, and L. Zhou. 2011. "The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs?" Journal of Computer Security.