Cybersecurity: More money for less peace of mind

• RAND model projects 38% increase in cybersecurity costs over next 10yrs
• Heuristic model empowers companies to make smart security investments

CHIEF information security officers (CISOs) often face a chaotic and confusing landscape when deciding the most efficient and cost-effective way to manage the risks posed by security to their business.
 
More troubling, new research indicates that many companies are spending increasing amounts on cybersecurity tools, but are not confident that these investments are making their infrastructure secure, according to Juniper Networks.
 
The networking company, in partnership with the RAND Corporation, a nonprofit institution that helps improve policy and decision-making through research and analysis, has published a report into the economic challenges, trade-offs and demands facing companies as they protect themselves against increasingly complex security threats.
 
In a statement, Juniper Networks said it believes this dynamic is due to a lack of ‘solid calculus’ that considers both the cost of security tools and resources, and the potential cost of a breach, which by definition is neither certain nor predictable.
 
CISOs need a way to better understand the variables that most influence the cost of managing cybersecurity risk holistically, and the different decisions they can make to protect their organisations, the company said.
 
To address this need, RAND developed a heuristic economic model that maps the major factors and decisions that influence the cost of cyber-risk to organisations, which is discussed in The Defender’s Dilemma: Charting a Course Toward Cybersecurity, the second report of a two-part series.
 
With RAND’s model projecting the cost to businesses in managing cybersecurity risk set to increase 38% over the next 10 years, Juniper believes that the time is now for organisations to start managing security spending and risk management as a discrete business function.
 
Just as there are established models that help organisations understand and achieve their strategic marketing or sales goals and objectives, security teams need a way to help better understand the economics of managing security risk, the range of variables implicated, and what investments should be made to more efficiently protect infrastructures, the company said.
 
“The security industry has struggled to understand the dynamics that influence the true cost of security risks to business,” said Juniper CISO Sherry Ryan (pic).
 
“Through Juniper Networks’ work with the RAND Corporation, we hope to bring new perspectives and insights to this continuous challenge.
 
“What’s clear is that in order for organisations to turn the table on attackers, they need to orient their thinking and investments toward managing risks in addition to threats,” she added.
 
The five factors
 
Juniper said there are five major factors confirmed by RAND’s model that companies should strongly consider as they evolve their security postures:
 
1) Many security tools have a half-life and lose value
 
Attackers are constantly developing countermeasures to new detection systems such as sandboxing or antivirus technologies. This dynamic ultimately drives up the amount companies must spend on security technologies to maintain the same level of protection.
 
RAND’s model projects that over 10 years the effectiveness of these technologies that face countermeasures falls by 65%.
 
Companies must carefully evaluate the new tools they invest in, choosing those not prone to countermeasures, and focus on improving security management, automation and policy enforcement across the corporate network.
 
2) The IoT is at a crossroads
 
According to RAND, the Internet of Things (IoT) will have an impact on overall security costs; however, it’s unclear if it will be positive or negative.
 
If security technologies and management are properly applied to the IoT, companies could actually see savings in the long run.
 
On the other hand, if companies struggle to apply security controls effectively, RAND’s model suggests that the introduction of IoT would increase the losses that companies experience due to cyber-attacks by 30% over the course of 10 years.
 
3) Investing in the workforce leads to fewer costs over time
 
Companies can benefit greatly in making people-centric security investments, such as technologies that help automate security management and processes, advanced security training for employees, and hiring additional security staff.
 
According to the RAND model, organisations with very high levels of security diligence are able to curb the costs of managing security risk by 19% in the first year and 28% by the 10th year when compared to organisations with very low diligence.
 
4) There is no one-size-fits-all
 
Companies are likely not taking the optimal economic strategy with their investments, which should vary greatly from company to company based on their size, type of information that exists, and the diligence of security staff.
 
Specifically, RAND found small to medium-sized businesses benefit most from basic tools and policies, while large organisations and high-value targets require investments in a full range of policies and tools given the likelihood that they will be targeted by an advanced attack.
 
5) Eliminating software vulnerabilities leads to major cost reductions
 
RAND’s model found that one of the most significant security issues that increases the cost to businesses is the number of vulnerabilities in the software and applications being used.
 
The model found that if the frequency of software vulnerabilities could be reduced by half, the overall cost of cybersecurity to companies would decrease by 25%.
 
Interpretative tool

To bring the model to life, Juniper Networks is releasing an interactive interpretation of RAND’s economic model.
 
This new tool provides businesses with general guidance on where the model suggests they should invest their time and resources across the major areas that they can control in order to reduce the potential costs, the company said.
 
The Defender’s Dilemma: Charting a Course Toward Cybersecurity is authored by RAND Corporation security experts Martin Libicki, Lillian Ablon and Timothy Webb, and is based on in-depth interviews conducted between October 2013 and August 2014 with CISOs on the current and emerging threat landscape.
 
This research builds on the first report of the two-part Juniper-sponsored series from RAND, Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar, which examined the economic drivers for attackers and the sophisticated underground black market they’ve created to scale their efforts.
 
Related Stories:
 
IT leaders on the harsh reality of cyber-protection
 
Trial by fire: Adopting the resilience mindset
 
Size doesn’t matter in cybersecurity: RSA research

No 1 security vulnerability is careless or unaware employees: EY survey
 
 
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.