Modern businesses have, whether by intent or by practice, always held the concept of “return” as a motivating objective and a raison d’être. Capitalism functions through the judicious allocation of “capital” as an investment base to generate returns. Returns increase the value and number of assets, which can be converted into more capital, and the return cycle repeats. Judicious selection of investments implies that returns may not always be there for the reaping and that there is always uncertainty. This uncertainty is given form and substance in the concept of “risk”. Risk can be expressed as a spectrum of uncertainty associated with the realization of return. Decisions on where and when to invest (to generate returns) are the domain of “strategy”. Strategy addresses where to invest, what risk is acceptable, what return is required, what the time frame for return is, how to minimize risk, and how to ensure sustainable returns.
Returns are a result of asset/investment performance. Accountants have provided a number of metrics for assessing the performance of an asset/investment base: Return on Investment, Return on Equity, Return on Assets and others, depending on the nature of the investment base and the risk it is under.
How does all this relate to cyber security? All cyber attackers, from government sponsored organizations (GSOs) to social activists, attack assets. GSOs try to damage, steal or deny access to intellectual property, monetary value, societal institutions, etc. Social activists are committed to raising awareness of some social issue by destroying reputations, defacing web sites, denying access to media facilities, etc. All these targets of attack are assets of an organization or of an individual. These assets can be tangible, such as money, equipment and buildings, or intangible, such as intellectual property, business processes, information and data. Each asset class requires an investment of capital, and each asset class, when properly employed, generates revenue and returns for an organization. The ubiquity and pervasiveness of computers, networks and digitization has “informationalized” our world, and assets can exist in many forms other than a physical, tangible object. Cyber attackers are keen on disrupting the world for a variety of agendas, all of which result in risk to organizations.
Risk metrics for assets are complex because assigning asset value is complex. Fixed asset metrics that seek to identify the current value of an asset on a depreciated basis are insufficient for assessing cyber-attack impact and the uncertainty of returns, because the depreciation method only looks at the replacement value of the asset and not at its utility and ability to generate a return. The accumulated cost of developing a unique product design is, for example, insufficient to value an intellectual property asset: the investment base for development must be evaluated against the future revenue/return the design asset promises to generate. Money and other liquid assets must be seen in the context of the investments they can sponsor in new assets, manpower or products for sale, and the potential return/revenue those can generate, rather than just their face value. Good risk analysis must consider the impact on returns so that an appropriate appetite for risk can be developed – a risk adjusted rate of return.
Many organizations that must make investment decisions look at future returns versus risk to the investment base as the criteria for making the investment. In business, capital is limited and new capital can be expensive, so decisions on where to invest must be made judiciously and must assess the risk to capital. We see this competition for capital resources in venture capital firms, bank loan committees, product selection functions, market development choices, etc. Risk adjusted rates of return put all these different investment opportunities on an equal footing. Cyber professionals must adopt the same principles in deciding where to spend cyber defense dollars, using a commensurate metric, Return on Security Investment (ROSI). The challenge has always been to identify the risks and to quantify the impact of a series of compromises (theft, damage, loss of reputation, denial of service, etc.). For example, the loss of access to an ATM network has several impacts, and business viability comes into question the longer the outage goes on. CIOs, CISOs, business line managers and board members must be aware of the potential losses due to such an outage, and that loss must be quantified in dollars and cents as it affects returns, reputation, shareholder value and business viability/sustainability. So the loss must be assessed not just on the replacement value of the asset but on the impact that the loss will have on the investment base and its ability to generate return.
Risk must also be understood in terms of quantifying the uncertainty of compromising events targeted at organizations and their assets. Will I be attacked, and by whom? Will the arsenal of tools that the attacker uses be effective in penetrating my defenses? How much should I spend on defenses? Am I making the right decisions, spending too much, too little? Organizations gather intelligence/information about the world of attackers, attack methods, defensive devices, best practices, geo-political factors, employees, physical security, etc. in order to process and digest this massive hurricane of information, coherently come to conclusions and apply a defensive strategy. As yet this has been an exercise in gambling rather than a discursive method.
Some of the risk metrics that must be understood in order to develop a coherent landscape are:
- The Probability of Attack of an Attacker
- The Probability of Success of an Attack Method
- The defensive power of a Defensive Control
- The increase in risk due to the specifics of a Geographic Location
- The increase in risk due to political, social and economic Events
- The size and nature of the business of the organization – Industry sector
All of these factors and their corresponding metrics can vary widely across the landscape of organizations and the attackers they face. Having a clear picture of this terrain, and of how it affects a specific organization’s functioning within a given time and facing a finite set of events, is critical to coming up with a broad risk and threat posture. CISOs, alongside their management, should first clearly articulate the assets that are critical to an organization’s success and the impact of compromise of those assets relative to their ability to generate return. Secondly, CISOs should numerically score the cyber risks to an organization by evaluating all the threats it faces in the landscape where it functions. The risk/reward equations can then be calculated to support critical decision making on cyber spend:
- What is the power of the given asset base to generate returns?
- What would be the loss to returns and to the asset base in the event of a compromise?
- How can the events leading to compromise be measured in terms of likelihood of occurrence, impact of a specific kind(s) of attacks and commensurate loss of return?
- What detailed actions would remediate deficiencies in the defensive posture while being optimized relative to expenditure?
Return on the investment base is a fundamental evaluation and performance tool for understanding the degree of success of a business. It is equally valuable for understanding the impact of cyber-attacks and for rationalizing the entire process of defending against them. It establishes a set of metrics and measures that organizations can use to “benchmark” themselves against their peers or other cohort groups. Finally, it gives assurance to the board and to shareholders that the planned cyber investment is right-sized.