Abstract
A CISO’s primary duty is to protect their organisation’s data. The past year has seen an increase in the frequency of major cyber incidents, including evolving malware, DDoS, social engineering and supply-chain attacks. These events serve as a serious warning to organisations that cyber security investment is essential to protect their assets, regardless of their size.
Cyber security investment is generally viewed as essential to protect an organisation’s assets. If the organisation holds valuable data (for example, customer PII or sensitive commercial information), we might expect a range of controls to be put in place, from employee training and risk management strategies to network monitoring, up-to-date firewalls and breach mitigation products. The difficult question is therefore: what is the ‘right’ amount to invest to protect a given data-set? How do you know if you’re investing too much, or too little? Organisational leaders often have little to go on when determining the optimal amount to invest in cyber security, which needs to be more than an intuitive (and therefore subjective) exercise.
Two academics at the University of Maryland, Laurence Gordon and Martin Loeb, have developed an economic framework to help answer this question. They found that the optimal amount of investment should only be a ‘small fraction’ of the expected monetary loss following a data breach (and estimate the optimal figure at around 37% of an expected loss). They also found that beyond a certain expected level of loss, extra investment provided increasingly limited additional protection benefits. Their model has become one of the most prominent frameworks within the economics of security investment.
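As an added illustration, not part of this abstract or the article it summarises, the Python below works the Gordon-Loeb optimum through numerically. The breach-probability function is the class I form from Gordon and Loeb's original model (assumed here, since the abstract does not state it), and the scenario values v, L and alpha are constructed.

```python
import math

# Gordon-Loeb class I security-breach probability function (assumed form,
# taken from the original model; not spelled out on this page):
#   S(z, v) = v / (alpha*z + 1)**beta
# z     : money invested in security (same unit as L)
# v     : probability of a breach with zero investment (vulnerability), 0 < v < 1
# L     : monetary loss if the breach occurs, so v*L is the expected loss
# alpha, beta: productivity parameters of the controls, alpha > 0, beta >= 1

def breach_probability(z, v, alpha=1.0, beta=1.0):
    return v / (alpha * z + 1.0) ** beta

def expected_net_benefit(z, v, L, alpha=1.0, beta=1.0):
    """Expected loss avoided by investing z, minus the cost of z itself."""
    return (v - breach_probability(z, v, alpha, beta)) * L - z

def optimal_investment(v, L, alpha=1.0, beta=1.0):
    """Closed-form maximiser of expected_net_benefit for the class I function.
    First-order condition: -dS/dz * L = 1  =>  (alpha*z + 1)**(beta+1) = alpha*beta*v*L.
    If even the first unit of investment does not pay for itself, invest nothing."""
    root = (alpha * beta * v * L) ** (1.0 / (beta + 1.0))
    return max(0.0, (root - 1.0) / alpha)

def optimal_share_of_expected_loss(v, L, alpha=1.0, beta=1.0):
    """Ratio z* / (v*L); Gordon and Loeb show it never exceeds 1/e (about 36.8%)."""
    return optimal_investment(v, L, alpha, beta) / (v * L)

def grid_search_optimum(v, L, alpha=1.0, beta=1.0, steps=200_000):
    """Brute-force check of the closed form: scan z from 0 up to the expected loss."""
    best_z, best_val = 0.0, expected_net_benefit(0.0, v, L, alpha, beta)
    for i in range(1, steps + 1):
        z = v * L * i / steps
        val = expected_net_benefit(z, v, L, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
    return best_z

if __name__ == "__main__":
    # Constructed scenario: a customer-PII data set whose breach would cost L = 1,000,000,
    # with a 50% chance of breach if nothing is spent, so the expected loss is 500,000.
    v, L = 0.5, 1_000_000.0
    for alpha in (1e-5, 1e-4, 1e-3):
        z_star = optimal_investment(v, L, alpha)
        share = optimal_share_of_expected_loss(v, L, alpha)
        print(f"alpha={alpha:g}: z*={z_star:,.0f}  share of expected loss={share:.1%}")
```

Raising alpha (more productive controls) lowers both the optimal spend and its share of the expected loss, which is the diminishing-returns effect the abstract describes.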
Original language | English |
---|---|
Pages | 50-55 |
Number of pages | 6 |
Volume | March 2018 edition |
Specialist publication | Cyber World |
Publication status | Published - 9 Mar 2018 |