You need all 32 teeth to chew what comes your way—specially when it’s a hard nut. So why are we limiting our tools when it comes to the jawbreaker called cyber risk? Ever thought of putting Economics to work here?
Cybersecurity refers to the protection of information that is transmitted via any computer network, including the Internet. The risk of harmful cybersecurity failures due to cyber-attacks is what most refer to as cybersecurity risk (or simply cyber risk). Unfortunately, the number of successful cyber-attacks on organizations are increasing at an alarming rate. Phishing, social engineering, denial-of-service, and ransomware are among the many cyber threats confronting organizations in today’s interconnected digital world. As a result, cybersecurity risk is a critical problem confronting senior executives and Boards of Directors in large publicly traded corporations, as well as in small and medium size firms.
Technology Alone – Doesn’t Have the Bite
Cyber risk is also a major concern to senior administrators in government agencies and departments. The increasing number and magnitude of successful cyber-attacks has also resulted in cybersecurity risk becoming a national priority among politicians throughout the world. In the US, for example, the last four Presidents have all argued that the economic and national security of the country is dependent on a secure cyberspace. As pointed out by President Joe Biden during Cybersecurity Awareness month in 2021, “Cyber threats can affect every American, every business regardless of size, and every community.” Of course, the same is true for all countries throughout the world.
Discussions by computer scientists and computer engineers concerning ways to manage cybersecurity risk usually focus on considering various technology-related defenses that an organization can put in place to mitigate cyber risk. These defenses include, but are not limited to, such items as encryption of data, intrusion prevention and detection systems, access controls, firewalls, antimalware software, network security, multi-factor authentication, and end-point security. However, achieving 100% cybersecurity is not a realistic goal from either a technical perspective or an economic perspective. In fact, some level of cyber risk will always be present.
The Missing Tooth—Economics
Cyber breach recovery plans and cybersecurity training programs for employees are also topics that are commonly covered in initial discussions concerning cyber risk management by computer scientists and computer engineers. The role that economics plays in an organization’s strategy for managing its cybersecurity risk is frequently considered only as an after-thought. Such an approach is fundamentally flawed! Organizations need to consider economic issues during their initial discussions concerning technology-based approaches toward managing cyber risk. Indeed, when we look at the subject with the reasoning explained ahead – we can easily surmise that the cybersecurity risk quagmire ultimately requires an economic solution.
Opportunity Cost—The Cavities
That Annoy Here
Organizations do not have infinite resources. In fact, a fundamental principle of economics is the concept of allocating scarce resources to competing activities. A corollary to this principle is that the allocation of scarce resources to an activity should consider the notion of opportunity cost, where opportunity cost refers to the foregone benefits from allocating resources to the next best alternative. The combination of the above basic economic principle and its corollary means that decisions regarding the appropriate way to manage cybersecurity risk requires organizations to address the following fundamental question: How much should our organization spend on activities directed at mitigating cybersecurity risk? It’s not that simple. But it’s not that complicated too.
Answering the above question necessitates a comparison of the expected costs of cybersecurity-related activities to the expected benefits derived from such activities. In other words, organizations need to compare the costs associated with spending on cybersecurity-related activities that reduce cyber risk to the resulting benefits derived from such expenditures. The basic economic principle (let’s go back to some staple Economics terms) that needs to be followed is that the marginal costs associated with reducing cyber risk should not exceed the resulting marginal benefits.
Ultimately—Cut your teeth deep into it
There is no silver bullet for deriving the amount an organization should spend on cybersecurity-related activities to mitigate its cyber risk. The above notwithstanding, organizations need a rational economic framework for making decisions concerning the amount to be spent on mitigating cyber risk. The Gordon-Loeb Model (GL Model) provides such an economic framework. (The Gordon-Loeb Model was originally published in the article by L. A. Gordon and Martin P. Loeb, in ACM Transactions on Information and System Security (2002), entitled “The Economics of Information Security Investments.”) Grounded in mathematics, the model is easy to use and makes only a few basic, and realistic, assumptions.
The first assumption of the GL Model is that there is a positive probability, p, somewhere between zero and one (i.e., 0
The objective of the GL Model is to find the point where the marginal benefits from a firm’s additional cybersecurity investments are equal to the marginal costs associated with such investments. At that point, the firm is investing the optimal amount in cybersecurity-related activities. The GL Model provides a framework that helps organizations find an economically sound level of investments in cybersecurity activities that considers both the costs and benefits of those activities, explicitly taking into consideration the cyber risk confronting organizations.
The framework underlying the GL Model requires an estimate of three key components. These components are: (1) the value of the firm’s information set that is being protected, (2) the initial probability (i.e., risk) that the firm is vulnerable to a successful cyber-attack, and (3) the way additional investments in cybersecurity will reduce the risk of a successful cybersecurity attack. The value of the information set being protected represents the potential maximum loss resulting from a cyber-attack, whereas the probability of a successful attack is derived from the combination of the information set’s vulnerability and threat regarding an attack.
Ivory Towers – That Can Bite Back
The way additional cybersecurity investments reduce the risk of a successful attack is what Gordon and Loeb call the security breach function. In essence, the security breach function describes how additional investments in cybersecurity reduce the ex-ante probability that a firm will be the victim of a successful future cyber-attack. By reducing the probability that a firm will be the victim of a successful cyber-attack, the firm is reducing its cybersecurity risk. If a firm were to segment its information into sub-sets of information, a practice that is strongly recommended, estimates of the above three items would be required for each information segment.
Deriving the desired estimates of the above three components of the GL Model is as much an art as it is a science. However, once the estimates of the three key components underlying the GL Model’s framework are determined, the next step is to multiply the value of the firm’s information set by the initial probability that the firm will be the victim of a successful cyber-attack. This step results in the expected loss due to a successful cyber-attack on the firm’s information set and is what many organizations consider to be the monetary value of their cybersecurity risk. The expected loss from a successful cyber-attack also represents the maximum potential cost savings (i.e., benefits) that can be derived from strong cybersecurity.
The next step in applying the GL Model is to derive the level of spending on cybersecurity-related activities. This step requires deriving the level where the marginal benefits derived from cybersecurity-related activities is equal to the marginal costs of the spending to protect the information set. This last step involves considering the way investments in cybersecurity will reduce the risk of a successful cyber-attack.
In the final analysis, the GL Model is best viewed as a complement to, not as a substitute for, sound business judgement regarding decisions concerning the right amount to invest in cybersecurity-related activities. Although not a panacea, use of the model can go a long way toward improving an organization’s ability to manage its cybersecurity risk.
Just think of what bleeds more when an attack happens- technology or business! The answer makes it immediately clear that technology alone cannot bite the bullet on its own. It would need Economics – Molars will be empowered with Incisors. Alone, they may wobble. Together, they work wonders! And create that perfect smile!
Dr. Lawrence Gordon is the EY Professor of Managerial Accounting and Information Assurance at the University of Maryland’s Robert H. Smith School of Business. He is also the coauthor of the Gordon-Loeb Model for deriving the optimal amount to invest in cybersecurity.
By Lawrence A. Gordon