Here’s why having a well-mapped approach, clear frameworks and investment models can equip organizations for surviving confidently in a world punctuated with attacks, breaches, and bad actors
When I think of cybersecurity, I am reminded of a weaver, stitching together some fine tapestry on a spinning loom. Our digital world is like a tapestry with an invisible thread. Alas, that thread can be pulled apart instantly–without any warning, and as many times as one wants. Only to be painstakingly woven back again.
The irony is that–in our world, we leave this thread for the villains to exploit. Don’t we know that when an attacker pulls this thread it might need much more than a simple darning needle to put our digital fabric back in shape again?
Whether we like it or not, cybersecurity is a fundamental component of everything we do in today’s interconnected computer-based digital world. It is the thread that keeps the Internet-connected world from collapsing into chaos. Indeed, cybersecurity is a necessary component of a nation’s economic, national, and political security. Cybersecurity is also fundamental to social media. Technological advances, such as Artificial Intelligence, blockchain, and data analytics also depend on secure computer-based networks. Unfortunately, modern interconnected computer-based networks were not developed with cybersecurity in mind. Consequently, organizations in both the public and private sectors of an economy need to address the following critical question: What is the best way to manage cybersecurity risk?
Once a significant breach does occur, the invisible becomes visible. At that point, the importance of cybersecurity is no longer invisible and the focus shifts to damage control.
Answering the above question ultimately requires an organization to derive the appropriate amount to invest in cybersecurity-related activities, as well as determine the best way to allocate cyber-related spending. Since 100% security is unrealistic, especially from an economics perspective, answering the above question also requires a strategy for responding to cyber breaches, including ransomware attacks.
No News is Good News—Albeit!
When computer-based information systems are running smoothly, cybersecurity is invisible. Sales transactions take place without a problem, vendors are paid in a timely fashion, operational activities are seamless, and data privacy is taken for granted. In the vernacular of computer scientists, the CIA of cybersecurity (i.e., confidentiality of information, data integrity, and availability of information to those authorized to receive the information) is occurring without any glitches. In other words, cyber breaches are either non-existent or of a nonsignificant nature. However, in today’s world of cyber hackers, the above scenario does not describe reality. Indeed, significant cyber breaches of one kind or another are so common today that most would argue that the question is not if a significant cyber breach will occur, but rather when will such a cyber breach occur? Furthermore, once a significant breach does occur, the invisible becomes visible. At that point, the importance of cybersecurity is no longer invisible and the focus shifts to damage control!
Fighting in a Dark Room
Tackling the cybersecurity conundrum is not for the faint-hearted. The key is to have a cybersecurity risk management plan. The cybersecurity risk management plan is best thought of as involving a process or set of steps. The first step in this process is to identify the potential threats and vulnerabilities to your organization’s computer-based information systems. The combination of the potential threats and vulnerabilities to an information system can be thought of as the probability that a cyber breach will occur. The second step in the cybersecurity risk management process is to consider the potential loss from a cyber breach. In other words, if a cyber breach were to occur, how much would the organization lose due to the breach. The probability that a cyber breach will occur—multiplied by the potential loss from a breach—provides an organization with an estimate of the expected loss due to a cyber breach. It is this expected loss that most think of when discussing the cyber risk. Thus, the key to reducing cyber risk is the idea of reducing an organization’s computer-based networks’ probability of a cyber-attack.
The third step in addressing the cybersecurity conundrum is to determine if there is some way to reduce the cyber risk by investing more money into cybersecurity-related activities. In other words, you need to ask whether additional investments in cybersecurity activities will reduce the organization’s probability of a cyber-attack. This step involves determining if additional investments in cybersecurity (e.g., in firewalls, intrusion detection and prevention systems, data segmentation, employee training, outsourcing a part of the organization’s cybersecurity-related activities, etc.) can reduce the risk associated with a cyber breach and, if so, what are the cost-benefit aspects of these additional investments. At the same time, organizations need to determine if spending funds to transfer the cyber risk (e.g., via cybersecurity insurance) is a more efficient use of additional spending.
Cybersecurity Risk Management–Wield it Strategically
Waiting for a cyber breach to occur and reacting to the breach is an all-too-often approach to cyber breaches. This reactive approach is not a strategic approach to managing cybersecurity risk. What is needed is to have a strategic plan for addressing cyber breaches in place prior to experiencing a significant cyber breach. The plan should be based on a sound framework for carrying out the steps described above. One such framework is provided by the Gordon-Loeb (GL) Model for cybersecurity investments. This Model—which considers the value of the information being protected (i.e., the potential loss from a cyber breach), the probability of a cyber breach occurring, and the productivity of investments in cybersecurity—provides a widely accepted general framework for answering the fundamental question concerning the best way to manage cybersecurity risk.
Ever since the third industrial revolution, the term cyber has become a household term. Today, it is hard for one to think of cyber without simultaneously thinking of cybersecurity.
The GL model provides a logical framework for developing an organization’s strategic approach to cybersecurity risk management. The model can go a long way toward facilitating an organization’s ability to cope with what is usually thought of as a daunting problem. Indeed, although not a panacea, the model can give an organization a ballpark estimate of the optimal amount to invest in cybersecurity activities.
The End is Never Near
The first industrial revolution was characterized by moving from labor-driven to machine-driven production methods. The second industrial revolution involved the use of basic communication systems, as well as the development of transportation systems (e.g., automobiles and railroads). The third industrial revolution consisted of the development of computers and the digital interconnections among communication systems. We are now in, what many calls, the fourth industrial revolution, which includes interconnections among physical and virtual systems. Ever since the third industrial revolution, the term cyber has become a household term. Today, it is hard for one to think of cyber without simultaneously thinking of cybersecurity. Although largely invisible, once a major cyber breach occurs the lack of cybersecurity quickly becomes visible. The need for cybersecurity is an ongoing process with the bright light at the end of the tunnel out of sight. Nevertheless, we still need to move through the tunnel to avoid catastrophic crashes–just like the weaver must avoid pulling the thread.
The author is an Alumni Professor of Managerial Accounting and Information Assurance – Robert H. Smith School of Business, University of Maryland (UMD), USA; Affiliate Professor in UMD Institute for Advanced Computer Studies.
By Lawrence A. Gordon