How to get the best ROI for investments in cyber security?

28 September 2019

During a workshop this week we had a discussion on risk management and investment in cyber security. Risk is the product of likelihood of occurrence (LoO) and severity of impact (SoI). So, to reduce the risk we can either try to reduce the SoI, or the LoO, or both.

We do risk management because we have limited resources. The big question is always: Where shall I spent my resources?  Or, where can I gain the best ROI? Shall I reduce the likelihood of occurrence or the severity of the impact? Or both?

The Cyber Kill Chain is a great model to study this.

Cyber Kill Chain - Risk Management - Cost

Cyber Kill Chain – Risk Management – Cost

We can reduce the likelihood of occurrence starting during the delivery phase up to the command & control phase. Once the attacker crosses the red line the LoO is 100 %.

The severity of impact can be reduced starting at the midst / end of the exploitation phase. WannaCry, for example, started the encryption immediately during installation of the malware and contacted in parallel its command & control server. Once the attacker crosses the red line, the impact and thus the costs for recovery are high.

The big problem with reducing the likelihood of occurrence is that we have in the best case only some seconds to minutes until the attacker crosses the red line. For efficient use of this time we need to invest in preventive or proactive means.

Cyber security awareness training, for example, is a very efficient preventive measure to reduce the LoO during the delivery and exploitation phase, because the exploitation of about 35% (Data NIST NVD, CVSS V3, UI:R) of vulnerabilities published in 2018 requires user interaction. Priority patching is another preventive measure with can stop an attacker early.

Backup and emergency recovery are great means to reduce the severity of impact. But the latest attack on Norsk Hydro makes clear that, even with the best crisis management, the recovery of some thousand systems from scratch takes some time.

When used in context with the existing security controls, the Cyber Kill Chain provides support in setting priorities in cyber security investment. The Mitre ATT@CK framework, which is based on the Cyber Kill Chain, brings the required methodology in the planning process. Give it a try.

Have a great weekend.