Placing a value on the loss caused by a cyber incident can be very difficult. Placing a value on a loss that never happens can be even more difficult. However, these values are important if you are to understand whether or not you are properly investing in the protection of your business.
As a rule of thumb, you should not spend more to protect an asset than the value of that asset. It does not make sense to buy a thousand-dollar safe to protect a ten-dollar baseball card. On the flip side, it makes complete sense to purchase that same thousand-dollar safe to protect two thousand dollars’ worth of jewelry. The idea is to invest in protecting an asset no more than it would cost to replace the asset once.
Some things are hard to place a value on, though. Like family heirlooms, your reputation and brand often carry mostly qualitative value. That is to say, you may not be able to capture their true worth to your organization with a quick number. Unlike most physical assets, such as computers, furniture, and even buildings, which have a quantifiable value and can be replaced with the right amount of money, the qualitative value of some assets is entirely subjective. It is important to seriously consider the value of these types of assets to your organization.
Breaking down the threats
The first step in being able to determine the cost benefit of security controls is to understand the threats and related types of loss that your organization faces. Clearly define the unique types of loss that your organization faces such as theft of IT equipment, data loss through removable media, recovering from system damage caused by malware, and so on. Understanding the singular points of loss within your organization is a critical element for knowing how much you should invest to protect against loss.
Single loss expectancy
The single loss expectancy, or SLE, is the average cost of each single incident for a particular type of loss. For example, an organization might expect each incident of software piracy to cost an average of $500. This value represents the SLE for this type of loss. It can take a bit of work to establish an accurate SLE for some types of incidents.
Incidents such as theft can be easy to quantify, since the total loss generally equals the value of the physical asset that was stolen. Incidents related to data loss or illegal use of software can be more difficult to quantify, since they may also involve legal fees, government fines, potential loss of business, and so on. It is important to consider all factors that contribute to the total cost of a loss, including the personnel costs associated with investigating incidents and rebuilding systems.
Annual rate of occurrence
The annual rate of occurrence, or ARO, is an expression of how frequently a specific type of loss is expected to occur within a given year. It is presented in decimal form, so that one incident per year has an ARO of 1 and a single incident occurring every two years has an ARO of 0.5.
The ARO for various types of incidents can be determined from numerous sources. For cyber threats, annual reports such as the Verizon Data Breach Investigations Report or the Cisco Cybersecurity Report can be used to look at statistical frequency of certain types of events. Local law enforcement agencies can also provide criminal activity trends for your region and industry that will help you understand how frequently certain events might occur. Lastly, do not neglect your own incident history. By looking at the frequency of past events within your organization, you can fairly accurately predict how often the same types of loss will occur in the future.
Annual loss expectancy
Once the SLE and the ARO are known, the annual loss expectancy, or ALE, can easily be determined. The ALE is simply the result of multiplying the SLE by the ARO. The ALE is the dollar value that the organization is expected to lose within a given year to a specific type of event. This number is extremely useful in helping leaders understand just how much specific incidents are costing their organization, and it can be used to help justify acquiring countermeasures.
Figuring out the security benefit of a measure
Countermeasures normally do not completely eliminate risk. Most times, they either limit how much damage a threat might cause or reduce the frequency at which incidents occur. Both of these results can have an impact on the ALE by either modifying the SLE or the ARO. To understand the cost-benefit of a measure, you must understand what impact the measure has in protecting its asset.
Oftentimes vendors of technological solutions, such as firewalls and anti-malware software, can provide an expected result for their product. They may claim to reduce the frequency of incidents by 40% or to minimize the number of affected assets by 90%. Market research, the experiences of other organizations that use the same solutions, and even your own experience can also be used to determine the effect that various measures have. These numbers can then be used to modify either the SLE or the ARO for a given threat.
Calculating cost benefit
So how do you determine the cost benefit of a security measure? Once you understand the ALE for a given threat, both with and without the measure applied, it is relatively easy. It is as simple as subtracting the cost of the control from the difference between the pre-measure ALE (we’ll call this ALEpre) and the post-measure ALE (we’ll call this ALEpost). It can be represented by this simple formula: (ALEpre – ALEpost) – control cost = cost benefit.
Below is an example of a cost benefit analysis for anti-virus software. The first set of figures represents the expected loss without the solution in place. The next set is the adjusted numbers with the solution in place. Note that the anti-virus software reduced the ARO from 52 per year to only 12 per year, reducing the ALE from $26,000 to $6,000, a savings of $20,000. Since implementing the anti-virus software cost the company $15,000, the cost benefit of the solution is $5,000. Also worth noting is that this measure does not affect the cost of each singular event.
Threat: Malware. Countermeasure: Anti-virus software. ("pre" columns are before the countermeasure, "post" columns are after it.)

| SLE pre | ARO pre | ALE pre | SLE post | ARO post | ALE post | Measure Cost | Cost Benefit |
|---|---|---|---|---|---|---|---|
| $500 | 52 | $26,000 | $500 | 12 | $6,000 | $15,000 | $5,000 |
To explain this a little further, the difference between the pre- and post-measure ALEs is the amount of money that the control is saving the company. Because controls most often have expenses associated with them, there is only truly a savings if the control offers a greater loss reduction than its own cost. Remember the rule stated above: an organization should only spend as much to protect an asset as the value of that asset. The same principle applies here. The organization generally should not spend more to reduce a loss than the value of the loss reduction.
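The SLE/ARO/ALE calculation and the cost benefit formula above, worked through as an added Python example (not code from the original article). The names LossProfile and Countermeasure are my own, and a measure's effect is expressed as fractional reductions of the ARO and/or the SLE, the way vendor claims are usually stated, so the same function handles controls that cut frequency and controls that cut per-incident damage:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LossProfile:
    """Expected loss for one threat type (hypothetical helper class)."""
    sle: float  # single loss expectancy: dollars per incident
    aro: float  # annual rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        # Annual loss expectancy = SLE * ARO
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    """A control with an annual cost and its claimed effect (hypothetical helper class)."""
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # 0.40 means 40% fewer incidents per year
    sle_reduction: float = 0.0  # 0.90 means each incident costs 90% less

    def apply(self, before: LossProfile) -> LossProfile:
        # A "reduction" outside 0..1 is a data-entry error, not a real claim.
        for r in (self.aro_reduction, self.sle_reduction):
            if not 0.0 <= r <= 1.0:
                raise ValueError("reductions must be fractions between 0 and 1")
        return LossProfile(sle=before.sle * (1 - self.sle_reduction),
                           aro=before.aro * (1 - self.aro_reduction))


def cost_benefit(before: LossProfile, measure: Countermeasure) -> dict:
    """(ALEpre - ALEpost) - control cost, the article's formula."""
    after = measure.apply(before)
    loss_reduction = before.ale - after.ale
    benefit = loss_reduction - measure.annual_cost
    return {
        "ale_pre": before.ale,
        "ale_post": after.ale,
        "loss_reduction": loss_reduction,
        "cost_benefit": benefit,
        # Rule of thumb: only spend on the control if it removes more loss than it costs.
        "worth_it": benefit > 0,
    }


if __name__ == "__main__":
    # Figures from the article's table: $500 per malware incident, 52 incidents/year
    # before, 12 after (an ARO reduction of 40/52), and a $15,000 control cost.
    malware = LossProfile(sle=500, aro=52)
    antivirus = Countermeasure("anti-virus", annual_cost=15_000, aro_reduction=40 / 52)
    print(cost_benefit(malware, antivirus))
```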