
Are you spending too much on cyber security?

By Staff Writer, ITWeb
Johannesburg, 20 Aug 2021

Security breaches cost companies around the world hundreds of millions of dollars. Over and above the ransom and regulatory fines, breaches disrupt operations and cause reputational damage.

To mitigate the risk of security breaches, companies spend fortunes on hiring the right IT personnel and buying the latest and best cyber security solutions.

The question is, are they spending too much, or not enough?

According to a recent report by Nucleus Research, "Are you overspending or underspending on cyber security", cyber security budgets shouldn’t be adjusted based on fear or perceived threats, but should rather be treated in much the same way as in the insurance industry, by weighing the risks and determining the value of security.

The Nucleus research determined that an organisation worth $20 million with an average loss of $2 million from a cyber attack should spend no more than $1 013 167 if it’s thought there is at least a 50% chance of an attack.

If it’s thought there is a 20% or 10% chance, then the business should spend no more than $408 427 and $204 740, respectively.

But how do you determine how at risk you are?

“Even if an organisation has a high risk for a cyber attack, it isn’t efficient to invest in cyber security for more than what the organisation is worth,” says Nucleus.

By considering investments in cyber security as an insurance problem, Nucleus says organisations can calculate the optimal amount to spend.

The formula

Suppose a medium-sized organisation is worth $20 million, and the direct and hidden cost of a cyber attack is $2 million; after an attack, then, the organisation is worth $18 million. For simplicity, let’s assume there is a 50/50 chance that it will suffer a breach.

“The last measure needed is how much utility the organisation gains depending on its worth. Every organisation values utility differently, or how much it is willing to incur risk. A fair assessment of a risk-averse organisation would be the square root of the organisation’s worth,” the company explains.

So the formula in this case would be as follows:

Expected utility = probability of no attack × utility of no attack + probability of attack × utility after attack

Expected utility = 0.5√(20 000 000) + 0.5√(18 000 000) = 4,357.39

Given these values, Nucleus says the expected utility or value of the business is approximately 4 000. “To determine how much an organisation is worth with cyber security, place the expected utility into the utility function and solve. In this example, the organisation is worth almost $19 million when accounting for the risk of an attack.”

The last step in determining how much a business should pay is subtracting its original worth from its worth with cyber security included, says Nucleus Research, noting that these calculations rely on the assumption that the cyber defence is 100% effective in defending the company.

The final value of $1 013 167.02 is the maximum this organisation should spend on all cyber security, including IT personnel time, software subscriptions and software, says Nucleus.
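The calculation above can be written as a small function so the maximum spend can be recomputed for any worth, loss and attack probability. This is an added example for this article, not code from Nucleus Research or ITWeb; it assumes, as the report does, the square-root utility function for a risk-averse organisation and a defence that is 100% effective, and it reproduces the $1 013 167, $408 427 and $204 740 figures quoted above. It also shows, as a comparison the article does not make, what the same method gives for a risk-neutral organisation (identity utility), where the maximum spend collapses to the plain expected loss.

```python
from math import sqrt

# Constructed figures matching the worked example in the article:
# organisation worth $20 million, attack cost $2 million.
ORG_WORTH = 20_000_000
ATTACK_LOSS = 2_000_000

# Utility function and its inverse. The report's risk-averse choice is the
# square root, so the inverse is squaring. A risk-neutral organisation would
# use the identity function for both.
RISK_AVERSE = dict(utility=sqrt, inverse_utility=lambda u: u * u)
RISK_NEUTRAL = dict(utility=lambda w: w, inverse_utility=lambda u: u)


def expected_utility(worth, loss, p_attack, utility=sqrt):
    """Expected utility = P(no attack) * u(worth) + P(attack) * u(worth - loss)."""
    if not 0.0 <= p_attack <= 1.0:
        raise ValueError("p_attack must be a probability in [0, 1]")
    if loss > worth:
        raise ValueError("loss cannot exceed worth; utility is undefined for negative worth")
    return (1 - p_attack) * utility(worth) + p_attack * utility(worth - loss)


def max_security_spend(worth, loss, p_attack, utility=sqrt, inverse_utility=lambda u: u * u):
    """Maximum rational spend on security, assuming the defence is 100% effective.

    The expected utility is mapped back through the inverse utility function to
    get the organisation's certainty-equivalent worth (what it is worth once the
    risk of an attack is accounted for). The gap between the original worth and
    that certainty equivalent is the most it should pay to remove the risk.
    """
    eu = expected_utility(worth, loss, p_attack, utility)
    worth_with_security = inverse_utility(eu)
    return worth - worth_with_security


def spend_table(worth, loss, probabilities, **attitude):
    """Maximum spend (rounded to whole currency units) for each attack probability."""
    return {p: round(max_security_spend(worth, loss, p, **attitude)) for p in probabilities}


if __name__ == "__main__":
    for label, attitude in (("risk-averse (sqrt)", RISK_AVERSE), ("risk-neutral", RISK_NEUTRAL)):
        print(label)
        for p, spend in spend_table(ORG_WORTH, ATTACK_LOSS, (0.5, 0.2, 0.1), **attitude).items():
            print(f"  P(attack)={p:.0%}: spend at most ${spend:,}")
```

Under the square-root utility the 50% case gives 4357.39 expected utility and a maximum spend of about $1 013 167, exactly the article's number; the risk-neutral comparison gives $1 000 000 for the same inputs, which is simply probability times loss. The difference between the two is the premium a risk-averse organisation is willing to pay over the expected loss, which is the "insurance" framing the report uses.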

Impeding growth

Improperly investing in cyber security has the potential to impede growth, because financial resources are limited, meaning any funds allocated to cyber security, external consulting, or legal fees from cyber crime restrict the company from revenue-increasing investments.

“If there are gaps in the defences, there will be a false sense of security, leading employees to engage in vulnerable activities. Cyber security can also reduce the productivity of an organisation. Software intended to reduce risky behaviour can tighten access controls and reduce the performance of devices. In the short term, security breaches are very expensive.”

However, long-term, breaches are unlikely to cause recurring expenses. When a business invests in security software, it’s essentially investing in an insurance policy, and by weighing the expected loss and accounting for the breach's impact over time, an organisation can determine the optimal amount it should spend.

“Instead of allocating cyber security spending based on fear and preparing for the worst-case scenario, which might not happen, organisations should assess their level of risk and determine the actual value of the security. This concept will reduce the probability of overspending while still maintaining a responsible defence around networks and devices,” the company advises.
