Should you spend a million to protect a penny?
Seems absurd, and yet it happens daily: people spend money that does nothing to raise the cost for the cybercriminals.
Human nature runs on incentives and beliefs. If you believe there is a way to spend $100 and get $1,000, you will take it every time.
In reality, a 10x ROI comes with a risk of loss. This is where risk management comes in: it looks at how likely and how impactful different losses would be, and thus how much should be spent to avoid them.
Organizations implementing risk management always want to ensure the amount spent on a mitigation is not more than the expected loss. For cases like natural disasters, this can be predicted reasonably well because there is a good handle on the types of events that might happen and what impact they would have.
These costs can be estimated, and the organization can decide how much to spend on mitigations like storm shutters or different building materials. The types of mitigations are well understood, and residual risk can be transferred to an insurance carrier who will cover the loss if everything else fails.
With all of these pieces in place, the org is protected from natural disasters.
Now, how much of this applies to cybersecurity?
The organization similarly conducts risk assessments and benchmarks to understand what it should protect against. It may also have industry-specific requirements that compel certain controls.
All of these come with cost: cost to hire employees to manage them, cost to license, cost to deploy. Through the risk management approach, these can be matched up to threats, and any residual risk transferred in the form of cyber insurance.
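The cost-versus-expected-loss comparison the post describes can be carried through in code. The example below is added here and is not the post's own; every dollar figure, scenario name and control name is constructed for illustration. It models each loss scenario as an annualized loss expectancy (single-incident loss times expected incidents per year), models each control as a yearly cost plus the fraction by which it reduces a scenario's rate, and then picks controls only while the next one still avoids more loss than it costs. Whatever loss remains after the chosen controls is the residual risk left to accept or transfer to a carrier. The deliberately overpriced "laptop-tracking-service" control is the million-to-protect-a-penny case.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# All figures below are constructed for illustration; none come from the post.


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: dollars per incident (SLE) and expected incidents per year (ARO)."""
    name: str
    single_loss: float
    annual_rate: float

    def ale(self) -> float:
        # Annualized loss expectancy: impact multiplied by likelihood per year.
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Mitigation:
    """A control with a yearly running cost and the fraction by which it cuts each scenario's rate."""
    name: str
    annual_cost: float
    rate_reduction: Dict[str, float]  # scenario name -> fraction in [0, 1]


SCENARIOS: List[Scenario] = [
    Scenario("ransomware", single_loss=500_000, annual_rate=0.2),   # ALE 100,000
    Scenario("bec-fraud", single_loss=50_000, annual_rate=1.0),     # ALE  50,000
    Scenario("stolen-laptop", single_loss=2_000, annual_rate=2.0),  # ALE   4,000
]

MITIGATIONS: List[Mitigation] = [
    Mitigation("mfa", 20_000, {"ransomware": 0.5, "bec-fraud": 0.8}),
    Mitigation("offline-backups", 30_000, {"ransomware": 0.8}),
    # The "million to protect a penny" control: a large spend against a tiny expected loss.
    Mitigation("laptop-tracking-service", 100_000, {"stolen-laptop": 0.9}),
]


def baseline_rates(scenarios: List[Scenario]) -> Dict[str, float]:
    """Annual incident rates before any control is applied."""
    return {s.name: s.annual_rate for s in scenarios}


def total_ale(scenarios: List[Scenario], rates: Dict[str, float]) -> float:
    """Sum of annualized loss expectancy across all scenarios at the given rates."""
    return sum(s.single_loss * rates[s.name] for s in scenarios)


def net_benefit(m: Mitigation, scenarios: List[Scenario], rates: Dict[str, float]) -> float:
    """Loss avoided per year by m at the current rates, minus what m costs to run.
    Negative means the control costs more than the loss it prevents."""
    avoided = sum(
        s.single_loss * rates[s.name] * m.rate_reduction.get(s.name, 0.0)
        for s in scenarios
    )
    return avoided - m.annual_cost


def select_mitigations(scenarios: List[Scenario],
                       mitigations: List[Mitigation]) -> Tuple[List[str], float]:
    """Greedily choose controls while the best remaining one still avoids more loss than it costs.
    Rates are updated after each pick, so two controls that address the same scenario
    are not credited twice for the same avoided loss.
    Returns the chosen control names and the residual ALE left to accept or insure."""
    rates = baseline_rates(scenarios)
    candidates = list(mitigations)
    chosen: List[str] = []
    while candidates:
        best = max(candidates, key=lambda m: net_benefit(m, scenarios, rates))
        if net_benefit(best, scenarios, rates) <= 0:
            break  # nothing left that pays for itself
        for name, cut in best.rate_reduction.items():
            rates[name] *= 1.0 - cut
        chosen.append(best.name)
        candidates.remove(best)
    return chosen, total_ale(scenarios, rates)


def rejected_mitigations(scenarios: List[Scenario],
                         mitigations: List[Mitigation]) -> List[Tuple[str, float]]:
    """Controls that would lose money even against the untreated baseline, with the shortfall."""
    rates = baseline_rates(scenarios)
    return [(m.name, net_benefit(m, scenarios, rates))
            for m in mitigations if net_benefit(m, scenarios, rates) <= 0]


if __name__ == "__main__":
    before = total_ale(SCENARIOS, baseline_rates(SCENARIOS))
    chosen, residual = select_mitigations(SCENARIOS, MITIGATIONS)
    print(f"Baseline ALE: ${before:,.0f}")
    print(f"Chosen controls: {chosen}")
    print(f"Residual ALE to accept or insure: ${residual:,.0f}")
    for name, shortfall in rejected_mitigations(SCENARIOS, MITIGATIONS):
        print(f"Rejected {name}: net {shortfall:,.0f} per year")
```

With the constructed figures, MFA and offline backups are selected (together they cost $50,000 and cut the expected annual loss from $154,000 to about $24,000), while the $100,000 laptop-tracking service is rejected because it can avoid at most $3,600 of loss per year. The greedy re-evaluation after each pick matters: backups look worth $50,000 a year against the untreated baseline, but only $10,000 once MFA has already halved the ransomware rate, which is the kind of double counting a spreadsheet of independent ROI figures hides.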
The trick with cybersecurity is that new techniques are discovered daily. The complexity and ever-changing nature of information systems contrasts with natural threats: there are low odds that rain suddenly starts flowing up from the ground or actively seeks out new ways into a building. With the ever-increasing amount of value in the digital world, there is massive incentive for actors to look for novel techniques.
This leads to a tendency in the security world to be risk-averse towards low-likelihood, high-impact scenarios -- "Attackers could do <x>!". Security vendors have a clear incentive to encourage this, because more fear of highly sophisticated attacks means more customers. Cyber professionals have an incentive to drive it too, because showing that you are the most clever at finding new offensive or defensive techniques leads to accolades and conference speaking engagements.
A better approach is to look at what value your business holds and which threat actors are willing to go after it. This form of incentive-based risk management looks at what the cybercriminals are motivated by and then determines the best mitigation techniques, avoiding spending a million to protect a penny.