What should you do to be secure?
There are a variety of activities that you as a cyber defender could do. This leads to a bewildering number of options across price points and against different types of threats. Large organizations often have strict regulatory requirements and/or know that they have to guard against all threats, but for smaller organizations it is less clear. There are many things you could be at risk from, yet only a handful keep coming back. Security Energy simplifies this process to its essence: knowing how much security you should have for the threats you will face.
What threats will you face? Cyber threats are driven by ROI and incentives just like other forms of human behavior. If there is no incentive to go after your organization, then that specific threat doesn't exist for you. The most common incentive is naturally money, since it is portable and transformable for all the historic economic reasons. In the cyber realm, the easiest way to monetize a breach is to use your own computers' encryption ability against you in the form of ransomware. How much could a cyber attacker get from you in such a situation? To answer this, you must step into the shoes of a cyber attacker for a moment.
Research of disclosed breaches indicates ransoms average 3-4% of the target organization's annual revenue and have a "success" rate of 2-10%. Both numbers have high variance depending on the source, so this is a perfect opportunity to use Fermi estimation, where swings of 2-3x are acceptable and most errors will cancel out. Fermi estimation treats everything in orders of magnitude to emphasize big differences, i.e., whether a ransom is $1000 or $2000 has little effect on cyber capabilities, but $10,000 vs $1000 is significant.
Using Fermi estimation, a typical individual making $100,000 per year would be subject to a $3000 ransom if attacked. Using a success rate of 3.3% yields an expected value of $100 for each such person attacked. Since the attacker is financially motivated to get a positive ROI, they must "spend" less than $100 per target. Put another way, if the success rate is 3.3%, then an average of 30 people must be targeted in order to get a single $3000 payout. This is an inverted form of customer acquisition cost, if you have a sales background.
The threat actor may not spend $100 directly; they may instead take some time crafting emails, writing malware, or configuring infrastructure. Influence Energy is defined as the logarithm of the total time and/or money spent on an attack against a single target. $100 is also a good order-of-magnitude approximation of one hour of time for someone with moderate computer skill, so you can think of Influence Energy in either time or money.
| Influence Energy | Attacker Hours | Attacker $ | Ransom $ | Target Rev $ |
|---|---|---|---|---|
| 0 | 1 | 100 | 3000 | 100M |
| 1 | 10 | 1000 | 30M | 1MM |
| 2 | 100 | 10M | 300M | 10MM |
| 3 | 1000 | 100M | 3MM | 100MM |
| 4 | 10000 | 1MM | 30MM | 1B |
| 5 | 100000 | 10MM | 300MM | 10B |

(Dollar figures use M = thousand, MM = million, B = billion, so the level 0 row is the $100,000 individual from the example above.)
A level 0 attacker could spend more time and/or money to increase their Influence Energy, and thus their chance of success, but more than a 2-3x increase would risk negative ROI against a $100,000 target. A ten-fold increase in capability would bring this attacker to level 1, where they would be able to go after bigger targets. This can continue to levels 2, 3, and beyond, but each increment raises the cost exponentially (ten-fold per level), so fewer and fewer threat actors are capable of climbing the ladder. Influence Energy level 5 would be the domain of large organizations, think state sponsored, with enormous budgets and personnel going against large, hard, and valuable targets.
With Influence Energy defined, you have a quantitative band for what kinds of resources an attacker will use against an organization of a given revenue. Importantly, this is a finite list! Many people are convinced by security FUD that cyber attackers have endless budgets and time, but unless you have something on the order of $100 billion in value to face a theoretical level 6 cyber-attack, your adversary has resources limited by what's on the chart.
Now, to bring it full circle to how to be secure, you must look at what mitigations are needed for each level of Influence Energy. Security Energy is a measurement of the people, processes, and technology that can mitigate threats at a given level of Influence Energy. For example, Security Energy level 3 is the optimized set of defensive techniques that will mitigate all attack techniques at Influence Energy level 3. This means that no matter what capability an IE3 attacker brings, it will be stopped by a defender prepared with Security Energy 3.
Security Energy includes time employees put in directly, technology purchased from others, and skill development through education. It can be measured by checking the organization's security posture and processes against a reference set for the organization's worth and the corresponding set of Influence Energy capabilities.
Combining Security Energy levels with target revenue yields an at-a-glance risk profile and suggested spend on cyber defense. This spend is not just on cybersecurity, as device lifecycle and proper IT management are also key parts of mitigating threats.
| Security Energy | Target Rev | Defense Spend |
|---|---|---|
| 0 | 100M | $500 |
| 1 | 1MM | $5000 |
| 2 | 10MM | $50M |
| 3 | 100MM | $500M |
| 4 | 1B | $5MM |
| 5 | 10B | $50MM |
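The two tables above are the output of one small Fermi model, so it is worth seeing the arithmetic that generates them. The script below is an added example, not code from the post or its author. It assumes the ratios the post states (ransom about 3% of annual revenue, one payout per roughly 30 targets, $100 per attacker-hour as Influence Energy level 0) and reads the defense spend ratio off the Security Energy table ($500 per $100,000 of revenue, i.e. 0.5%). The helper names (`fermi_round`, `risk_profile`, and the rest) are mine. It generalizes the tables slightly: you can feed it any revenue figure and get the ransom, the attacker's break-even spend, the Influence Energy a profitable attacker can bring, and the matching Security Energy and defense spend.

```python
import math

# Model parameters taken from the post (assumptions of this example, not
# the author's code): ransom ~3% of annual revenue, one payout per ~30
# targets (~3.3% success), $100 ~ one attacker-hour (Influence Energy 0),
# defense spend ~0.5% of revenue ($500 per $100,000 in the table).
RANSOM_FRACTION = 0.03
TARGETS_PER_PAYOUT = 30
DOLLARS_PER_ATTACKER_HOUR = 100
DEFENSE_SPEND_FRACTION = 0.005


def fermi_round(x: float) -> int:
    """Round to one significant figure. Fermi estimates care about orders
    of magnitude only, so 2999.7 and 3000 are the same number."""
    if x <= 0:
        raise ValueError("Fermi rounding needs a positive value")
    exponent = math.floor(math.log10(x) + 1e-9)
    return round(x / 10 ** exponent) * 10 ** exponent


def ransom_for(revenue: float) -> int:
    """Ransom an attacker would demand from a target with this revenue."""
    return fermi_round(RANSOM_FRACTION * revenue)


def expected_value_per_target(revenue: float) -> float:
    """Attacker's average payout per target attacked: ransom x success rate.
    This is the attacker's break-even spend, the post's $100 for $100,000."""
    return ransom_for(revenue) / TARGETS_PER_PAYOUT


def influence_energy(attacker_spend: float) -> int:
    """Influence Energy = log10 of per-target spend, with $100 as level 0."""
    return math.floor(math.log10(attacker_spend / DOLLARS_PER_ATTACKER_HOUR) + 1e-9)


def attacker_hours(level: int) -> int:
    """Attacker Hours column: 10^level hours."""
    return 10 ** level


def attacker_dollars(level: int) -> int:
    """Attacker $ column: $100 x 10^level."""
    return DOLLARS_PER_ATTACKER_HOUR * 10 ** level


def has_positive_roi(attacker_spend: float, revenue: float) -> bool:
    """True if spending this much per target still pays off on average.
    A level 0 attacker spending 3x ($300) on a $100,000 target does not."""
    return attacker_spend < expected_value_per_target(revenue)


def max_profitable_influence_energy(revenue: float) -> int:
    """Highest Influence Energy an ROI-driven attacker can bring: spend per
    target must stay below the expected value per target."""
    return influence_energy(expected_value_per_target(revenue))


def required_security_energy(revenue: float) -> int:
    """Security Energy that stops every attacker who can profitably target
    this revenue; it matches the maximum profitable Influence Energy."""
    return max_profitable_influence_energy(revenue)


def defense_spend_for(revenue: float) -> int:
    """Defense Spend column: ~0.5% of revenue, Fermi-rounded."""
    return fermi_round(DEFENSE_SPEND_FRACTION * revenue)


def risk_profile(revenue: float) -> dict:
    """One row spanning both of the post's tables for a given revenue."""
    level = required_security_energy(revenue)
    return {
        "revenue": revenue,
        "ransom": ransom_for(revenue),
        "attacker_break_even": expected_value_per_target(revenue),
        "influence_energy": level,
        "attacker_hours": attacker_hours(level),
        "attacker_dollars": attacker_dollars(level),
        "security_energy": level,
        "defense_spend": defense_spend_for(revenue),
    }


if __name__ == "__main__":
    # Reproduce the post's rows for $100,000 through $10 billion in revenue.
    for revenue in (1e5, 1e6, 1e7, 1e8, 1e9, 1e10):
        p = risk_profile(revenue)
        print(f"rev ${p['revenue']:>14,.0f}  ransom ${p['ransom']:>12,}  "
              f"IE/SE {p['influence_energy']}  attacker ${p['attacker_dollars']:>10,}  "
              f"defend ${p['defense_spend']:>11,}")
```

Because every figure is passed through `fermi_round`, the output is stable under the 2-3x swings the post says are acceptable: a 3.5% ransom rate or a 1-in-25 success rate lands on the same rows. The `has_positive_roi` check is the quantitative form of the post's "more than 2-3x increase would risk negative ROI" remark, and is the number a defender can use to judge which Influence Energy levels are actually worth planning for.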
Implementing this minimal set of defense techniques still requires effort, but it can be done in a structured way, and at the end you will be secure!
Follow this blog for forthcoming updates on specific actions needed for Security Energy levels 0-2. Get in touch today if you need help understanding where you are and if you can't wait to find out what you need!