Studying the global trends of information security, throughout the last decade, shows a continuous raise of cyberattack’s frequency, severity and impacts. In 2015, the number of detected security incidents soared 107% over the year before, according to a recent study.
New attack schemes and methods have destabilized actual prevention and detection processes, which have been proved less effective against increasingly in-depth assaults. Many organizations are completely doubtful, in addition to not having sufficient resources required to implement countermeasures against cybercriminals. Thus, it is crucial to define or redefine the main InfoSec aspects and their related responsibilities when addressing the premises of an information security architecture. That said, we will explore two main, and interrelated topics throughout this article:
- Responsibilities and duties of organizations
- Assessing information security investments
The relation between those subjects is extremely important, if not critical, in order to maintain a solid information security environment.
Responsibilities and duties of organizations
Technological mutation and evolution continue to influence the way organizations create value and sometimes in ways that may alter operating models.
Some of today’s most significant business trends, including (but not limited to) the explosion of data analytics, the transformation of business services throughout digitalization, the emergence of new FinTech products, to name a few—have expanded the use of corporate and personal data, and that’s one of the major reasons why this technological global trend is increasing risk.
In addition, many executives see over-regulation and heavy controls as a prime long-term disruptive trend in their industries. Those executives are, most of the time, accountable for corporate governance as a whole. For any enterprise respecting a strict governance model, the management and control of information security risks is an integral part of corporate governance. In practice, however, the Board explicitly delegates executive responsibilities for most governance matters to the Executive Directors, led by the Chief Executive Officer (CEO).
The Executive Directors give overall strategic direction by approving and mandating the information security principles and axioms but delegate operational responsibilities for physical and information security to the Information Security Committee (ISC) chaired by the Chief Security Officer (CSO) and/or the Chief Information Security Officer (CISO).
The Board of Directors often depend on the ISC to coordinate activities throughout the enterprise, ensuring that suitable policies are in place to support organization’s security principles and goals.
The Executive Directors demonstrate their commitment to information security by:
- A statement of support from the CEO;
- Reviewing and re-approving the principles and axioms every year;
- Approving the IT budget including a specific element set aside for information security;
- Receiving and acting appropriately on management reports concerning information security performance metrics, security incidents, investment requests etc.
The Executive Directors also rely on frequent feedback from the ISC, CISO, ISM, auditors, Risk Management, Compliance, Legal and other roles to ensure that the principles, axioms and policies are being considered and implemented within the organization. That’s the big picture when referring to an information security management practice. Dealing with the InfoSec architecture and the related compliance obligations impose direct investments, required to maintain and enhance the enterprise security posture.
Assessing Information Security Investments
As organizations strive to remain competitive in the global economy, they respond to constant pressures to cut costs through automation, which often requires deploying more information systems. While businesses become even more dependent on these systems, these systems have become vulnerable to a widening array of risks that can threaten the operations and at last, the enterprise existence. This is forcing management to take decisions about how to effectively invest in order to address information security issues/requirements, in addition to the compliance duty.
Many organization, if not the majority, must provide strong arguments when forecasting their next budget claim. But they face difficulties to accurately measure the effectiveness and the cost of their information security activities. The reason for that security is not usually an investment that provides profit but loss prevention. So what is the right amount an organization should invest in protecting information?
Security is not generally an investment that results in a profit. Security is more about loss prevention. In other terms, when you invest in security, you don’t expect benefits; you expect to reduce the risks threatening your assets. With this approach, the quantitative assessment the ROSI (Return on Security Investment) is done by calculating how much loss you have avoided thanks to your investment.
Assessing security investment involves evaluating how much potential loss could be saved by an investment. Therefore, the monetary value of the investment has to be compared with the monetary value of the risk reduction. This monetary value of risk can be estimated by a quantitative risk assessment.
Quantitative risk assessment is achieved by determining several components of a risk. As you may know, this risk is majorly calculated by the product of a potentiality and an impact. Therefore, the following notions need to be defined:
Single Loss Expectancy (SLE)
The SLE is the expected amount of money that will be lost when a threat occurs. In this approach, SLE can be considered as the total cost of an incident assuming its single occurrence.
Due to the specific nature of cyber incident, the complexity is to take into account the impact that this incident would have on information assets. For instance, a stolen laptop will not only cost the replacement of the laptop itself but will also imply productivity loss, reputation loss, IT support time and, possibly, cost of intellectual property loss.
The Single Loss Expectancy formula is expressed as: SLE = AV * EF
Detailing this conceptual breakdown of Single Loss Expectancy into Asset Value and Exposure Factor allows us to define the two terms independently. Asset Value will be influenced by sensitivity of asset, inflation, market changes, return on assets, etc., while introducing preventive measures may enable us to reduce the Exposure Factor.
Annualized Rate of Occurrence (ARO)
The ARO is a measure of the probability that an adverse event occurs over a period of reference (a year most of the time). Again, this data is an approximation and can depend on many factors: the ARO of a flood will be influenced by geographic factors, the ARO of a disk failure is linked to the operating temperature, the ARO of an adverse intrusion will depend on the sensitivity and importance of the targeted asset, etc. And, of course, the ARO is also depending on the existing security measures.
Let’s say that a web application server have been compromised 3 times overs a 30 years period. The ARO will be: (3/30) = 0.10.
Annual Loss Expectancy (ALE)
The ALE is the annual monetary loss that can be expected from a specific risk on a specific asset. It’s produced by multiplying the ARO with the SLE.
ALE = ARO * SLE
Return on Security Investment (ROSI)
The ROSI calculation combines the quantitative risk assessment and the cost of implementing security counter measures for this risk. Applied to security, a Return On Security Investment (ROSI) calculation can provide quantitative answers to essential financial questions:
- Is an organization paying too much for its security posture?
- What financial impact on productivity could a lack of security have?
- When is the security investment enough?
- Is this security product/organization beneficial?
In the end, it compares the ALE with the expected loss saving and gives a value that should reflect a monetary loss reduction. This value can be assimilated to a Mitigation Ratio (MR) that will range from 0 (no effect on ALE and on threat) to 1 (100 % effective to prevent the threat). The MR will be a subjective appreciation on which percentage of the threat, the counter measure or technical control is able to prevent/block.
ROSI is then defined as below:
For example, The Acme Corp. is considering investing in an IPS solution. Each year, Acme suffers 6 external intrusion attacks (ARO=6). The CISO estimates that each attacks cost approximately 10.000 $ in productivity (SLE=10.000). The IPS solution is expected to block 70% of the attacks (Mitigation Ratio=70%) and costs 15.000$ per year (License fees 10.000$ + 5.000$ for training, installation, maintenance etc.).
According to this ROSI calculation, this IPS solution is a cost-effective solution. As for any solution obtaining a ROSI superior to 100%. Classifying and prioritizing your security measures/controls through a ROSI approach will induce an accurate calculation of the Total Cost of Ownership related to the design, implementation, and maintenance of the related controls. TCO are one part of the equation where the subjectivity is lessen due to factual data, used to calculate the related costs.
Although ROSI is a good indicator, it results from many approximations. Some of them would be the cost of cyber security incidents as well as the annual rate of occurrence. Costs like reputation and/or customer’s loss are hardly predictable and may have disastrous impact on organizations.The businesses are constantly asked to estimate the cost of security incidents for various categories over the course of a period of reference. Unfortunately, the methods used to calculate these costs vary from business to business. Currently, the “best” actuarial data comes from efforts such as the annual survey of businesses conducted by the Computer Security Institute (CSI) and the U.S. Federal Bureau of Investigation (FBI). Also the Ponemon Institute gives good indicators related to the cost of information security breaches.
Although these data are accurate, they are only reflecting a huge study where thousands of surveys have been aggregated. Organization should preferably orient their studies from the organisation’s historical data on incidents than to rely on the study of a vendor.
Forward-leaning business leaders also are rethinking their cybersecurity practices and focusing on a nexus of innovative technologies that can reduce these risks and improve business performance. One unifying element among these technologies is the cloud computing model. The cloud is central to today’s interconnected digital ecosystem for individuals, businesses and governments. Furthermore, it is the platform that is enabling organizations of all sizes to leverage cloud-based cybersecurity tools, Big Data analytics and advanced authentication. But that will be the next BYOR article, about the pros and cons in terms of information security in the cloud.
See you in three weeks for the BYOR : “Information Security in the cloud ‘’ (Part 2).
Alexandre Pieyre, M.Sc., CISM, CEH, CCNP
Information Security Consultant
 PwC, CSO, CIO, The Global State of Information Security® Survey 2016, October 2015
ENISA, Introduction to Return on Security Investment, Helping CERTs assessing the cost of (lack of) security, [Deliverable – December 2012]
Return on Security Investment (ROSI): A Practical Quantitative Model, no date, https://www.ra.cs.uni-tuebingen.de/lehre/uebungen/ss09/introsec/ROSI-Practical_Model.pdf