Information Security Today


Cyber Economics

By Paul Nguyen, President of CSG Invotas

The economics of cyber threats are simple: cyber attacks are easy to organize and cheap to enact. Any computer anywhere can become the front line of an attack, which is not only difficult to defend against but also demands constant vigilance and flexible defensive moves, both of which are considerably more costly. CIOs and CISOs need to reverse these economics and change the game in their favor by driving down the cost to defend and increasing the cost to attack.

Unfortunately, the economics behind cyber threats overwhelmingly favor attackers. For one thing, the investment needed to launch an attack is low and the yield from a successful attack is high, but attackers enjoy other benefits as well. Hacktivists gain widespread visibility and notoriety, criminals earn large profits by selling private information, and nation-state attackers target leading financial institutions to gather valuable intellectual property and make political headlines.

At the same time, the cost to defend against attacks continues to skyrocket. Pricey new defensive tools enter the market every day to help organizations keep ahead of attackers; at the same time, those organizations try to hire and train more security professionals in hopes it will make their cyber defenses more effective. In traditional economics, this type of scenario plays out as the law of diminishing returns. Simply put, the law states that as the number of employees (i.e., security staff) increases, at some point the marginal productivity of each additional employee will be less than the previous one. The more employees we add, the less efficient the model becomes. The same holds true for ongoing additions of security tools: more and more tools provide diminishing returns on our investment over time. These factors lead to increased complexity and climbing inefficiencies, which are counter-productive in a climate that favors ever more sophisticated and efficient attackers.

Other hefty price tags may be attached to insurance premiums and litigation fees to defend against reputational and legal harm after an attack, or to the third-party audits required to maintain compliance. There is the high cost of personnel, too: attracting and retaining skilled security staff is increasingly competitive and expensive. Today, U.S. companies spend an average of $10 million per year to clean up after a cyber attack. Costs to businesses have risen an average of 78% and the time to recover from a breach has increased 130% over the past four years, and that does not include the cost of legal or brand damage.

Increasingly, such threats apply to individuals as well. Data sets rich with identity information are the new gold: they are important enough to be included in estate and divorce documents, and certainly important enough to steal. Stealing just one piece of information can open a thread that unravels a person's financial, medical, social, political, and professional identity, and enables criminals to hold digital identities for ransom or wipe out valuable online assets such as music or pictures in seconds.

To reverse these troubling trends and shift the cost burden of cyber threats to the bad actors who perpetrate them, security executives need to find creative ways to penalize attackers and slow down attacks. They need to reduce distractions, network noise, and unplanned gaps in security coverage; improve performance by reducing inefficiencies caused by skills gaps, training, or inexperience; and boost quality by decreasing the number of errors, whether human or system. The goal is not to make systems and networks impenetrable; time and time again, black hats outmaneuver even the most sophisticated systems. Instead, the focus should be on making the attack too risky and too costly to enact in the first place.

Boosting the speed at which organizations respond to attacks can help. Faster responses to attacks mean less danger to sensitive data, systems, and networks; they also preserve skilled security staff time to focus on more complex remediation and analysis-based tasks. We've seen what happens when defenses are overwhelmed and attackers have free rein in a network, whether from malware, phishing attacks, or other threat types, so organizations must strengthen security to the point that penetrating a network simply costs too much in money or time to pursue. At the same time, organizations must decrease the cost to defend by layering security fences in new technology deployments, by adopting automated threat response capabilities to optimize staff and response time, and by shifting the state of the network in real time to spoof attackers and force them to revise attack scenarios. Adopting such measures will enable organizations to fight back and shift the economic tide in their favor.


© Copyright 2014 Auerbach Publications