Measure value-at-risk due to cybercrime
Looking at the bigger organizational picture
Accurate estimates of value-at-risk due to cyber-crime are hard to come by, because they are not based on data. Does this mean that all quantifying and modeling is useless? No, says Michel van Eeten, full professor at Delft University of Technology and member of the Dutch Cyber Security Council. He was one of the speakers at the Value of Cyber Risk Quantification event 2016. Just don’t get hung up on numbers. And take secondary impact into account. Especially productivity losses.
Guest blog by Michel van Eeten (TU Delft) - 5 December 2016
Quantifying and modeling
The problem with current estimates is that they are not empirically based and merely reflect their own initial assumptions. Quantifying and modeling per se is not the problem; overarching numbers are. In some areas we can make estimates quite precisely. Take consumer losses. You can survey what incidents there are and what actual losses have been suffered. Daunting, but doable. But regarding losses in intellectual property, there is simply no data available. So there’s no basis for expert judgment here. Even if you know all the facts about the breach, you don’t know what the exact damage is. This in itself is fine as a conclusion: acknowledge the gap and accept it. Trouble starts when you try to fill this gap with made-up stuff – because that’s just what these estimates are made of.
Once you let go of the desire to have an overarching number, you can deal with each value area in an appropriate way. Some areas allow for a quantitative approach, while others only for a qualitative one, which could be quite informative too. Companies tend to myopically look at the direct damage after a security breach; the out-of-pocket losses. But these costs aren’t nearly as high as the costs of security measures, both preventive and ‘curative’, and of the productivity losses caused by those security measures.
What can companies and government organizations undertake to improve their risk assessment? Two things basically. First, develop a mix of quantitative and qualitative information. The main pitfall here is getting sucked into the data trap. It’s a bit like the drunk guy who returns home at night and cannot find his key. He has no clue where he’s lost it, but looks for it near a lamp post because that’s where the light is. So think about where the actual impacts are, and if you can’t quantify them, don’t lose track of them.
The other thing is: treat your secondary impact as very important. Productivity losses are at the top of that list. Very few organizations really reflect on productivity impact. That’s because security officials have no operational obligations. They have no productivity performance indicators that they are accountable for. That is why these two worlds – security and operations – are completely disconnected. For example, look at password quality. Passwords are subjected to many rules. They have to have so many capitals, numbers, a minimum length, etcetera, to make them supposedly more secure. Many of these rules do not even lead to more secure passwords. Moreover, the main impact of all these rules is productivity loss, because people spend more time creating complicated passwords, entering them, getting them wrong, and waiting for password reset procedures. We’re talking about seconds here, but you do it so often, and so do all of your colleagues. This adds up to a substantial number of man-hours per month. But security is only concerned with: is a twelve-character password safer than an eight-character password, all other things being equal? And the answer is yes. But other things are not equal.
What's the total impact of a data breach?
The next question is: will these security measures generate enough security benefit to justify them? And then the answer is often no. Very few attacks on passwords are so-called brute-force attacks (where one tries to guess the password). But brute force is the only type of attack that these password policies protect you against. Against all other attacks, which are much more prevalent, you are not protected. Not at all. So these measures offer very marginal security gains – if any – and cause a lot of productivity loss. I would say they’re irrational.
Rationality here would mean looking at the bigger organizational picture. What’s the total impact of a data breach, the investments in security measures and time spent on them included? The people who put these measures in place should be aware of their impact on the overall operational profit. They should take a broader view.
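The argument above can be made concrete with a small cost/benefit model: the productivity cost of a password-complexity rule (seconds per login, failed entries, reset procedures, multiplied across the organization) set against the loss it avoids, which only applies to the brute-force share of incidents. This is an added example, not part of the original post; every parameter value is a constructed assumption to be replaced with an organization's own measurements.

```python
"""Toy cost/benefit model for a password-complexity rule.

Added example, not from the original post. All parameter values used
below are constructed assumptions; substitute your own measurements.
"""
from dataclasses import dataclass


@dataclass
class PolicyCost:
    employees: int            # people subject to the rule
    logins_per_day: float     # password entries per person per workday
    extra_seconds: float      # added seconds per entry caused by the rule
    mistype_rate: float       # fraction of entries that fail and are retried
    resets_per_month: float   # reset requests per person per month
    reset_minutes: float      # minutes lost per reset (user plus helpdesk)
    workdays_per_month: int = 21


def productivity_hours_per_month(c: PolicyCost) -> float:
    """Work hours lost per month across the whole organization."""
    entries = c.employees * c.logins_per_day * c.workdays_per_month
    # a failed entry costs the extra time again when it is retried
    entry_seconds = entries * c.extra_seconds * (1 + c.mistype_rate)
    reset_minutes = c.employees * c.resets_per_month * c.reset_minutes
    return entry_seconds / 3600 + reset_minutes / 60


def expected_loss_avoided(incidents_per_year: float, brute_force_share: float,
                          loss_per_incident: float, reduction: float) -> float:
    """Annual loss avoided by the rule. Only the brute-force share of
    incidents is affected; phishing, reuse and malware are untouched."""
    return incidents_per_year * brute_force_share * loss_per_incident * reduction


def net_annual_value(cost: PolicyCost, hourly_rate: float,
                     incidents_per_year: float, brute_force_share: float,
                     loss_per_incident: float, reduction: float) -> float:
    """Benefit minus the yearly productivity cost; negative means the rule
    costs more than the risk it removes."""
    benefit = expected_loss_avoided(incidents_per_year, brute_force_share,
                                    loss_per_incident, reduction)
    yearly_cost = productivity_hours_per_month(cost) * 12 * hourly_rate
    return benefit - yearly_cost


if __name__ == "__main__":
    # constructed sample: 1000 staff, 4 logins a day, 3 extra seconds each
    policy = PolicyCost(1000, 4, 3, 0.1, 0.25, 15)
    print(f"{productivity_hours_per_month(policy):.1f} hours lost per month")
    print(f"net value per year: {net_annual_value(policy, 50, 10, 0.05, 20000, 0.9):.0f}")
```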
The value of cyber risk quantification event 2016
Michel van Eeten was one of the speakers at the cyber risk quantification event of Deloitte. This event was created to inspire discussion on the purpose and potential of cyber risk quantification for society as a whole and help turn on the lights. Please find the presentations of the other speakers in a report of this event.