How Security Programs Reduce Loss

Most security programs show value by either reducing the number of incident occurrences or reducing the impact of those incidents. Understanding where a program draws its value, and how it fits in a defense-in-depth strategy, gives insight into where it can be maximized for optimal benefit and raises flags when expectations are mismatched with function.

Occurrence and Impact

Simply put, security incidents happen and they cause discomfort. Effective programs reduce the number of times incidents occur, lessen their negative impact, or both. These aspects of Occurrence and Impact are important when we look at the complexities of measuring security value in the real world. It is a basic first step, but this type of framing establishes boundaries and clarifies expectations.

Once understood, it may be possible to measure the effectiveness to a level which determines general value and applicability. It can paint an important piece of the picture showing how the collection of security programs provides coverage to the landscape of attacks. Additionally, the big picture can identify inefficient duplications of security services.

Do all security programs manifest value in this way? No. Some efforts are tailored to meet regulatory, ethical, or emotional needs. For those types of initiatives, this general framework has limited applicability to measure value.

Intersection of Defense-in-Depth

The diagram below is an overlay of the Occurrence/Impact domains with the Defense-in-Depth categories as they intersect a typical attack lifecycle. Mapping security capabilities, tools, and services will show coverage and gaps for different types of attacks.

[Figure: How Security Programs Reduce Losses from Cyber Attacks]

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost-effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry-leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry, and his guidance can be heard at conferences and found in whitepapers, articles, and blogs.