The real costs of cyber attacks are difficult to understand. The impacts of cybersecurity, and of its failures, are terribly challenging to measure, which creates significant problems for organizations seeking to optimize their risk posture. To properly prioritize security investments, it is crucial to understand the overall risk of loss.
Although managing security is complex, the principles of determining value are relatively straightforward. Every organization, from small to large, wants to avoid losing more than the amount of money it spends on security. If, for example, a thief is stealing $10 from you and protection from the theft costs $20, then you are left with an economic imbalance where security costs more than the risk of loss. This is obviously not desirable. If, however, the thief is stealing $100 and the protection still only costs $20, then there is a clear economic net gain of $80. The same principle scales to even the most complex organization regardless of the type of loss, whether it be downtime, competitiveness, reputation, or loss of assets.
Without knowing the overall impacts, value calculations are near impossible, which leaves the Return-on-Investment (ROI) a vague assumption at best. Possessing a better picture of the costs and the risk of loss is key to understanding the value of investments that reduce such unpleasant ambiguity.
The bad news. Cybersecurity is complex, and the damages and opportunity costs are difficult to quantify. So we do what we can, with what we have, and attempt to apply a common-sense filter as a sanity check. But a lack of proficiency leads to inaccuracy, which can result in unfavorable security investments. For example, in early 2015 the FBI estimated the impact of the CryptoWall ransomware by adding up all the complaints submitted to the Internet Crime Complaint Center (IC3). The complaints and reported losses for CryptoWall totaled over $18 million. At the time, it seemed reasonable, even sizeable, given that a single piece of malware was causing so much damage.
The experts, myself included, were wrong. We lacked comprehensive data and similar examples for comparison. In this case, the methodology was not comprehensive, and everyone knew it. Not every person being extorted would report their woes to IC3. We all expected an underestimate based upon this model, but could not do the mental math necessary to generate a more accurate figure. So we held to the data we had. In reality, the estimate was more than an order of magnitude off.
Just a few months later, the Cyber Threat Alliance released a CryptoWall report in which they tracked the actual money flowing from the malware to Bitcoin wallets, the payment mechanism the criminals required victims to use to pay the ransom. One benefit of cryptocurrencies is that the transactions are public, even though the identities of the parties are obscured. Thanks to the public nature of the blockchain transactions, their analysis shows that CryptoWall had earned $325 million.
That is a huge difference! Moving from a belief in $18m of damages to superior data showing $325m in paid ransoms is a great improvement. It provides a much clearer portrait of the problem and gives people better data with which to decide the value of security measures. But we must still recognize this is not the full story. Although the Cyber Threat Alliance did a great job of showing the ill-gotten gains of the ransomware campaign, it still falls short of the even larger realization of loss and impact. It does not capture the harms to those who chose not to pay, the amount of time and frustration every infected person experienced, the costs to recover from the attacks and prevent similar future malware infections, and the loss of business, trust, and productivity due to the operational impairments. There are far more pieces to the puzzle if we are to comprehend the loss in totality.
It all comes back to value. If a clearer understanding of the total loss and impact were consistently available, would people and organizations invest in more effective security? Perhaps, but maybe not. Regardless, it would give everyone better information with which to make informed choices. Managing risk is about making good decisions and finding the optimal level of security. Absent a realistic picture of the overall detriments, the community cannot hope to properly weigh its options in a logical way. The shortfalls in measuring CryptoWall are just one droplet in a sea of examples where analysts struggle to find the hidden costs of cyber attacks. Multiply these accounting misperceptions across the entire cyber ecosystem and we find ourselves standing on a huge iceberg, scurrying about, worried only about what is on the surface.
In cybersecurity we must question what we believe. It is almost a certainty that we are severely underestimating the overall impact and costs of cyber attacks at a macro scale. If this is true, then our response and investment are also insufficient at the same scale. The industry must uncover the true hidden costs in order for the right level of security and strategic direction to be justified. Only then will cybersecurity achieve effectiveness and sustainability.
Intel IT Network: Collection of My Previous Posts