Optimizing Security Investment Through a Business Case (Part 2)
Optimizing security investment? Every organization needs at some point to determine whether a particular security investment (or expense) is justified by a business case. As discussed in Part 1 of our security business case series, even quantifying expected losses can be challenging. Fortunately, in the case of personal data breach losses, we have reputable industry statistics to work with. But how the business case turns out is still all about which assumptions forecasters make.
Constructing Business Case Parameters
Recently, we had to develop a business case to support funding our recommendations for a DLP Solution Roadmap for a higher education institution client. We decided it was imperative to be transparent about our assumptions. And, if possible, take some of the subjectivity out of the business case. Our starting point was the set of parameters listed in last week’s post.
|Parameter #|Parameter Value|Description|
|---|---|---|
|1|$154|Ponemon # for average U.S. per record breach remediation cost|
|2|$300|Ponemon # for average education industry per record cost|
|3|22,000|Ponemon # for identity records lost in average breach in 2015|
|4|22%|Ponemon # for organization’s breach probability over 24 months|
|5|2|Two 24 month periods over life of the security investment|
|6|33%|Increased breach likelihood due to institution’s many security gaps|
|7|50,000|Institution’s approximate current student record count|
|8|100,000|Recent student record count|
|9|500,000|Maximum historical student record count|
Let’s look more closely at the parameters. The first four are pure industry numbers. The others are specific to this business case and this client. Parameter 6 represents a more pessimistic assumption that could be made for the client’s breach likelihood. Parameters 7, 8, and 9 reflect increasingly pessimistic possibilities for the size of a possible breach: 50,000 is the approximate number of currently active students, 100,000 covers all students enrolled within the last 10 or so years, and 500,000 covers all other students whose PII may be retained for historical reasons.
Points 1 through 6 on the figure above graph a series of increasingly pessimistic assumptions on the expected loss, each scaled by the two 24-month periods of parameter 5. Point 1 = $1.5M = $154 × 22,000 records × 22% probability × 2 periods; Point 6 = $19M = $300 × 100,000 records × 33% probability × 2 periods; and so on.
How Much Security Investment do Expected Losses Justify?
To analyze the recommended security investment’s hypothetical cost-effectiveness against various expected loss scenarios, Security Architects Partners applied the Gordon-Loeb model for cybersecurity investments. This model from Professors Gordon and Loeb at the University of Maryland compares probability-weighted loss estimates against proposed security spending, with a twist: the maximum desirable security spending for any estimated loss is discounted to only 37% of the loss.
The reason for discounting spend is twofold: 1) the security investment should always be less than the expected loss because it cannot provide a 100% guarantee of protection, and 2) the more a company spends, the lower the marginal protection benefit of each additional dollar. The 37% parameter was derived through some complex mathematics and statistics that attempt to quantify what already “feels” intuitively correct.
Running the Numbers
With this background in Ponemon Institute’s copious statistical data and a model for cybersecurity investment, we ran the client’s numbers as follows.
Step 1: Estimated the value of student and staff personal information (e.g. social security number (SSN), FERPA and HIPAA data) in terms of breach loss expectancy with the parameters above to reflect pessimistic and optimistic assumptions on the size of a breach, and the per-record remediation cost.
Step 2: Estimated the probability that the client will experience a cybersecurity breach of the information under both pessimistic and optimistic assumptions on probability.
Step 3: Multiplied the expected loss values from Step 1 by the breach probabilities from Step 2 to derive eight probability-weighted expected loss values, six of which we display as points on the graph.
Step 4: Discounted the probability-weighted expected loss points to 37% of their original value to reflect Gordon-Loeb’s thesis that the optimal level of security spending to prevent an expected loss should not exceed 37% of the loss.
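The four steps above, together with the Gordon-Loeb discount explained earlier, reduce to a small amount of arithmetic that is easy to get subtly wrong (for example, forgetting the two-period factor of parameter 5). The following Python script is an added example written for this post; it is not Security Architects Partners’ own tool. It takes the parameters from the table, computes probability-weighted expected loss for a scenario, caps optimal spend at 37% of that loss (Gordon and Loeb’s 1/e bound), and classifies a proposed investment against each cap. The page does not list all eight scenarios, so the grid of cost, record-count and probability combinations below, the 10% tolerance band used for “about optimal”, and the function names are assumptions made here for illustration.

```python
"""Gordon-Loeb screen of a security investment against breach-loss scenarios.

Added example, not the post's own tool. Parameter values are the ones in the
post's table; the scenario grid and the 10% tolerance band are assumptions.
"""
from dataclasses import dataclass
from itertools import product

# Gordon-Loeb: optimal spend to protect an information set never exceeds
# ~1/e (about 37%) of the probability-weighted expected loss.
GORDON_LOEB_CAP = 0.37

# Parameters from the post's table (USD per record, records, probabilities).
COST_US_AVERAGE = 154          # parameter 1
COST_EDUCATION = 300           # parameter 2
RECORDS_PONEMON_AVERAGE = 22_000   # parameter 3
PROB_PONEMON_24_MONTHS = 0.22  # parameter 4
PERIODS = 2                    # parameter 5: two 24-month periods
PROB_WITH_GAPS = 0.33          # parameter 6
RECORDS_CURRENT = 50_000       # parameter 7
RECORDS_RECENT = 100_000       # parameter 8
RECORDS_HISTORICAL = 500_000   # parameter 9

RECOMMENDED_INVESTMENT = 1_300_000  # $1.3M over four years, from the post


@dataclass(frozen=True)
class Scenario:
    label: str
    cost_per_record: float      # Step 1: per-record remediation cost
    records: int                # Step 1: size of the assumed breach
    breach_probability: float   # Step 2: probability over one 24-month period
    periods: int = PERIODS      # investment life in 24-month periods

    def expected_loss(self) -> float:
        # Step 3: probability-weighted loss over the life of the investment.
        return (self.cost_per_record * self.records
                * self.breach_probability * self.periods)

    def optimal_spend_ceiling(self) -> float:
        # Step 4: Gordon-Loeb discount to 37% of the expected loss.
        return GORDON_LOEB_CAP * self.expected_loss()


def assess(scenario: Scenario, investment: float, tolerance: float = 0.10) -> str:
    """Classify an investment against the scenario's Gordon-Loeb ceiling.

    The tolerance band (assumed here, not from the post) treats spending within
    +/-10% of the ceiling as 'about optimal'.
    """
    ceiling = scenario.optimal_spend_ceiling()
    if investment > ceiling * (1 + tolerance):
        return "above optimum"
    if investment >= ceiling * (1 - tolerance):
        return "about optimal"
    return "cost-effective"


def scenario_grid() -> list:
    """Assumed grid: both per-record costs x four breach sizes x two probabilities."""
    grid = []
    for cost, records, prob in product(
        (COST_US_AVERAGE, COST_EDUCATION),
        (RECORDS_PONEMON_AVERAGE, RECORDS_CURRENT, RECORDS_RECENT, RECORDS_HISTORICAL),
        (PROB_PONEMON_24_MONTHS, PROB_WITH_GAPS),
    ):
        grid.append(Scenario(f"${cost}/rec x {records:,} x {prob:.0%}", cost, records, prob))
    return grid


def run(investment: float = RECOMMENDED_INVESTMENT) -> dict:
    """Return {scenario label: (expected loss, ceiling, verdict)} for the grid."""
    return {
        s.label: (s.expected_loss(), s.optimal_spend_ceiling(), assess(s, investment))
        for s in scenario_grid()
    }


if __name__ == "__main__":
    for label, (loss, ceiling, verdict) in run().items():
        print(f"{label:32s} loss ${loss:>14,.0f}  ceiling ${ceiling:>13,.0f}  {verdict}")
```

Running the script reproduces the post's Point 1 ($1.49M expected loss, so a $1.3M investment is above the 37% ceiling of about $0.55M), Point 6 ($19.8M, where the same investment is well under the $7.3M ceiling), and the off-the-chart $99M historical-record case; the grid here has sixteen cells rather than the post's eight because it crosses every parameter, so treat the extra rows as illustration of the method rather than the client's actual scenario set.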
Security Architects Partners’ analysis showed that under one of the optimistic scenarios of breach loss, the recommended 4-year security investment exceeded the optimum level, thus appearing too high. Under a second optimistic scenario the recommended spending level was approximately equal to the optimal number. Under two more relatively optimistic and the four pessimistic assumptions, the recommended security spending of $1.3 million over a four year period proved highly cost-effective in terms of the Gordon-Loeb model.
The business case we constructed is based on well-respected industry numbers and methodologies. It inputs a range of assumptions and is transparent about those assumptions. Our client can see that the measures we recommend, while somewhat of a stretch compared to previous budgets and practices, have a strong basis in data, and we believe that many of them will be implemented.
We can make a particularly strong case for Phase 1: Using a DLP data discovery tool to find many untracked repositories of sensitive data and do a study to determine how excess copies can be removed and historical student records’ SSNs archived to remove the worst case $100,000,000 loss scenario of an off-the-chart 500,000 record breach…
No one can know whether the future for the client will bear out the optimistic assumptions or the pessimistic ones. However, the analysis described above can either support committing to the full course of the DLP Solution Roadmap, or just (initially) addressing Phase 1. In that conclusion, we again see the wisdom of the Gordon-Loeb model. Just as every journey begins with a single step, the initial security investments may be the most important.
This higher education institution client’s business case had one simplifying factor: The client is at the beginning of creating a security program, and its DLP Solution Roadmap encompasses a full set of people, process and technology controls. In other cases, we’ve had to leverage the Factor Analysis of Information Risk (FAIR) methodology to get to grips with analyzing and optimizing different mixes of control alternatives on top of complex existing security frameworks. But that’s another post for another day.