Even though I've been analyzing malware for the past 20 years, I do understand that internet security is not merely a technical problem, but also a business problem. I agree that any company's security expenditures should be seen through the prism of proper risk and return analysis. Security is, in this respect, no different than other investment choices a business must make. But over the years I've always held that most everybody systematically underestimates their risk of losses from cyber threats, skewing their analysis and security choices.
The good news is I believe I'm seeing a new wave of "business thinking" applied to security that might fix this problem, by taking into account a full range of outcomes of security incidents and breaches, instead of only considering the average or median cost of security incidents. If this happens, this could force a reevaluation by a lot of companies of their current approach to security, especially smaller and mid-market companies.
The Long Tail of Security Risk
Quantifying the cost of a specific or typical security incident is reasonably straightforward. There are many surveys and relevant anecdotes to be found, so it's easy to have a common scenario in mind when making decisions on business security. But this path fails to take into account the full range of outcomes, and especially the "long tail" of security risk, which is the part of the risk curve that contains the small probabilities of rarer but really big events, even catastrophic ones. If you cut off the full run of the probability curve and fail to take into account events which may be low probability, but have a significant (or disastrous) impact, you'll underestimate your risks, probably be inadequately protected, and your business may pay a serious price.
More "Business Thinking" On Security Needed
One source of better "business thinking" on security which promises to drive better accounting for the long tail of risk is the rise of "cyber liability" insurance, the conceptual origins of which date to the '90s, but which seems poised to go mainstream as evidenced by offerings from insurers like Lloyds of London and Allianz. I read estimates that the global cyber insurance market will experience a 7x growth spurt and be a $14 billion market in five years.
Whatever you think of the concept, if this happens and cyber insurance matures as a market, and more (and smaller and smaller) companies acquire such insurance (because they choose to or are forced to), there will definitely be a fuller accounting of the probable costs and a reckoning for many with respect to the real business risks of cyber threats.
Better Frameworks and Fuller Analysis
Another reason for optimism for fuller understanding of risk is improved models and analytical frameworks. In a November 2017 paper, Aberdeen analyst Derek Brink explicitly discusses the long tail of security risk and thoroughly incorporates it into his analysis. Brink has been writing about this sort of thing for some time and happens to teach a Harvard course on risk assessments. In the paper he applies a more complete risk methodology to the problem of phishing attacks on companies. Most notably for a paper on a security topic, he doesn't get into how and why phishing attacks work, who they target and why, or even specific anecdotes about companies affected. These are all the things I get into, as a security researcher, but, as he points out, none of these things describe or quantify risk. To properly capture risk, Brink has apparently built a computer model which uses large real-world data sets on successful attacks, and which spits out the probabilities of a full range of outcomes for hundreds of scenarios, with complete phishing risk curves broken out by industry sector.
Brink sets up his analysis by delving into why phishing is succeeding so much more than in the past, citing fundamentally that the median elapsed time for the first user to open a phishing email is less than two minutes, and gives a data-driven discourse on why security today is too slow to stop these emails in flight or detect and block new phishing URLs quickly enough, before they reach users. It follows that 80 percent of eventual phishing victims are hooked in the first hour.
$260,000 Median Loss
But the best part here is the analysis around probability and outcomes. He is then able to put very specific numbers on annualized risk and calculate ROI on incremental anti-phishing investments. His model tells us that the median annual impact of phishing attacks for a business is about $260,000 for a business with 1,000 users and a data breach of 100,000 records. And when it comes to the long tail, to pick a specific point on the curve, his model shows a 10 percent likelihood that phishing attacks will cost a company with that profile more than $10 million, and that an incremental investment in advanced email and web security reduces the potentially catastrophic long tail risk by 9.3x.