Cybercriminals are constantly developing countermeasures to new detection systems such as sandboxing or anti-virus technologies. This dynamic ultimately drives up the amount companies must spend on security technologies to maintain the same level of protection.
According to a heuristic economic model developed by RAND Corporation, a nonprofit institution that helps improve policy and decision-making through research and analysis, the effectiveness of these technologies that face countermeasures falls by 65 percent, thereby increasing the cost of managing a cybersecurity risk by 38% in the same period.
Together with Juniper Networks, RAND unveiled new insights into the economic challenges, trade-offs and demands facing companies as they protect themselves against increasingly complex security threats.
The in-depth report by leading economic and cybersecurity experts at RAND found chief information security officers (CISOs) often face a chaotic and confusing landscape when deciding the most efficient and cost-effective way to manage the risks posed by security to their business.
Most troubling, the research indicates that many companies are spending increasing amounts on cybersecurity tools, but are not confident that these investments are making their infrastructure secure.
Juniper Networks believes this dynamic is due to a lack of solid calculus that considers both the cost of security tools and resources, and the potential cost of a breach, which by definition is neither certain nor predictable.
CISOs need a way to better understand the variables that most influence the cost of managing cybersecurity risk holistically and the different decisions they can make to protect their organizations.
With RAND’s model projecting the cost to businesses in managing cybersecurity risk set to increase 38 percent over the next 10 years, Juniper believes that the time is now for organizations to start managing security spending and risk management as a discrete business function.
IoT is at a Crossroads
According to RAND, IoT will have an impact on overall security costs; however, it’s unclear if it will be positive or negative. If security technologies and management are properly applied to IoT, companies could actually see savings in the long run.
On the other hand, if companies struggle to apply security controls effectively, RAND’s model suggests that the introduction of IoT would increase the losses that companies experience due to cyber-attacks by 30 percent over the course of 10 years.
Investing in the Workforce
Companies can benefit greatly in making people-centric security investments, such as technologies that help automate security management and processes, advanced security training for employees, and hiring additional security staff.
According to the RAND model, organizations with very high levels of security diligence are able to curb the costs of managing security risk by 19 percent in the first year and 28 percent by the tenth year when compared to organizations with very low diligence.
No One-Size-Fits-All
Companies are likely not taking the optimal economic strategy with their investments, which should vary greatly from company to company based on their size, type of information that exists and the diligence of security staff.
Specifically, RAND found small to medium-sized businesses benefit most from basic tools and policies, while large organizations and high-value targets require investments in a full range of policies and tools given the likelihood that they will be targeted by an advanced attack.
Eliminate Software Vulnerabilities
RAND’s model found that one of the most significant security issues that increases the cost to businesses is the number of vulnerabilities in the software and applications being used.
RAND’s model found that if the frequency of software vulnerabilities could be reduced by half, the overall cost of cybersecurity to companies would decrease by 25 percent.
“The security industry has struggled to understand the dynamics that influence the true cost of security risks to business,” says Sherry Ryan, chief information security officer, Juniper Networks. “What’s clear is that in order for organizations to turn the table on attackers, they need to orient their thinking and investments toward managing risks in addition to threats.”