TRANSCRIPT
© 2017 Scott Borg [email protected]
Making the Business Case for Cyber Security
Scott Borg
Director and Chief Economist
U.S. Cyber Consequences Unit
What Senior Management Hears All-Too-Often from Cyber-Security Professionals
• Technical explanations they don’t understand
• Frightening scenarios they don’t entirely believe
• Cyber-security “risk metrics” that are bogus or irrelevant
• Implicit promises the security professionals can’t keep
Putting Relations with Senior Management on a Proper Footing
• Establish reasonable expectations: there will be losses due to cyber attacks
• Make the discussion about how to keep losses from cyber attacks to an acceptable, cost-effective minimum
• Understand that all business success is judged relative to expectations: sales campaigns, product launches, CEOs, stock value
• Recognize that the only purpose of cyber security is to reduce business risk
Things to Understand about the Business
[Diagram labels: Willingness-to-Pay, Opportunity Cost, Outputs to Customers, Inputs from Suppliers]
• What the business does to create value
• Where the business creates the most value (where its competitive advantage lies)
• What specific business activities the various information systems support
• How time-sensitive the specific business activities are
• Where the business could be caused the greatest liabilities or damage
What a Business Loss Actually Means
[Diagram: the value-chain labels from the previous slide (Willingness-to-Pay, Opportunity Cost, Inputs from Suppliers, Outputs to Customers), shown twice]
Understanding Cyber Risk

THREAT: Attackers, Motives, Targets, Capabilities
VULNERABILITIES (attack stages): 1 Find, 2 Penetrate, 3 Co-opt, 4 Conceal, 5 Make Irreversible
CONSEQUENCE: Effects, Substitutes, Duration, Dependencies

Risk = Threat x Consequence x Vulnerability = Annualized Expected Loss

Worksheet (rows 1-4 are left blank on the slide):
Nature of Threatened Cyber Attack | Likelihood of Serious Attempts (%) | Potential Magnitude of Loss ($) | Degree of Vulnerability with a Given Policy (%) | Expected Loss with a Given Policy ($)
1) | % | $ | % | $
2) | % | $ | % | $
3) | % | $ | % | $
4) | % | $ | % | $
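The worksheet above carried through in code, as an added example that is not part of the original slides: each row is Threat x Consequence x Vulnerability, the rows are ranked so the greatest risk is visible, and two policies are compared on reduction in annualized expected loss minus the policy's cost. All figures, policy names and attack descriptions are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatRow:
    """One worksheet row. Percent columns are stored as fractions (0.0-1.0);
    vulnerability is keyed by the policy under review."""
    attack: str
    likelihood: float      # Likelihood of Serious Attempts (Threat)
    magnitude: float       # Potential Magnitude of Loss in $ (Consequence)
    vulnerability: dict    # policy name -> Degree of Vulnerability

    def __post_init__(self):
        # Refuse inputs that cannot feed an expected-loss figure: a rate outside
        # 0..1 or a negative loss is exactly the kind of bogus metric to avoid.
        rates = [self.likelihood, *self.vulnerability.values()]
        if any(not 0.0 <= r <= 1.0 for r in rates) or self.magnitude < 0:
            raise ValueError(f"out-of-range inputs for {self.attack!r}")


def expected_loss(row, policy):
    """Risk = Threat x Consequence x Vulnerability = Annualized Expected Loss ($)."""
    return row.likelihood * row.magnitude * row.vulnerability[policy]


def worksheet(rows, policy):
    """Filled-in worksheet for one policy, highest expected loss first:
    the rows where raising the attacker's cost pays off most."""
    return sorted(((r.attack, expected_loss(r, policy)) for r in rows),
                  key=lambda item: item[1], reverse=True)


def total_expected_loss(rows, policy):
    return sum(expected_loss(r, policy) for r in rows)


def net_benefit(rows, baseline, candidate, annual_cost):
    """Business case for a policy: reduction in annualized expected loss
    minus its annual cost. A negative result means it is not worth buying."""
    saved = total_expected_loss(rows, baseline) - total_expected_loss(rows, candidate)
    return saved - annual_cost


# Constructed figures for illustration; none of these come from the slides.
SAMPLE_ROWS = [
    ThreatRow("Ransomware on order processing", 0.60, 2_000_000, {"current": 0.50, "proposed": 0.10}),
    ThreatRow("Theft of supplier pricing data", 0.30, 5_000_000, {"current": 0.50, "proposed": 0.30}),
    ThreatRow("Defacement of marketing site", 0.90, 50_000, {"current": 0.80, "proposed": 0.20}),
    ThreatRow("Tampering with plant automation", 0.05, 20_000_000, {"current": 0.30, "proposed": 0.05}),
]

if __name__ == "__main__":
    for attack, loss in worksheet(SAMPLE_ROWS, "current"):
        print(f"{attack:<35} ${loss:>12,.0f}")
    print(f"net benefit of proposed policy: ${net_benefit(SAMPLE_ROWS, 'current', 'proposed', 400_000):,.0f}")
```

Note that the proposed policy cuts the ransomware row most, yet the largest residual expected loss remains the supplier-data row, which is the row the ranking points at for the next round of spending.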
Understanding Cyber Defense

THE COMPREHENSIVE VULNERABILITY GRID (cells are blank on the slide)
           | Find | Penetrate | Co-opt | Conceal | Make Irreversible
Hardware   |      |           |        |         |
Software   |      |           |        |         |
Networks   |      |           |        |         |
Automation |      |           |        |         |
Users      |      |           |        |         |
Suppliers  |      |           |        |         |

The Key Defensive Strategy: Increase the cost to attackers of the cyber attacks where the risk is greatest!
For more information, invitations to masterclasses, or permission to use this material, please contact:
Scott Borg
U.S. Cyber Consequences Unit