
Page 1

Making the Business Case for Cyber Security

Scott Borg
Director and Chief Economist
U.S. Cyber Consequences Unit

© 2017 Scott Borg [email protected]

Page 2

What Senior Management Hears All Too Often from Cyber-Security Professionals

• Technical explanations they don’t understand

• Frightening scenarios they don’t entirely believe

• Cyber-security “risk metrics” that are bogus or irrelevant

• Implicit promises the security professionals can’t keep

Page 3

Putting Relations with Senior Management on a Proper Footing

• Establish reasonable expectations: there will be losses due to cyber attacks

• Make the discussion about how to keep losses from cyber attacks to an acceptable, cost-effective minimum

• Understand that all business success is judged relative to expectations: sales campaigns, product launches, CEOs, stock value

• Recognize that the only purpose of cyber security is to reduce business risk

Page 4

Things to Understand about the Business

[Diagram of the business as a value chain; labels: Inputs from Suppliers, Outputs to Customers, Opportunity Cost, Willingness-to-Pay]

• What the business does to create value

• Where the business creates the most value (where its competitive advantage lies)

• What specific business activities the various information systems support

• How time-sensitive the specific business activities are

• Where the business could be caused the greatest liabilities or damage

Page 5

What a Business Loss Actually Means

[Two copies of the value-chain diagram; labels: Inputs from Suppliers, Outputs to Customers, Opportunity Cost, Willingness-to-Pay]

Page 6

Understanding Cyber Risk

THREAT: Attackers, Motives, Targets, Capabilities

VULNERABILITIES (attack stages 1 to 5): Find, Penetrate, Co-opt, Conceal, Make Irreversible

CONSEQUENCE: Effects, Substitutes, Duration, Dependencies

Risk = Threat x Consequence x Vulnerability = Annualized Expected Loss

Nature of Threatened Cyber Attack | Likelihood of Serious Attempts (%) | Potential Magnitude of Loss ($) | Degree of Vulnerability with a Given Policy (%) | Expected Loss with a Given Policy ($)
1) | % | $ | % | $
2) | % | $ | % | $
3) | % | $ | % | $
4) | % | $ | % | $

Page 7

Understanding Cyber Defense

THE COMPREHENSIVE VULNERABILITY GRID

Attack stage | Find | Penetrate | Co-opt | Conceal | Make Irreversible
Hardware | | | | |
Software | | | | |
Networks | | | | |
Automation | | | | |
Users | | | | |
Suppliers | | | | |

The Key Defensive Strategy: Increase the cost to attackers of the cyber attacks where the risk is greatest!
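The risk table of the previous slide and the defensive strategy of this one, worked through in code as an added example that is not part of Borg's slides: each row's Threat x Consequence x Vulnerability product, the annualized sum, the rows ranked to show where the risk is greatest, and a current policy compared with a proposed one by expected loss avoided per dollar of its cost. The threat names, likelihoods, loss magnitudes, vulnerability fractions and policy cost are all constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    """One row of the slide's risk table. vulnerability maps a policy name to
    the fraction of serious attempts expected to succeed under that policy."""
    name: str
    likelihood: float                # likelihood of serious attempts per year (0..1)
    magnitude: float                 # potential magnitude of loss ($)
    vulnerability: dict[str, float]  # degree of vulnerability with a given policy

def expected_loss(threat: Threat, policy: str) -> float:
    # One row: Threat x Consequence x Vulnerability under the given policy
    return threat.likelihood * threat.magnitude * threat.vulnerability[policy]

def annualized_expected_loss(threats: list[Threat], policy: str) -> float:
    # The table's bottom line: the sum of the rows' expected losses
    return sum(expected_loss(t, policy) for t in threats)

def rank_by_risk(threats: list[Threat], policy: str) -> list[str]:
    # Where the risk is greatest under a policy, highest expected loss first;
    # the slides say this is where to raise the attacker's cost
    ordered = sorted(threats, key=lambda t: expected_loss(t, policy), reverse=True)
    return [t.name for t in ordered]

def reduction_per_dollar(threats: list[Threat], baseline: str,
                         proposed: str, annual_cost: float) -> float:
    # Expected loss avoided per dollar of annual policy cost; above 1.0 the
    # proposed policy more than pays for itself in expected-loss terms
    avoided = (annualized_expected_loss(threats, baseline)
               - annualized_expected_loss(threats, proposed))
    return avoided / annual_cost

# Constructed sample rows: hypothetical names and figures, not from the slides
THREATS = [
    Threat("Ransomware on order processing", 0.60, 2_000_000, {"current": 0.50, "proposed": 0.10}),
    Threat("Theft of customer data", 0.30, 4_000_000, {"current": 0.40, "proposed": 0.20}),
    Threat("Supplier portal compromise", 0.20, 1_000_000, {"current": 0.70, "proposed": 0.35}),
    Threat("Defacement of marketing site", 0.80, 50_000, {"current": 0.90, "proposed": 0.30}),
]

if __name__ == "__main__":
    for policy in ("current", "proposed"):
        print(f"{policy:>8}: ${annualized_expected_loss(THREATS, policy):>12,.0f} per year")
    print("greatest risk first:", rank_by_risk(THREATS, "current"))
    print(f"{reduction_per_dollar(THREATS, 'current', 'proposed', 400_000):.2f} avoided per $1 spent")
```

Likelihood and vulnerability are entered as fractions rather than the table's percentages.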

Page 8

For more information, invitations to masterclasses, or permission to use this material, please contact:

Scott Borg
U.S. Cyber Consequences Unit
[email protected]