the cost of cyber [international cost estimating and analysis association - annual conference 2016]
TRANSCRIPT
International Cost Estimating and Analysis Association (ICEAA)
Grand Hyatt I Atlanta, GA I June 8, 2016
Herren Associates, Inc. I 0
The Cost of Cyber
Software and Information Technology Track (SI05)
International Cost Estimating & Analysis Association (ICEAA)
Grand Hyatt | Atlanta, GA
2016 Professional Development and Training Workshop
Ann E. Hawpe | Jeffrey M. Voth
June 8, 2016
FEDSIM – WMATA PHASE II (SYSTEM INTEGRATOR)
Agenda
Introduction ............................................ 2
Discussion on cyber investment .......................... 7
  - Analyze potential loss .............................. 10
  - Assess probability of occurrence .................... 11
  - Allocate resources appropriately .................... 12
Summary ................................................. 13
Addressing the Cyber Kill Chain
Introduction

CYBER ATTACK: a sequential chain of events in order to successfully complete its targeted mission
1. Recon: harvesting email addresses, conference information, etc.
2. Weaponize: coupling an exploit with a backdoor into the deliverable payload
3. Deliver: delivering the weaponized bundle to the victim via email, web, USB, etc.
4. Exploit: exploiting a vulnerability to execute code on a victim's system
5. Install: installing malware on the asset
6. Command: command channel for remote manipulation of the victim's system
7. Act: adversary exfiltrates data
Increasing cost to contain and remediate (arrow running from step 1 to step 7)
Source: Gartner (2014); Authors' Analysis
https://www.gartner.com/doc/2823818/addressing-cyber-kill-chain
Federal Agency Challenges
Introduction

19 of 24 major federal agencies reported deficiencies in information security controls
Inspectors general at 23 of 24 agencies cited information security as a major management challenge
Growing need to address challenges facing federal systems
Source: Government Accountability Office (2015)
http://www.gao.gov/assets/670/669810.pdf
Cybersecurity Priorities for the Public Sector
Introduction

Agencies are implementing new methods to counter threats
Vast majority of public sector agencies have adopted one or more risk-based cybersecurity frameworks, and organizations are collaborating to share intelligence

Cybersecurity priorities for the public sector:
1. 24/7 monitoring of incidents
2. Enhancing cybersecurity with cloud computing
3. Making mobile devices more secure
4. Better ways to manage access
5. Compliance is key
Source: PwC (2016)
http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
Mitigating the Vulnerabilities and Risks
Introduction

Cybersecurity is as important as the next missile, tank, ship, or aircraft
[Figure: three domains shown as Mission Systems, Installations, Transport]
Cybersecurity Threats Continue to Evolve
Introduction

Cybersecurity is as important as the next missile, tank, ship, or aircraft
[Figure: the same three domains, Mission Systems, Installations, Transport]
Economic Justification
Analyze | Assess | Allocate

Measuring the ROI for cybersecurity is challenging
Most organizations have difficulty measuring the effectiveness of cybersecurity investments while capturing the total program cost
Need to compare anticipated benefits and costs over time

Return on Investment = (Benefits - Cost) / Cost

Three-year ROI for $10M investment:

                     C0             t1             t2             t3
Initial investment   $10,000,000
Annual benefit                      $20,000,000    $20,000,000    $20,000,000
Annual cost                         -15,000,000    -15,000,000    -15,000,000
Net cash flow        -10,000,000      5,000,000      5,000,000      5,000,000
ROI                  $5,000,000
Economic Justification
Analyze | Assess | Allocate

Discount investments and costs over time to today's value
Net Present Value = PV (Benefits) – PV (Costs)
Standard criteria for justifying investments on economic principles:
- Invest if the NPV > 0

Three-year NPV for $10M investment, assuming a 10% discount rate:

                     C0             t1                      t2                      t3
Initial investment   $10,000,000
Annual benefit                      $20,000,000             $20,000,000             $20,000,000
Annual cost                         -15,000,000             -15,000,000             -15,000,000
Net cash flow        -10,000,000      5,000,000               5,000,000               5,000,000
NPV (discounted)     -10,000,000    5,000,000 / (1.10)^1    5,000,000 / (1.10)^2    5,000,000 / (1.10)^3
NPV (discounted)     -10,000,000      4,545,455               4,132,231               3,765,574
NPV                  - $2,443,260

Assuming a 10% discount rate, the project has a negative NPV
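As an added worked example (this code is not from the slides), the ROI and NPV formulas above applied to the slide's three-year, $10M cash-flow table. The cash flows and the 10% discount rate are the slide's figures; the function names are this example's own.

```python
"""Added example (not from the ICEAA slides): ROI and NPV for the three-year,
$10M cash-flow table on the Economic Justification slides.

Figures are the slide's own: initial investment 10,000,000 at C0, then
benefit 20,000,000 and cost 15,000,000 in each of years t1..t3, discounted
at the slide's assumed 10% rate. Function names are this example's own.
"""
from typing import List, Sequence

RATE = 0.10  # slide's assumed discount rate


def net_benefit(benefits: float, cost: float) -> float:
    """Benefits - Cost in dollars (the slide's 'ROI' line is this figure)."""
    return benefits - cost


def roi(benefits: float, cost: float) -> float:
    """Return on Investment = (Benefits - Cost) / Cost, as a ratio."""
    if cost == 0:
        raise ValueError("cost must be non-zero")
    return net_benefit(benefits, cost) / cost


def discount_factor(rate: float, period: int) -> float:
    """1 / (1 + rate)^period: today's value of $1 received 'period' years out."""
    return 1.0 / (1.0 + rate) ** period


def present_value(amount: float, rate: float, period: int) -> float:
    """Discount one cash flow occurring at the end of 'period' back to C0."""
    return amount * discount_factor(rate, period)


def npv(cash_flows: Sequence[float], rate: float) -> float:
    """Net Present Value = PV(benefits) - PV(costs).

    cash_flows[0] is the undiscounted flow at C0 (the initial investment,
    negative); cash_flows[t] is the net flow at the end of year t.
    """
    return sum(present_value(cf, rate, t) for t, cf in enumerate(cash_flows))


def slide_cash_flows() -> List[float]:
    """Net cash flow row of the slide's table, built from its figures."""
    initial_investment = 10_000_000
    annual_benefit = 20_000_000
    annual_cost = 15_000_000
    years = 3
    return [-initial_investment] + [annual_benefit - annual_cost] * years


def decision(npv_value: float) -> str:
    """The slide's criterion: invest if the NPV > 0."""
    return "invest" if npv_value > 0 else "do not invest"


if __name__ == "__main__":
    flows = slide_cash_flows()
    # Undiscounted totals over the three years, for the ROI line
    total_benefit = 3 * 20_000_000
    total_cost = 10_000_000 + 3 * 15_000_000
    print(f"Net benefit = {net_benefit(total_benefit, total_cost):,.0f}")
    print(f"ROI         = {roi(total_benefit, total_cost):.1%}")
    for t, cf in enumerate(flows):
        print(f"t{t}: {cf:>13,.0f}  ->  PV {present_value(cf, RATE, t):>13,.0f}")
    value = npv(flows, RATE)
    print(f"NPV         = {value:,.0f}  ({decision(value)})")
```

npv() returns PV(benefits) − PV(costs) exactly as the slide defines it, so its sign is what the invest-if-NPV > 0 rule tests. When reconciling against a hand-built table like the one above, check that the final line is subtracted in the same order and that the year-3 factor is 1.10^3 = 1.331; a transposed digit or a reversed subtraction flips the decision.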
Economic Justification
Analyze | Assess | Allocate

How much should be invested in cybersecurity activities?
Agencies have a finite amount of resources; answering this question involves a resource allocation decision. Finding the optimal level of investment is key.

Brief review of the Gordon-Loeb Model in a practical setting
1. Analyze potential loss
2. Assess probability of occurrence
3. Allocate resources appropriately
[Figure: benefits (vertical axis) versus investment (horizontal axis)]
Source: Investing in Cybersecurity: Insights from the Gordon-Loeb Model
http://www.scirp.org/journal/PaperInformation.aspx?paperID=64892
Economic Justification: Analyze Potential Loss
Analyze

Estimate the loss from a security breach for each set of information. Conversely, that loss becomes the value of the information (categorized as high, medium, low)

Value of Information Sets (in $M):
  Low      $10
  Medium   $50
  High     $90
Source: Investing in Cybersecurity: Insights from the Gordon-Loeb Model
http://www.scirp.org/journal/PaperInformation.aspx?paperID=64892
Economic Justification: Assess Probability of Occurrence
Assess

Estimate the likelihood that an information set will be breached by examining its vulnerability/threat to attack (categorized as high, medium, low)

Vulnerability/Threat (probability of breach):
  High     0.9
  Medium   0.5
  Low      0.1
Source: Investing in Cybersecurity: Insights from the Gordon-Loeb Model
http://www.scirp.org/journal/PaperInformation.aspx?paperID=64892
Economic Justification: Allocate Resources Appropriately
Allocate

Create a grid with all possible combinations of the first two steps representing the expected loss of a cybersecurity breach

Expected loss (in $M) = Vulnerability/Threat x Value of Information Set

Vulnerability/Threat     Value of Information Sets (in $M)
                           $10      $50      $90
High   (0.9)                 9       45       81
Medium (0.5)                 5       25       45
Low    (0.1)                 1        5        9
Source: Investing in Cybersecurity: Insights from the Gordon-Loeb Model
http://www.scirp.org/journal/PaperInformation.aspx?paperID=64892
Economic Justification: Allocate Resources Appropriately
Allocate

Consider cost-benefit aspects of investing additional funds on each information set
"How much will we save through the reduction of expected loss, by investing another $1M in cybersecurity activities?"

Security breach probability functions:
  Low Productivity:     s(z, v) = v / (1 + z)      for Low Vulnerability/Threat
  Medium Productivity:  s(z, v) = v / (1 + z)^2    for Medium Vulnerability/Threat
  High Productivity:    s(z, v) = v / (1 + z)^3    for High Vulnerability/Threat
where
  s(z, v) = security breach probability function
  v = vulnerability
  z = investment in cybersecurity
Source: Investing in Cybersecurity: Insights from the Gordon-Loeb Model
http://www.scirp.org/journal/PaperInformation.aspx?paperID=64892
Economic Justification: Allocate Resources Appropriately
Allocate

Values >1 indicate the information sets where it may remain beneficial to make the next $1M investment
[Four grids, one each for z = 1, z = 2, z = 3 and z = 4; cell values not recoverable from the extraction]
Source: Investing in Cybersecurity: Insights from the Gordon-Loeb Model
http://www.scirp.org/journal/PaperInformation.aspx?paperID=64892
Economic Justification: Investment Amounts
Allocate

Focus investment in cyber activities where it will deliver the largest net benefits

Vulnerability/Threat     Value of Information Sets (in $M)
                           $10      $50      $90
High   (0.9)              <$2M     <$3M     <$4M
Medium (0.5)              <$2M     <$4M     >$4M
Low    (0.1)              <$1M     <$2M     <$3M
Source: Investing in Cybersecurity: Insights from the Gordon-Loeb Model
http://www.scirp.org/journal/PaperInformation.aspx?paperID=64892
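The three Allocate steps above (the expected-loss grid, the s(z, v) productivity functions, the "next $1M" test and the resulting investment-amount grid) as one worked example. This is added code, not from the slides or the Gordon-Loeb paper. It takes from the slides the information-set values ($10M/$50M/$90M), the breach probabilities (0.9/0.5/0.1), the pairing of the exponent k = 1, 2, 3 with Low/Medium/High vulnerability, the $1M investment step and the z = 1..4 range; the decision rule (keep adding $1M while the reduction in expected loss it buys exceeds $1M) and all function names are this example's own reading of the slides. investment_grid() can be compared cell by cell with the investment-amount grid above.

```python
"""Added example (not from the ICEAA slides or the Gordon-Loeb paper): the
Analyze / Assess / Allocate steps run over the slides' own figures.

Taken from the slides: information-set values (in $M) 10 / 50 / 90, breach
probabilities 0.9 / 0.5 / 0.1, the security breach probability function
s(z, v) = v / (1 + z)^k with k = 1, 2, 3 for Low / Medium / High
vulnerability (the low / medium / high "productivity" forms), investment z
in $M steps of 1, and the tabulated range z = 1..4.  The decision rule used
here (another $1M is worthwhile while it cuts expected loss by more than $1M)
and all names are this example's own reading of the slides.
"""
from typing import Dict, Tuple

VALUES_M: Dict[str, float] = {"$10": 10.0, "$50": 50.0, "$90": 90.0}
VULNERABILITY: Dict[str, float] = {"High": 0.9, "Medium": 0.5, "Low": 0.1}
# exponent k of the productivity form paired with each vulnerability level
PRODUCTIVITY_K: Dict[str, int] = {"High": 3, "Medium": 2, "Low": 1}


def expected_loss(v: float, value_m: float) -> float:
    """Step 3 grid cell: expected loss ($M) = breach probability x value."""
    return v * value_m


def expected_loss_grid() -> Dict[Tuple[str, str], float]:
    """Every combination of steps 1 and 2 (the slides' 3x3 expected-loss grid)."""
    return {(vk, nk): expected_loss(v, n)
            for vk, v in VULNERABILITY.items()
            for nk, n in VALUES_M.items()}


def breach_probability(z: float, v: float, k: int) -> float:
    """s(z, v) = v / (1 + z)^k: breach probability after investing z ($M)."""
    if z < 0 or not 0.0 <= v <= 1.0:
        raise ValueError("z must be >= 0 and v must be a probability")
    return v / (1.0 + z) ** k


def marginal_saving(z: int, v: float, k: int, value_m: float) -> float:
    """Reduction in expected loss ($M) bought by the z-th $1M (going z-1 -> z).

    This is the slides' question "how much will we save ... by investing
    another $1M?"; a result > 1 means that million pays for itself.
    """
    return value_m * (breach_probability(z - 1, v, k) - breach_probability(z, v, k))


def recommended_investment(v: float, k: int, value_m: float, cap_m: int = 4) -> int:
    """Largest whole-$M investment whose last $1M still saves more than $1M.

    cap_m mirrors the slides, which only tabulate z = 1 .. 4.
    """
    z = 0
    while z < cap_m and marginal_saving(z + 1, v, k, value_m) > 1.0:
        z += 1
    return z


def investment_label(z: int, cap_m: int = 4) -> str:
    """Slide-style label: '<$2M' once the second million no longer pays,
    '>$4M' when the tabulated range was exhausted."""
    return f">${cap_m}M" if z >= cap_m else f"<${z + 1}M"


def investment_grid(cap_m: int = 4) -> Dict[Tuple[str, str], str]:
    """Step 3 output: how far to fund each information set."""
    return {(vk, nk): investment_label(
                recommended_investment(v, PRODUCTIVITY_K[vk], n, cap_m), cap_m)
            for vk, v in VULNERABILITY.items()
            for nk, n in VALUES_M.items()}


def spend_cap(v: float, value_m: float) -> float:
    """Summary rule of thumb: spend no more than 1/3 of expected loss."""
    return expected_loss(v, value_m) / 3.0


if __name__ == "__main__":
    losses, spend = expected_loss_grid(), investment_grid()
    print(f"{'Vuln/Threat':<12}" + "".join(f"{c:>16}" for c in VALUES_M))
    for vk in VULNERABILITY:
        cells = "".join(f"{losses[(vk, nk)]:>8.0f} {spend[(vk, nk)]:>7}" for nk in VALUES_M)
        print(f"{vk:<12}{cells}")
```

The same machinery gives the summary's rule of thumb: spend_cap() returns one third of a cell's expected loss, $27M for the High/$90M cell, an upper bound the $1M-step search stays well under. Note that the Medium/$90M cell funds further than the High/$90M cell: with the high-productivity exponent the first few million remove most of the breach probability, so the next million buys less, which is the slides' point that optimal spend does not always rise with vulnerability.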
Summary

Not all investments in cybersecurity are equal
- There should be an upper limit on cybersecurity spending
- Spend should not exceed roughly 1/3 of total expected losses from cybersecurity breaches
- Optimal amount of spending to protect information does not always increase with increases in information set vulnerability
[Figure: benefits (vertical axis) versus investment (horizontal axis)]
Source: Investing in Cybersecurity: Insights from the Gordon-Loeb Model
http://www.scirp.org/journal/PaperInformation.aspx?paperID=64892
Comments/Questions
Summary

Source: Investing in Cybersecurity: Insights from the Gordon-Loeb Model
http://www.scirp.org/journal/PaperInformation.aspx?paperID=64892

Stay Connected: linkedin.com/company/herren-associates-inc-

Authors
Ann E. Hawpe | Senior Associate | Office: (202) 609-7252 | [email protected]
Jeffrey M. Voth | President | Office: (202) 609-8441 | [email protected]

About Herren
Founded in 1989, Herren Associates is an engineering and management consulting firm with a proven record of maximizing the value of every taxpayer dollar. As trusted advisors to federal executives, we partner with clients to drive operational improvements and manage performance, maximizing efficiency and cost effectiveness.