Cybersecurity Risk: A Technology Problem Requiring an Economic Solution

By Lawrence A. Gordon, EY Professor of Managerial Accounting and Information Assurance

Republished with permission from Dataquest Magazine

Cybersecurity refers to the protection of information that is transmitted via any computer network, including the internet. The risk of harmful cybersecurity failures due to cyber-attacks is what most refer to as cybersecurity risk (or simply cyber risk). Unfortunately, the number of successful cyber-attacks on organizations is increasing at an alarming rate. Phishing, social engineering, denial-of-service, and ransomware are among the many cyber threats confronting organizations in today’s interconnected digital world. As a result, cybersecurity risk is a critical problem confronting senior executives and boards of directors in large publicly traded corporations, as well as in small and medium size firms.

Technology Alone Doesn’t Have the Bite

Cyber risk is also a major concern to senior administrators in government agencies and departments. The increasing number and magnitude of successful cyber-attacks has also resulted in cybersecurity risk becoming a national priority among politicians throughout the world. In the U.S., for example, the last four Presidents have argued that the economic and national security of the country is dependent on a secure cyberspace. As pointed out by President Biden during Cybersecurity Awareness month in 2021, “Cyber threats can affect every American, every business regardless of size, and every community.” Of course, the same is true for all countries throughout the world.

Discussions by computer scientists and computer engineers concerning ways to manage cybersecurity risk usually focus on considering various technology-related defenses that an organization can put in place to mitigate cyber risk. These defenses include, but are not limited to, such items as encryption of data, intrusion prevention and detection systems, access controls, firewalls, antimalware software, network security, multi factor authentication, and end-point security. However, achieving 100% cybersecurity is not a realistic goal from either a technical perspective or an economic perspective. In fact, some level of cyber risk will always be present.

The Missing Tooth—Economics

Cyber breach recovery plans and cybersecurity training programs for employees are also topics that are commonly covered in initial discussions concerning cyber risk management by computer scientists and computer engineers. The role that economics plays in an organization’s strategy for managing its cybersecurity risk is frequently considered only as an afterthought. Such an approach is fundamentally flawed! Organizations need to consider economic issues during their initial discussions concerning technology-based approaches toward managing cyber risk. Indeed, when we look at the subject with the reasoning explained ahead, we can easily surmise that the cybersecurity risk quagmire ultimately requires an economic solution.

Opportunity Cost—The Cavities That Annoy Here

Organizations do not have infinite resources. In fact, a fundamental principle of economics is the concept of allocating scarce resources to competing activities. A corollary to this principle is that the allocation of scarce resources to an activity should consider the notion of opportunity cost, where opportunity cost refers to the foregone benefits from allocating resources to the next best alternative. The combination of the above basic economic principle and its corollary means that decisions regarding the appropriate way to manage cybersecurity risk requires organizations to address the following fundamental question: How much should our organization spend on activities directed at mitigating cybersecurity risk? It’s not that simple. But it’s not that complicated too. Answering the above question necessitates a comparison of the expected costs of cybersecurity related activities to the expected benefits derived from such activities. In other words, organizations need to compare the costs associated with spending on cybersecurity-related activities that reduce cyber risk to the resulting benefits derived from such expenditures. The basic economic principle (let’s go back to some staple economics terms) that needs to be followed is that the marginal costs associated with reducing cyber risk should not exceed the resulting marginal benefits.

Ultimately—Cut Your Teeth Deep Into It

There is no silver bullet for deriving the amount an organization should spend on cybersecurity related activities to mitigate its cyber risk. The above notwithstanding, organizations need a rational economic framework for making decisions concerning the amount to be spent on mitigating cyber risk. The Gordon-Loeb Model (GL Model) provides such an economic framework. (The Gordon-Loeb Model was originally published in the article by L. A. Gordon and Martin P. Loeb, in ACM Transactions on Information and System Security (2002), entitled “The Economics of Information Security Investments.”) Grounded in mathematics, the model is easy to use and makes only a few basic, and realistic, assumptions. The first assumption of the GL Model is that there is a positive probability (p) somewhere between zero and one (i.e., 0<p<1) that a firm will be the victim of a successful cyber-attack. Thus, the model assumes that achieving 100% cybersecurity is not possible.

The second assumption of the GL Model is that firms can reduce the expected probability of becoming a victim of a successful cyber-attack by investing more resources into cybersecurity-related activities. Consequently, the benefits from investing in cybersecurity activities are derived primarily from the cost savings resulting from a lower expected loss, where the expected loss is equal to the probability of being a victim of a successful cyberattack multiplied by the value of the information being protected. The third basic assumption of the GL Model is that the benefits derived from investing more into cybersecurity will increase at a decreasing rate. This latter assumption is based on the core economic principle that there are diminishing marginal returns to investments, including investments in cybersecurity-related activities.

The objective of the GL Model is to find the point where the marginal benefits from a firm’s additional cybersecurity investments are equal to the marginal costs associated with such investments. At that point, the firm is investing the optimal amount in cybersecurity-related activities. The GL Model provides a framework that helps organizations find an economically sound level of investments in cybersecurity activities that considers both the costs and benefits of those activities, explicitly taking into consideration the cyber risk confronting organizations. The framework underlying the GL Model requires an estimate of three key components. These components are: (1) the value of the firm’s information set that is being protected, (2) the initial probability (i.e., risk) that the firm is vulnerable to a successful cyber-attack, and (3) the way additional investments in cybersecurity will reduce the risk of a successful cybersecurity attack. The value of the information set being protected represents the potential maximum loss resulting from a cyberattack, whereas the probability of a successful attack is derived from the combination of the information set’s vulnerability and threat regarding an attack.

Ivory Towers That Can Bite Back

The way additional cybersecurity investments reduce the risk of a successful attack is what Gordon and Loeb call the security breach function. In essence, the security breach function describes how additional investments in cybersecurity reduce the ex-ante probability that a firm will be the victim of a successful future cyber-attack. By reducing the probability that a firm will be the victim of a successful cyber-attack, the firm is reducing its cybersecurity risk. If a firm were to segment its information into subsets of information, a practice that is strongly recommended, estimates of the above three items would be required for each information segment.

Deriving the desired estimates of the above three components of the GL Model is as much an art as it is a science. However, once the estimates of the three key components underlying the GL Model’s framework are determined, the next step is to multiply the value of the firm’s information set by the initial probability that the firm will be the victim of a successful cyber-attack. This step results in the expected loss due to a successful cyberattack on the firm’s information set and is what many organizations consider to be the monetary value of their cybersecurity risk. The expected loss from a successful cyber-attack also represents the maximum potential cost savings (i.e., benefits) that can be derived from strong cybersecurity.

The next step in applying the GL Model is to derive the level of spending on cybersecurity-related activities. This step requires deriving the level where the marginal benefits derived from cybersecurity related activities is equal to the marginal costs of the spending to protect the information set. This last step involves considering the way investments in cybersecurity will reduce the risk of a successful cyber-attack.

In the final analysis, the GL Model is best viewed as a complement to, not as a substitute for, sound business judgement regarding decisions concerning the right amount to invest in cybersecurity-related activities. Although not a panacea, use of the model can go a long way toward improving an organization’s ability to manage its cybersecurity risk.

Just think of what bleeds more when an attack happens- technology or business! The answer makes it immediately clear that technology alone cannot bite the bullet on its own. It would need economics — molars will be empowered with incisors. Alone, they may wobble. Together, they work wonders! And create that perfect smile!