A business case for cybersecurity spending

University of Maryland professors show how to conduct a security cost/benefit analysis

NIST Special Publication 800-65: Integrating IT Security into the Capital Planning...

How much should the government spend on cybersecurity? Two University of Maryland professors of accounting and information assurance know how to answer that question.

In their new book, “Managing Cybersecurity Resources: A Cost-Benefit Analysis” (McGraw-Hill, 2006), Lawrence Gordon, professor of managerial accounting and information assurance at the University of Maryland’s Robert H. Smith School of Business, and Martin Loeb, professor of accounting and information assurance, describe a rigorous process that government officials can use to make a business case for cybersecurity spending. Although specialized knowledge is necessary for putting numbers into the mathematical models that Gordon and Loeb have developed, they say such expertise is not necessary for managing finite cybersecurity resources.

Some critics accuse the authors of using voodoo economics. The critics argue that managers cannot make a business case for investments in information security in the same way they might for a new building or a new product. “And my answer is that’s not true,” Gordon said. “The numbers are much more difficult to come up with, but the process is the same.”

A cost/benefit analysis based on assumptions about the future is never going to be perfect, Gordon said. Agencies must adjust their assumptions after conducting information security audits.

“You try to come up with a rational judgment about how much to spend,” he said. “But in the end, they are only quantitative numbers that are based on a lot of guesswork. Everyone in his own organization has to figure out how to adjust them.”

-- Florence Olsen

Managing cybersecurity resources

The starting point in making the business case for cybersecurity investments is to clearly specify the objectives (or goals) of such activities. In general terms, the objective is to minimize security intrusions subject to cost constraints. However, organizations must recognize from the start that some cybersecurity breaches will occur. That is, 100 percent cybersecurity — zero security breaches — is essentially neither technically feasible nor economically rational. Of course, it is important to specify the general cybersecurity objective in more specific and operational terms. This means that cybersecurity managers need to specify the maximum likelihood of breaches that is deemed acceptable for the different classes of breaches. A derivative goal is to continually focus on reducing the maximum acceptable likelihood of breaches over time.

By approaching the cybersecurity objectives in this manner, it is possible to establish benchmarks for the maximum acceptable loss for each class of potential breach — such as breaches related to information confidentiality, integrity or availability. These benchmarks can then be compared to expected losses from cybersecurity breaches without additional security expenditures. The difference between the benchmarks and the expected cybersecurity losses without additional security expenditures represents the targeted benefits — cost savings — required from additional spending on security. In essence, these targeted benefits represent the minimum objectives of additional cybersecurity expenditures.

Identify alternatives
Once the objectives related to cybersecurity have been clearly specified, the next step is to identify different ways to achieve those objectives. In other words, this step requires a delineation of the various options available for achieving the cybersecurity objectives specified in the first step. Firewalls, access controls, intrusion-detection systems and appropriate information security personnel are just a few of the alternative means of reducing the likelihood of computer system breaches that need to be considered. For example, how many and what types of firewalls are available?

In addition, consideration should be given to the different combinations of firewalls, access control mechanisms, and/or information security personnel. The trade-off between outsourcing various parts of the organization’s cybersecurity activities or keeping them in-house also needs to be identified at this step of making the business case.

Once the various alternatives have been identified, the next step is to gather the data required to conduct a cost/benefit analysis for each alternative. This step is primarily concerned with delineating the estimates of the various costs and benefits — cost savings — associated with each alternative identified. The costs of the cybersecurity for each alternative should be based on the various combinations of cybersecurity activities — including computer networks, firewalls, access control mechanisms, intrusion-detection systems, and/or information security personnel. The benefits of each alternative could be estimated by completing a spreadsheet derived from the Cybersecurity Cost Grid. [The grid’s coordinates are data confidentiality, data availability and data integrity on one axis and direct and indirect costs on the other.] Of course, since the benefits are derived from potential cost savings, the type of cybersecurity employed will directly affect the estimate of such benefits. Thus, the cost grid would need to be completed for different combinations of cybersecurity activities.

Cost/benefit analysis
Once the various alternatives and related data have been clearly identified and gathered, the next step is to conduct the actual cost/benefit analysis and rank-order the various options based on the results of the analysis. This analysis and rank ordering can initially be done in terms of financial concerns. For example, the net present value (NPV) of the various options could be computed and the ranking could be done in terms of the NPV — highest to lowest net benefits, for example — for each alternative.

The nonfinancial information gathered should be used to modify, where appropriate, the purely financial rankings. One way to consider the nonfinancial aspects would be to assign a subjective relative weight to the financial results. For example, a scale of 1 to 7 — with 7 being the highest — could be applied to the various alternatives and multiplied by the financial results.

This step should culminate with a rank ordering of funding priorities and requests for organizational resources related to cybersecurity activities. Since cybersecurity managers are competing for scarce organizational resources, it is unrealistic to expect all cybersecurity activities with a positive NPV to be funded. Thus, a useful approach would be to attach some overall qualitative measure of security to different levels of funding. For example, at the $4 million request level, the firm’s cybersecurity might be judged to be excellent — which is not equivalent to 100 percent security — but at the $3.5 million and $3 million levels, the security level might be assessed to be very good and good, respectively. By assigning different qualitative adjectives to different overall levels of funding, the cybersecurity manager is alerting senior management to the danger of funding below the requested level. For example, funding below $3 million may be deemed unacceptable in terms of meeting the cybersecurity objectives specified in the first step.

The 2014 Federal 100

FCW is very pleased to profile the women and men who make up this year's Fed 100. 

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above