A business case for cybersecurity spending

University of Maryland professors show how to conduct a security cost/benefit analysis.

How much should the government spend on cybersecurity? Two University of Maryland professors of accounting and information assurance know how to answer that question.

In their new book, “Managing Cybersecurity Resources: A Cost-Benefit Analysis” (McGraw-Hill, 2006), Lawrence Gordon, professor of managerial accounting and information assurance at the University of Maryland’s Robert H. Smith School of Business, and Martin Loeb, professor of accounting and information assurance, describe a rigorous process that government officials can use to make a business case for cybersecurity spending. Although specialized knowledge is necessary for putting numbers into the mathematical models that Gordon and Loeb have developed, they say such expertise is not necessary for managing finite cybersecurity resources.

Some critics accuse the authors of using voodoo economics. The critics argue that managers cannot make a business case for investments in information security in the same way they might for a new building or a new product. “And my answer is that’s not true,” Gordon said. “The numbers are much more difficult to come up with, but the process is the same.”

A cost/benefit analysis based on assumptions about the future is never going to be perfect, Gordon said. Agencies must adjust their assumptions after conducting information security audits.

“You try to come up with a rational judgment about how much to spend,” he said. “But in the end, they are only quantitative numbers that are based on a lot of guesswork. Everyone in his own organization has to figure out how to adjust them.”

-- Florence Olsen

Managing cybersecurity resources

The starting point in making the business case for cybersecurity investments is to clearly specify the objectives (or goals) of such activities. In general terms, the objective is to minimize security intrusions subject to cost constraints. However, organizations must recognize from the start that some cybersecurity breaches will occur. That is, 100 percent cybersecurity — zero security breaches — is essentially neither technically feasible nor economically rational. Of course, it is important to specify the general cybersecurity objective in more specific and operational terms. This means that cybersecurity managers need to specify the maximum likelihood of breaches that is deemed acceptable for the different classes of breaches. A derivative goal is to continually focus on reducing the maximum acceptable likelihood of breaches over time.

By approaching the cybersecurity objectives in this manner, it is possible to establish benchmarks for the maximum acceptable loss for each class of potential breach — such as breaches related to information confidentiality, integrity or availability. These benchmarks can then be compared to expected losses from cybersecurity breaches without additional security expenditures. The difference between the benchmarks and the expected cybersecurity losses without additional security expenditures represents the targeted benefits — cost savings — required from additional spending on security. In essence, these targeted benefits represent the minimum objectives of additional cybersecurity expenditures.

Identify alternatives
Once the objectives related to cybersecurity have been clearly specified, the next step is to identify different ways to achieve those objectives. In other words, this step requires a delineation of the various options available for achieving the cybersecurity objectives specified in the first step. Firewalls, access controls, intrusion-detection systems and appropriate information security personnel are just a few of the alternative means of reducing the likelihood of computer system breaches that need to be considered. For example, how many and what types of firewalls are available?

In addition, consideration should be given to the different combinations of firewalls, access control mechanisms, and/or information security personnel. The trade-off between outsourcing various parts of the organization’s cybersecurity activities or keeping them in-house also needs to be identified at this step of making the business case.

Once the various alternatives have been identified, the next step is to gather the data required to conduct a cost/benefit analysis for each alternative. This step is primarily concerned with delineating the estimates of the various costs and benefits — cost savings — associated with each alternative identified. The cost of each alternative should be based on the particular combination of cybersecurity activities it involves — including computer networks, firewalls, access control mechanisms, intrusion-detection systems, and/or information security personnel. The benefits of each alternative could be estimated by completing a spreadsheet derived from the Cybersecurity Cost Grid. [The grid’s coordinates are data confidentiality, data availability and data integrity on one axis and direct and indirect costs on the other.] Of course, since the benefits are derived from potential cost savings, the type of cybersecurity employed will directly affect the estimate of such benefits. Thus, the cost grid would need to be completed separately for each combination of cybersecurity activities under consideration.

Cost/benefit analysis
Once the various alternatives and related data have been clearly identified and gathered, the next step is to conduct the actual cost/benefit analysis and rank-order the various options based on the results of the analysis. This analysis and rank ordering can initially be done in terms of financial concerns. For example, the net present value (NPV) of the various options could be computed and the ranking could be done in terms of the NPV — highest to lowest net benefits, for example — for each alternative.

The nonfinancial information gathered should be used to modify, where appropriate, the purely financial rankings. One way to consider the nonfinancial aspects would be to assign a subjective relative weight to the financial results. For example, a scale of 1 to 7 — with 7 being the highest — could be applied to the various alternatives and multiplied by the financial results.

This step should culminate with a rank ordering of funding priorities and requests for organizational resources related to cybersecurity activities. Since cybersecurity managers are competing for scarce organizational resources, it is unrealistic to expect all cybersecurity activities with a positive NPV to be funded. Thus, a useful approach would be to attach some overall qualitative measure of security to different levels of funding. For example, at the $4 million request level, the firm’s cybersecurity might be judged to be excellent — which is not equivalent to 100 percent security — but at the $3.5 million and $3 million levels, the security level might be assessed to be very good and good, respectively. By assigning different qualitative adjectives to different overall levels of funding, the cybersecurity manager is alerting senior management to the danger of funding below the requested level. For example, funding below $3 million may be deemed unacceptable in terms of meeting the cybersecurity objectives specified in the first step.