A discussion of The Law of Diminishing Returns and Cybersecurity Investment.

The Cybersecurity Price Quandary

A reasonably good anti-virus product with a bundled firewall can be acquired for less than a dollar per month. Some companies pay ten to a hundred times that for an advanced endpoint detection product or a managed detection service. Larger companies frequently spend hundreds of thousands of dollars – sometimes millions – to create a security operations center (SOC).
Why is there such a huge disparity in cost when none of these, on its own, protects a company against every threat?

A Lesson from Natural Disasters

The same considerations apply when taking precautions against natural disasters: countermeasures work only against specific threats.
When a hurricane is bearing down on a coastal town, boarding up the windows might be an effective measure against a normal seasonal storm, but it will have a limited effect against a Category 5 hurricane. Similarly, you’d invest more in earthquake-proofing a building if it were built on the San Andreas Fault than if it were built on the flat, fault-free Canadian prairies.
The same goes for cybersecurity: it’s important to develop a risk management framework that’s reflective of the level of cyber protection your business needs.

3 Steps to Cyber Risk Management

There are numerous frameworks for cyber risk management, and they all boil down to the following 3 steps:
  1. Evaluate remaining risk
  2. Check remaining risk against the risk tolerance of the organization
  3. If within the tolerance level, accept the risk. If outside the tolerance level, apply a countermeasure and re-evaluate the risk, or transfer the risk to a third party (e.g. buy insurance)

Evaluating Risk

To evaluate remaining risk, calculate the expected value (EV) of possible threat scenarios. Risk is generally expressed as:
> Risk = Probability × Impact
You’d use the same equation to calculate the expected value of a lottery ticket or a casino bet. However, if the roulette wheel lands on “SQL injection exploit in your web applications”, you lose big instead of winning a lot of money.

Enterprise Risk Tolerance

Based on the business’s tolerance for risk, there will be a threshold below which risk is acceptable and a threshold above which risk is unacceptable.
For example, a bank may extend a mortgage to someone with a sizeable amount of money in the bank and a stable income without batting an eye. However, the bank will not lend the same money to an itinerant person dependent on aluminum returns for their income.
In both cases, neither person is zero-risk: either customer could default on their loan. For the first person, the risk sits within an acceptable threshold. For the second person, the risk sits outside the acceptable threshold. These risk thresholds are usually represented through a grid, as seen in Figure 1.
Figure 1. Risk Matrix - Typical Depiction
Events that happen very rarely (low probability) and cause little financial or operational harm (low impact) are considered acceptable. Events that happen frequently (high probability) and threaten the survival of the company (high impact) are unacceptable risks, as represented by the color coding on the chart. Situations in the middle get a bit murkier and usually vary based on the culture of the company. Taking on more risk typically comes with more reward.

Applying a Countermeasure

By applying a countermeasure, risk previously deemed too high can be reduced.
Consider the scenario where your business relies on a web service that is affected by a new vulnerability. An unauthenticated remote code execution vulnerability was made public in hacker circles and is currently being exploited in the wild. Because your web services are exposed, you have a fairly high chance of suffering an attack: now that the vulnerability is public, anyone could abuse it.
Triggering the vulnerability would allow an attacker to take control of your server and access all of your client data. This breach could destroy your business. However, the vendor came out with a patch that fixes the hole and changes the web service architecture: the vulnerable section of code no longer runs with high privileges. If you apply the new patch, hackers will no longer be able to gain control of your machine unless they develop a 0-day attack, which is much less likely. Even if someone manages to trigger a similar vulnerability, the impact will be less severe because of the reduced privileges. This change in risk is illustrated in Figure 2.

Figure 2. Risk Countermeasure Matrix

In this example, we can see that the residual risk (the risk that persists after the countermeasure has been applied) is now within the acceptable zone.
Unfortunately, the type of one-stop solution described above is rarely available, so we use layered countermeasures.

Relying on Layered Countermeasures

Figure 3 returns to the web server example and shows the application of successive mitigations. In this instance, the first fix deploys a web application firewall (WAF) in an attempt to prevent an attacker from triggering the vulnerability. That lowers the probability, but the risk is still unacceptable. In response, the server is moved to a sandbox or chroot jail to limit the impact if the vulnerability is triggered anyway.
Figure 3. Repeat Effect Matrix
We’ll touch on this concept of “defense-in-depth” in future installments of this blog.

The Law of Diminishing Returns and Cybersecurity Investments

The price of security services and products is not directly linked to the risk reduction they return.
The first countermeasure greatly reduces the risk of a breach. Broadly applicable commodity products, like firewalls and AV, detect widespread threats very inexpensively, but these basic tools don’t detect threats like living-off-the-land malware or previously unknown binaries.
The remaining risks are more exotic and less likely, but they could still significantly impact or even destroy your business. The cost to address these exotic risks is generally higher: countering the stealth techniques used by hackers requires more effort and know-how.
This can create a barrier to entry for small and medium businesses (SMBs). These businesses may not have the resources (financial or human) to acquire and operate the high-end countermeasures. That leaves residual risk exposed, placing SMBs in an unacceptable risk position.
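The three-step loop, the Risk = Probability × Impact formula, the layered mitigations of the web server example, and the diminishing return per dollar of each successive layer can all be put into one small model. The following Python script is an added illustration, not code from the original post or from CYDEF; every probability, dollar figure and cost-reduction factor in it is constructed for the example, and the 5×5 matrix bands are one hypothetical way to colour the grid.

```python
"""Toy model of the three-step cyber risk loop: evaluate expected loss,
check it against tolerance, apply the next countermeasure layer, re-evaluate.
All figures are constructed for illustration; they are not measured data."""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Countermeasure:
    name: str
    probability_factor: float  # multiplier on annual probability of a successful attack (1.0 = unchanged)
    impact_factor: float       # multiplier on the loss if the attack succeeds (1.0 = unchanged)
    annual_cost: float         # constructed cost to acquire and operate the layer, in dollars


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float  # annual probability that the threat materialises, 0..1
    impact: float       # loss in dollars if it does


def expected_loss(probability: float, impact: float) -> float:
    """Risk = Probability x Impact: the expected value of the loss scenario."""
    return probability * impact


def _rank(fraction: float) -> int:
    """Map a 0..1 fraction onto the 1..5 ordinal scale of a risk matrix."""
    return 1 + int(min(max(fraction, 0.0), 0.999) * 5)


def matrix_band(probability: float, impact: float, max_impact: float) -> str:
    """Place a scenario on a 5x5 risk matrix and return its colour band.
    Thresholds (score <= 4 green, >= 15 red) are a hypothetical choice."""
    score = _rank(probability) * _rank(impact / max_impact)
    if score <= 4:
        return "acceptable"
    if score >= 15:
        return "unacceptable"
    return "review"


# (layer name, loss reduction, annual cost, reduction per dollar spent)
LedgerRow = Tuple[str, float, float, float]


def manage_risk(scenario: Scenario, tolerance: float,
                layers: List[Countermeasure]) -> Tuple[str, float, List[LedgerRow]]:
    """Steps 1-3 of the loop. Evaluate residual expected loss; if it is within
    tolerance accept it, otherwise apply the next layer and re-evaluate.
    When no layers remain and risk is still too high, the only options left
    are to transfer it (insurance) or escalate the decision."""
    probability, impact = scenario.probability, scenario.impact
    residual = expected_loss(probability, impact)
    ledger: List[LedgerRow] = []
    for layer in layers:
        if residual <= tolerance:
            break
        probability *= layer.probability_factor
        impact *= layer.impact_factor
        new_residual = expected_loss(probability, impact)
        reduction = residual - new_residual
        ledger.append((layer.name, reduction, layer.annual_cost, reduction / layer.annual_cost))
        residual = new_residual
    decision = "accept" if residual <= tolerance else "transfer or escalate"
    return decision, residual, ledger


# Constructed inputs: the exposed web service with a public unauthenticated RCE.
WEB_RCE = Scenario("public RCE in exposed web service", probability=0.6, impact=2_000_000)
TOLERANCE = 50_000  # hypothetical: the business accepts up to $50k expected annual loss

# Layers in the order the post applies them, plus a costlier detection service.
LAYERS = [
    Countermeasure("web application firewall", probability_factor=0.3, impact_factor=1.0, annual_cost=4_000),
    Countermeasure("sandbox / chroot jail", probability_factor=1.0, impact_factor=0.2, annual_cost=12_000),
    Countermeasure("managed detection service", probability_factor=0.5, impact_factor=1.0, annual_cost=60_000),
]

if __name__ == "__main__":
    print(f"initial band: {matrix_band(WEB_RCE.probability, WEB_RCE.impact, WEB_RCE.impact)}")
    decision, residual, ledger = manage_risk(WEB_RCE, TOLERANCE, LAYERS)
    for name, reduction, cost, per_dollar in ledger:
        print(f"{name:28s} -${reduction:>10,.0f} expected loss for ${cost:>7,.0f}  ({per_dollar:,.1f} per $)")
    print(f"residual expected loss ${residual:,.0f} -> {decision}")
```

Run as a script, the ledger shows the first cheap layer removing most of the expected loss and each later layer buying less reduction per dollar, which is the diminishing-returns point of this section. Lowering `TOLERANCE` below what the three layers can reach makes `manage_risk` return "transfer or escalate" instead of "accept", the third branch of step 3.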
All of this is part of why we, at CYDEF, think everyone should feel safe doing business online. We work hard to deliver enterprise-grade security at a cost SMBs can afford. To learn more about our endpoint detection and response solutions, or our managed detection options, get in touch.


Dr. Antoine Lemay

Chief Scientific Officer