
1 Making Economics a Cyber-Security Weapon. Scott Borg, Director (CEO) and Chief Economist, U.S. Cyber Consequences Unit. Copyright © 2015 Scott Borg/U.S. Cyber Consequences Unit. All rights reserved.

2 If you are a cyber-security professional, what is your job? (from a business standpoint) What were you hired for?

3 The ultimate goal of cyber security: Reduce Cyber Risk. But... can you say what this is?

4 Risk = Expected Loss Over Time = Threat x Consequence x Vulnerabilities
(Frequency of a given attack type with an associated skill level) x (Potential business loss from that attack) x (Extent to which that loss would occur, given a specific set of policies and counter-measures) = Annualized Expected Loss

5 Of the three risk factors, Threat, Consequence, and Vulnerability... the hardest to understand is Consequence

6 What does a business or government agency do to create value? Businesses take Inputs and turn them into Outputs. [Diagram: Value Creation. Labels: Supplier, INPUTS (Inputs are benefits lost), OUTPUTS (Outputs are benefits gained), Customer.]

7 MEASURING A PRODUCTIVE ACTIVITY [Diagram: Value Creation. Labels: Supplier, INPUTS, Opportunity Cost, OUTPUTS, Willingness-to-Pay, Customer, Total Value Created.]

8 A CHANGE IN THE VALUE CREATED: WHAT SUBSTITUTES [Diagram. Labels: Supplier, Customer, Opportunity Cost, Willingness-to-Pay; Opportunity Cost and Willingness-to-Pay each appear twice.]

9 Protecting “High Value Assets” Is the Wrong Approach!
- The value of an asset doesn’t correlate with damage that could be done by attacking it
- Value in business doesn’t reside in things; value is something the business is continually creating
- Value is created by the way things work together, not by their separate outputs
- Cyber attacks can do serious damage without doing anything observable to assets

10 Making Cyber Risk Quantitative by Unpacking the Components
Threat x Consequence x Vulnerabilities = Risk
(Frequency of a given attack type) x (Potential Loss) x (Extent to which the loss would occur) = Annualized Expected Loss
THREAT: Attackers, Motives, Targets, Capabilities
CONSEQUENCE: I. Interrupting, II. Corrupting, III. Discrediting, IV. Undermining; Business Effects; Value Differential
VULNERABILITIES: 1. Findable, 2. Penetrable, 3. Corruptible, 4. Concealable, 5. Irreversible

11 Being able to estimate cyber risk and say how it is changed by different cyber-security measures...
- Will give you an objective basis for every cyber-security choice
- Will justify your budget
- Will allow you to determine the ROI for your activities
- Will give you a solid business defense of your actions if something goes wrong (i.e., save your job)
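The risk formula from the earlier slides, carried through to the ROI of a counter-measure. This is an added example, not part of the original presentation: every frequency, loss, cost and measure name is a constructed sample value, and modelling a measure as a simple multiplier on the "extent" factor is a simplifying assumption.

```python
# Added illustration; all figures below are constructed sample values.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float       # Threat: expected attacks of this type per year
    potential_loss: float  # Consequence: business loss if the attack fully succeeds
    extent: float          # Vulnerability: fraction of that loss that would occur (0..1)

    def ale(self) -> float:
        """Annualized expected loss for this attack type."""
        return self.frequency * self.potential_loss * self.extent

@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost: float
    extent_factor: dict    # scenario name -> multiplier applied to extent (assumption)

def total_ale(scenarios):
    return sum(s.ale() for s in scenarios)

def apply_measure(scenarios, measure):
    # Scenarios the measure does not address keep their extent unchanged.
    return [replace(s, extent=s.extent * measure.extent_factor.get(s.name, 1.0))
            for s in scenarios]

def evaluate(scenarios, measure):
    before = total_ale(scenarios)
    after = total_ale(apply_measure(scenarios, measure))
    reduction = before - after
    return {"measure": measure.name, "ale_before": before, "ale_after": after,
            "risk_reduction": reduction,
            "roi": (reduction - measure.annual_cost) / measure.annual_cost}

def rank_by_roi(scenarios, measures):
    return sorted((evaluate(scenarios, m) for m in measures),
                  key=lambda r: r["roi"], reverse=True)

SCENARIOS = [  # constructed: one row per attack type
    Scenario("interrupting", 2.0, 50_000, 0.5),
    Scenario("corrupting", 0.5, 400_000, 0.25),
    Scenario("discrediting", 0.25, 800_000, 0.5),
]
MEASURES = [   # constructed: hypothetical counter-measures and costs
    Measure("tested offline backups", 20_000, {"interrupting": 0.5, "corrupting": 0.5}),
    Measure("integrity monitoring", 40_000, {"corrupting": 0.25, "discrediting": 0.5}),
]

if __name__ == "__main__":
    for r in rank_by_roi(SCENARIOS, MEASURES):
        print(f"{r['measure']}: ALE {r['ale_before']:,.0f} -> {r['ale_after']:,.0f}, ROI {r['roi']:.2f}")
```

The measure with the larger absolute risk reduction is not the one with the better ROI here, which is the kind of comparison the estimate makes possible.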

12 But estimating cyber risk is hard, because you might not know enough yet about...
- The potential attackers, their motives, how they choose attacks, what their capabilities are, and how these factors are changing over time
- Where and how your organization creates value, where its potential liabilities are, and what would happen in the event of an attack
- How your organization’s vulnerabilities would affect attacker activities and success rates collectively, rather than one-by-one

13 What should you do in the meantime? (if you don’t have enough information to estimate risks)

14 The stepping-stone goal for cyber security: Increase Attacker Costs (while holding down attacker gains). You already know a lot about how to do this!

15 Ask yourself:
- What hurdles would an attacker need to overcome to carry out a profitable attack? (Hint: never just penetration)
- How much time and skill would it take to overcome these hurdles?
- How can the time and skill required from an attacker be most effectively increased?
You will probably find you can even make quantitative estimates of these things!

16 Attacker cost is the real guide to hitting attackers where it hurts! (Even a modest-sized business can typically increase attacker costs by a factor of 10 or 100!) This is how to make the game of cyber security into one you can win!

17 Winning:
- If you can make the costs of attacking your systems greater than the benefits from attacking them, you have won absolutely!
- If you can make the return-on-investment for attacking your organization considerably worse than for attacking another target, you have won relatively!
Not as good a guide as quantifying risk (notice why!), but the next best thing
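The attacker-cost questions and the two kinds of winning above, worked through as an added example that is not part of the original presentation. Hours, hourly rates, the attacker's gain and the other target's ROI are constructed sample values; mapping hurdles onto the five vulnerability stages and treating "considerably worse" as a factor-of-two margin are assumptions.

```python
# Added illustration; hours, rates and gains are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Hurdle:
    name: str
    hours: float        # attacker time needed to get past this hurdle
    hourly_rate: float  # cost per hour of the skill level the hurdle demands

def attacker_cost(hurdles):
    """Total cost of clearing every hurdle; an attack needs all of them."""
    return sum(h.hours * h.hourly_rate for h in hurdles)

def attacker_roi(gain, hurdles):
    cost = attacker_cost(hurdles)
    return (gain - cost) / cost

def assess(gain, hurdles, alternative_roi, margin=2.0):
    """Classify the defender's position.

    margin is how many times worse the attacker's ROI must be than the ROI
    of attacking another target to count as "considerably worse" (assumption).
    """
    if attacker_cost(hurdles) > gain:
        return "absolute win"
    if attacker_roi(gain, hurdles) * margin <= alternative_roi:
        return "relative win"
    return "not winning yet"

GAIN = 32_000          # constructed: what the attacker expects to make
ALTERNATIVE_ROI = 9.0  # constructed: attacker's ROI against another target

BASELINE = [Hurdle("find", 8, 50), Hurdle("penetrate", 16, 100),
            Hurdle("corrupt", 8, 100), Hurdle("conceal", 4, 50),
            Hurdle("make irreversible", 4, 50)]
PARTIAL = [Hurdle("find", 40, 50), Hurdle("penetrate", 80, 100),
           Hurdle("corrupt", 40, 100), Hurdle("conceal", 20, 50),
           Hurdle("make irreversible", 20, 50)]
HARDENED = [Hurdle("find", 80, 50), Hurdle("penetrate", 160, 150),
            Hurdle("corrupt", 40, 150), Hurdle("conceal", 40, 100),
            Hurdle("make irreversible", 20, 100)]

if __name__ == "__main__":
    for label, hurdles in (("baseline", BASELINE), ("partial", PARTIAL), ("hardened", HARDENED)):
        print(label, attacker_cost(hurdles), assess(GAIN, hurdles, ALTERNATIVE_ROI))
```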

18 What economics is most fundamentally about: Not cash flows and markets! Maximizing the benefits gained, relative to the benefits lost. Attackers are already thinking this way. You should be too!

19 For more information or permission to use this material, please contact: Scott Borg, U.S. Cyber Consequences Unit, P.O. Box 1390, Norwich, VT 05055, scott.borg@usccu.us

