1. Figuring out CyberSecurity Return On Investment
ISSA June Meeting

2. Need for a Common Language

3. The path forward Developing a ROI based Strategy to Cybersecurity
Research Risks and Common Threat Sources
Monetize Risks and Prioritize Threats
Discuss and seek approval
Review company asset at risks. Review community and market based security threat reports.
Convert identified risks into monetary loss. Seek insurance premium or calculate annual probability of loss. Calculate costs to combat common and market threat sources
Present risk reduction as annual cost savings to loss against the investment. Present investments in protections against top threat sources

4. Method 1: Analysis of Risks
Cybersecurity investments return value as a Asset Risk Reduction action and a Breach containment reaction

5. Management of known Risks
Risks A($30M), B($25M), and C($15M) is roughly $70M of the $131M total Risk. If the cost of a control is $4M for items A, B, and C. Then, the ROI is $70M/$4M
Look for the Highest risks and costs of controls and/or cybersecurity insurance to bring the risks within tolerance.

6. Method 2: Estimating loss from peers and looking for sources
IBM Security/ Ponemon 2018 Cost of Breach Report
On Average in the US, you have 13.5% probability each year of breach and average cost of $7.91M or $1M/year average

7. Small businesses have a worst experience
The U.S’ National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyber attack.
Ponemon 2017 State of Cybersecurity in SMBs
The average cost due to damage or theft of IT assets and infrastructure increased from $879,582 to $1,027,053. The average cost due to disruption to normal operations increased from $955,429 to $1,207,965.

8. What does the future look like?
Total global value at risk to Cybercrime over the next 5 years
Accenture 2019 Cost of Cybercrime Study
For an average G2000 company—with 2018 revenues of US$20 billion—the value at risk translates into an average of 2.8 percent of revenues, or US$580 million, each year for the next five years.
Global value at risk to Cybercrime by Industry over the next 5 years
On Average in the US during the next 5 years, you have 13.5% probability each year of loss equal to 2.8% of future revenues. This doesn’t include existing risks! However, we may be able to use this information to determine unknown existing risks in a careful manner.

9. Breach - Asset Category
What are the sources of Loss?
Breach - Threat Actions
Breach - Asset Category
Verizon’s 2019 Data Breach Investigations Report
Use percentages to derive Loss mitigation against expenses

10. Invest to reduce Loss from attacks
Leverage 2FA or MFA
Educate users against social engineering attacks – 20% of Loss
Leverage next generation endpoint protections
Verizon’s 2019 Data Breach Investigations Report
Endpoint – 30% of Loss
“Training employees to think and act with security in mind is the most underfunded activity in cybersecurity budgets.”
Accenture Ninth Annual Cost of Cybercrime Study

11. Invest to reduce Loss from attacks
Obvious stuff:
Audit and patch OS
2019 Trustwave Global Security Report
Routinely scan internet facing applications for vulnerabilities
Audit server configurations of Dev-Ops
Servers and Web Applications – 65% of loss
Leverage Web Application firewalls with threat feeds and patterns

12. Invest to reduce Expense when a Breach occurs or in process
Accenture 2019 Cost of Cybercrime Study
I don’t really have any monetary statistics yet to calculate direct ROI on these investments.
2018 IBM and Ponemon Cost of Breach Report