Budgeting for Cybersecurity

Anonymous

Question Description

Prepare a two-page briefing paper (5 to 7 paragraphs) for the senior leadership and corporate board of Red Clay Renovations which addresses planning (what do we need to do?), programming (how will we do it?), and budgeting (how will we pay for it?) processes for IT security program management.

1. Use the company profile and enterprise architecture diagrams to identify five or more risks which require a financial investment. Financial investments should be categorized as: people investments, process investments, and/or technology investments.

2. Choose one of the four strategies for reducing the costs associated with responding to cyberattacks from the Rand report (A Framework for Programming and Budgeting for Cybersecurity):

Minimize Exposure

Neutralize Attacks

Increase Resilience

Accelerate Recovery

3. Discuss how your selected strategy (make it clear which strategy you selected) can be used in the planning (what do we need to do?) and programming (how will we do it?) phases of budget preparation to identify less costly solutions for implementing technical, operational, and management controls.

Provide in-text citations and references for 3 or more authoritative sources. Put the reference list at the end of your posting.

http://www.rand.org/content/dam/rand/pubs/tools/TL100/TL186/RAND_TL186.pdf

https://danielmiessler.com/study/information-security-metrics/

https://www.enisa.europa.eu/activities/cert/other-work/introduction-to-return-on-security-investment/at_download/fullReport

https://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-Enterprise-IT/Prepare-for-the-Exam/Study-Materials/Documents/Developing-a-Successful-Governance-Strategy.pdf

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-100.pdf

https://csrc.nist.gov/publications/detail/sp/800-55/rev-1/final


Unformatted Attachment Preview

Introduction to Return on Security Investment
Helping CERTs assessing the cost of (lack of) security
[Deliverable – December 2012]

About ENISA

The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its Member States, the private sector and Europe's citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU Member States in implementing relevant EU legislation and works to improve the resilience of Europe's critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU Member States by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu

Contact details

To contact ENISA for this report please use the following details: E-mail: opsec@enisa.europa.eu; Internet: http://www.enisa.europa.eu

Legal notice

Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be an action of ENISA or the ENISA bodies unless adopted pursuant to the ENISA Regulation (EC) No 460/2004 as amended by Regulation (EC) No 1007/2008. This publication does not necessarily represent state-of-the-art and it might be updated from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. Member States are not responsible for the outcomes of the study. This publication is intended for educational and information purposes only. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Reproduction is authorised provided the source is acknowledged. © European Network and Information Security Agency (ENISA) 2012

Contents

1 Executive Summary
2 The need for ROSI calculation
2.1 Answers to important questions
2.2 The false notion of security investment
3 Methodology for ROSI calculation
3.1 Basic concepts of risk assessment
3.2 ROSI calculation
4 The limits of ROSI
4.1 The drawback of estimation
4.2 Gordon & Loeb Model
5 Assessing the cost-effectiveness of CERTs
6 Remaining issues and further reading
7 Conclusion
8 Annex I: References

1 Executive Summary

As for any organization, CERTs need to measure their cost-effectiveness, to justify their budget usage and provide supportive arguments for their next budget claim. But organizations often have difficulties accurately measuring the effectiveness and the cost of their information security activities. The reason for that is that security is not usually an investment that provides profit but loss prevention. So what is the right amount an organization should invest in protecting information?

The aim of this document is to initiate a discussion among CERTs to create basic tools and best practices to calculate their Return on Security Investment (ROSI). This key notion is essential when justifying cost commitments and budgets for those entities that deal with security on a regular basis (security departments, CERTs, etc.). Although the methods outlined here are straightforward, their application to the real world should take into account a general tendency to misevaluate the actual cost of an incident, a central notion of the ROSI calculation. While controversial, the Gordon & Loeb Model [1] is an attempt to ease the finding of the optimal level of investment to protect a given asset.

Due to the diversity of their nature, funding models and capabilities, calculating the return on investment of CERTs has to go beyond a single ROSI calculation. In fact, assessing the cost-effectiveness of CERTs should take into account the beneficial actions that CERTs achieve by contributing to detect, handle, recover from and deter incidents early and efficiently. And the earlier an incident is handled, the less expensive its mitigation is. The profitability of a CERT is therefore assessed by determining the difference in incident handling costs with the help of a CERT versus not having a CERT.

[1] "The Economics of Information Security Investment", Lawrence Gordon and Martin Loeb, http://ns1.geoip.clamav.net/~mfelegyhazi/courses/BMEVIHIAV15/readings/04_GordonL02economics_security_investment.pdf

2 The need for ROSI calculation

2.1 Answers to important questions

Return on investment

In every public or private organisation, each budget investment has to be justified and its effectiveness is often evaluated afterward. In finance, this evaluation is called the Return on Investment or rate of return. The ROI is calculated as follows:

Example of ROI calculation: Alice would like to run a lemonade business for summer. She needs money for setting up the business. Bob gives her 200€ to start her business. In return, Alice agrees to give Bob 50% of the benefits. At the end of summer, Alice made 1000€ of benefits. Bob gets 500€. Bob's Return on Investment is calculated as follows:

Return on security investment

The concept of the ROI calculation applies to every investment. Security is no exception. As stated in ENISA's work programme 2012, "executive decision-makers want to know the impact security is having on the bottom line. In order to know how much they should spend on security, they need to know how much is the lack of security costing to the business and what are the most cost-effective solutions." Applied to security, a Return On Security Investment (ROSI) calculation can provide quantitative answers to essential financial questions:

- Is an organization paying too much for its security?
- What financial impact could a lack of security have on productivity?
- When is the security investment enough?
- Is this security product/organisation beneficial?

2.2 The false notion of security investment

The classical financial approach for ROI calculation is not particularly appropriate for measuring security-related initiatives: security is not generally an investment that results in a profit. Security is more about loss prevention. In other terms, when you invest in security, you don't expect benefits; you expect to reduce the risks threatening your assets. With this approach, the quantitative assessment of the Return on Security Investment is done by calculating how much loss you avoided thanks to your investment.

[Figure: loss reduction plotted against security investment. Caption: The aim of cost-effective security.]

3 Methodology for ROSI calculation

Assessing security investment involves evaluating how much potential loss could be saved by an investment. Therefore, the monetary value of the investment has to be compared with the monetary value of the risk reduction. This monetary value of risk can be estimated by a quantitative risk assessment.

3.1 Basic concepts of risk assessment

Quantitative risk assessment is achieved by determining several components of a risk. The following notions need to be defined:

Single Loss Expectancy (SLE)

The SLE is the expected amount of money that will be lost when a risk occurs. In this approach, SLE can be considered as the total cost of an incident assuming its single occurrence. Due to the specific nature of cyber incidents, the major complexity is to take into account all the assets this incident has an impact on. For instance, a stolen laptop will not only cost the replacement of the laptop itself but will also imply productivity loss, reputation loss, IT support time and, possibly, cost of intellectual property loss. The total cost of an incident should include the cost of direct losses (website downtime, hardware replacement, data loss replacement, etc.) and the cost of indirect losses (investigation time, loss of reputation, impact on image, etc.). [2]

There are no universal values for SLEs. What will be included in the calculation of the SLE of a specific threat will depend on the business objectives, cultural values and existing security measures. In the end, one entity could estimate the SLE of a stolen laptop at the value of the laptop itself (i.e. 2.000€) while another organisation dealing with highly sensitive information would value this loss at 100.000 € as it would affect its image, its potential contracts and its competitive advantage. Although the SLE can be evaluated in different ways, the ROSI calculation often implies comparison of different SLEs. Therefore, it is important to be consistent in the way it is calculated.

Annual Rate of Occurrence (ARO)

The ARO is a measure of the probability that a risk occurs in a year. Again, this data is an approximation and can depend on many factors: the ARO of a flood will depend on geographic factors, the ARO of a disk failure is influenced by the operating temperature, the ARO of a burglary will depend on the location of the asset, etc. And, of course, the ARO also depends on the existing security measures: the ARO of a successful malicious code attack will decrease significantly after implementing an effective anti-virus.

Annual Loss Expectancy (ALE)

The ALE is the annual monetary loss that can be expected from a specific risk on a specific asset. It is calculated as follows:

[2] See detailed Cost of ICT incident calculation exercise, "CERT exercise handbook", ENISA, 2012

3.2 ROSI calculation

The ROSI calculation combines the quantitative risk assessment and the cost of implementing security countermeasures for this risk. In the end, it compares the ALE with the expected loss saving.

Return on Security Investment (ROSI)

Following the ROI definition, the ROSI is defined as below:

Implementing an effective security solution lowers the ALE: the more effective a solution is, the more the ALE is reduced. This monetary loss reduction can be defined by the difference between the ALE without the security solution and the modified ALE (mALE) with the security solution implemented. This also equals the mitigation ratio of the solution applied to the ALE:

Example 1: The Acme Corp. is considering investing in an anti-virus solution. Each year, Acme suffers 5 virus attacks (ARO=5). The CSO estimates that each attack costs approximately 15.000 € in loss of data and productivity (SLE=15.000). The anti-virus solution is expected to block 80% of the attacks (Mitigation ratio=80%) and costs 25.000€ per year (License fees 15.000€ + 10.000€ for trainings, installation, maintenance etc.). The Return on Security Investment for this solution is then calculated as follows:

According to this ROSI calculation, this anti-virus solution is a cost-effective solution.

In the end, ROSI calculation is based on 3 variables: estimated potential loss (ALE), estimated risk mitigation, and cost of the solution. If the cost of the solution is easier to predict – provided all indirect costs are considered – the two other variables are estimations that make ROSI more approximate.

The data imperative

Imagine you calculate the cost – reputational costs, loss of customers, etc. – of having your company's name in the newspaper after an embarrassing cybersecurity event to be $20 million. Also assume that the odds are 1 in 10,000 of that happening in any one year. ALE says you should spend no more than $2,000 mitigating that risk. So far, so good. But maybe your CFO thinks an incident would cost only $10 million. You can't argue, since we're just estimating. But he just cut your security budget in half. A vendor trying to sell you a product finds a Web analysis claiming that the odds of this happening are actually 1 in 1,000. Accept this new number, and suddenly a product costing 10 times as much is still a good investment. It gets worse when you deal with even more rare and expensive events. Imagine you're in charge of terrorism mitigation at a chlorine plant. What's the cost to your company, in money and reputation, of a large and very deadly explosion? $100 million? $1 billion? $10 billion? And the odds: 1 in a hundred thousand, 1 in a million, 1 in 10 million? Depending on how you answer those two questions, and any answer is really just a guess, you can justify spending anywhere from $10 to $100,000 annually to mitigate that risk.

Source: Bruce Schneier, Security ROI, http://www.schneier.com/blog/archives/2008/09/security_roi_1.html

4 The limits of ROSI

Estimating the amount of money saved from losses that may never happen is a hard task that, in the real world, requires more than straightforward application of simple formulas.

4.1 The drawback of estimation

The ROSI calculation is the result of many approximations. The cost of cyber security incidents and the annual rate of occurrence are hard to estimate and the resulting numbers can vary widely from one environment to another. These approximations are often biased by our perception of the risk, and the ROSI calculation can easily be manipulated (see 'The data imperative') to serve the user's interest or to justify a decision rather than enlighten it. The accuracy of statistical data used in the ROSI calculation is therefore essential. However, actuarial data on security incidents are hard to find as companies are often reluctant to provide data on their security incidents.

Trust your experience

It's often a better practice to extrapolate from the organisation's historical data on incidents than to rely on the study of a vendor. In practical terms, if, in the past 5 years, a website has been the target of a denial-of-service attack 6 times, then an ARO of 6/5 would be more accurate than a percentage reported in any study.

4.2 Gordon & Loeb Model

Lawrence Gordon and Martin Loeb are economists at the University of Maryland. Their study, published in 2002, "The Economics of Information Security Investment" [3] is well known and often cited (552 references according to Google Scholar).

In their study, the authors state that, contrary to the basics of risk assessment, an asset of greater value should not necessarily benefit from a greater investment to protect it. The optimal information security investment does not always increase proportionately to increases in vulnerability; there is a point at which it is not in the best interest of a firm to make increasingly larger investments in information security. According to this study, "the optimal amount to spend on information security never exceeds 37% of the expected loss resulting from a security breach (and is typically much less than 37%). Hence, the optimal amount to spend on information security would typically be far less than even the expected loss from a security breach".

The Gordon & Loeb model has been questioned by another study [4] showing that there was possibly no fixed percentage for optimal investment. These conflicting studies show that ROSI calculation remains an approximate model and that the resulting numbers should be regarded with care. Organisations should consider the results as guidelines rather than strict rules to follow. ROSI calculation will never be perfectly accurate.

[3] "The Economics of Information Security Investment", Lawrence Gordon and Martin Loeb, http://ns1.geoip.clamav.net/~mfelegyhazi/courses/BMEVIHIAV15/readings/04_GordonL02economics_security_investment.pdf

[4] "On the Gordon & Loeb model for Information Security Investment", 2006, Jan Willemson, University of Tartu, http://weis2006.econinfosec.org/docs/12.pdf

5 Assessing the cost-effectiveness of CERTs

CERTs internally providing services to an entity are "non-profit" organisations; their goal is not to make money but to prevent losses by avoiding, containing and recovering from an incident in a quick and efficient way. Therefore, the cost-effectiveness of CERTs has to be regarded as a security investment: their returns on investment are the savings they provide. A factual approach is advised here: ALE is often easier to calculate a posteriori, from more accurate historical data. Therefore, assessing the cost-effectiveness of CERTs can be approximated by assessing the difference between the past incident response cost with CERTs and what the incident response cost would have been without CERTs.

Cyber-attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organisational cost. The average time to resolve a cyber-attack was 24 days, with an average cost to participating organisations of £135,744 over this 24-day period. Results show that malicious insider attacks can take more than 50 days on average to contain.

Source: Ponemon Study, Oct. 2012 – Cost of cybercrime UK, http://www.hpenterprisesecurity.com/collateral/report/HPESP_WP_PonemonCostofCyberCrimeStudy2012_UK.pdf

Cost of incident

As a rule of thumb, the quicker an incident is detected, the less expensive it is to recover from it. Depending on the type of incident, damages can grow exponentially over time. Therefore the time saving provided by CERT activities in incident eradication represents a financial saving in terms of damage and downtime reduction. The actual savings provided by a CERT can then be estimated by summing all the savings provide ...
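The SLE, ARO, ALE and ROSI definitions in the ENISA preview above, worked through in code as an added example (not ENISA's own code): it reproduces the report's Example 1 (Acme Corp. anti-virus) and then reruns the calculation over a grid of constructed SLE/ARO multipliers to make the estimation problem from 'The data imperative' box concrete. Function names and the grid multipliers are assumptions; the 37% figure is the Gordon & Loeb bound the report quotes.

```python
"""ROSI worked example following the ENISA methodology quoted above
(ALE = SLE x ARO; ROSI compares the loss avoided by a control with its cost).
Added example, not code from ENISA. Figures come from the report's Example 1
(Acme Corp. anti-virus); the sensitivity grid uses constructed multipliers."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    sle: float  # Single Loss Expectancy: total cost of one incident (EUR)
    aro: float  # Annual Rate of Occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        # Annual Loss Expectancy = SLE x ARO
        return self.sle * self.aro


def rosi(risk: Risk, mitigation_ratio: float, solution_cost: float) -> float:
    """ROSI = (ALE x mitigation_ratio - solution_cost) / solution_cost.

    ALE x mitigation_ratio is the avoided loss (ALE - mALE in the report's
    terms); a positive result means the control saves more than it costs."""
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    if solution_cost <= 0:
        raise ValueError("solution cost must be positive")
    avoided_loss = risk.ale * mitigation_ratio
    return (avoided_loss - solution_cost) / solution_cost


def gordon_loeb_cap(ale: float) -> float:
    """Upper bound on optimal spend from the Gordon & Loeb model: never more
    than 37% of the expected loss. The report notes this bound is disputed."""
    return 0.37 * ale


def sensitivity(base: Risk, mitigation_ratio: float, solution_cost: float,
                sle_factors=(0.5, 1.0, 2.0), aro_factors=(0.1, 1.0, 10.0)):
    """Recompute ROSI over a grid of SLE/ARO estimates (constructed
    multipliers) to show how far the verdict moves with the inputs, which is
    the problem the report's 'data imperative' box describes."""
    return {
        (sf, af): rosi(Risk(base.sle * sf, base.aro * af),
                       mitigation_ratio, solution_cost)
        for sf in sle_factors
        for af in aro_factors
    }


# Example 1 from the report: 5 attacks a year at 15,000 EUR each; the
# anti-virus blocks 80% of them and costs 25,000 EUR per year.
ACME = Risk(sle=15_000, aro=5)
ACME_MITIGATION = 0.80
ACME_COST = 25_000

if __name__ == "__main__":
    print(f"ALE: {ACME.ale:,.0f} EUR")
    print(f"ROSI: {rosi(ACME, ACME_MITIGATION, ACME_COST):.0%}")
    print(f"Gordon & Loeb cap: {gordon_loeb_cap(ACME.ale):,.0f} EUR")
    for (sf, af), r in sensitivity(ACME, ACME_MITIGATION, ACME_COST).items():
        print(f"SLE x{sf:<4} ARO x{af:<5} -> ROSI {r:+.0%}")
```

With the report's figures the ALE is 75,000 EUR and the ROSI comes out at 140%; the grid shows the same control swinging from a clear loss to a huge win purely on how SLE and ARO were guessed.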

Tutor Answer

DoctorArsmtrong
School: Carnegie Mellon University

Hello, the work is complete and I am looking forward to working with you in future. Great moments in your endeavors.

Running head: BUDGETING OF CYBERSECURITY

Budgeting for Cybersecurity
Institution Affiliation
Instructor’s Name
Student’s Name
Course Code
Date


Budgeting Of Cyber Security
In management, it is critical for the administration to ensure that there is continuous checking of the possible risks that might be facing their firm. This is to provide that risks are controlled beforehand and, if possible, prevented from reoccurring (Davis, Libicki, Johnson, Kumar, Watson, & Karode, 2016). Some of the dangers found from the analysis of the case are discussed below. Risks that need people investments: miscommunication; this is a lack of communication. Risks that need process investments: poor construction; the IT architecture is meant to be constructed in a way that it cannot be cracked and hence is suitable to provide security. The risk that needs technology investments: increased mobile access; this involves high acce...

Review

Anonymous
Excellent job
