
Page 1

Copyright © 2015 Scott Borg/U.S. Cyber Consequences Unit. All rights reserved.

Making Economics a Cyber-Security Weapon

Scott Borg
Director (CEO) and Chief Economist
U.S. Cyber Consequences Unit

Page 2

If you are a cyber-security professional, what is your job? (from a business standpoint)

What were you hired for?

Page 3

The ultimate goal of cyber security: Reduce Cyber Risk

But . . . can you say what this is?

Page 4

Risk =
Expected Loss Over Time =
Threat x Consequence x Vulnerabilities

Frequency of a given attack type with an associated skill level
x Potential business loss from that attack
x Extent to which that loss would occur, given a specific set of policies and counter-measures
= Annualized Expected Loss
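As an added example (not from the slides), the formula above computed in Python over a few constructed attack types, plus the change in annualized expected loss that one counter-measure produces, which is the risk-reduction figure an ROI argument for a security budget rests on. Every frequency, loss figure and counter-measure effect here is an assumed sample value, not the author's data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """One attack type at an associated skill level (the slide's three factors)."""
    attack: str
    threat: float         # expected frequency per year of this attack type
    consequence: float    # potential business loss if the attack fully succeeds
    vulnerability: float  # fraction (0..1) of that loss that would actually occur
                          # under the current policies and counter-measures

def annualized_expected_loss(scenarios):
    """Risk = sum over attack types of Threat x Consequence x Vulnerability."""
    return sum(s.threat * s.consequence * s.vulnerability for s in scenarios)

def apply_countermeasure(scenarios, reductions):
    """Scenarios as they look after a counter-measure: `reductions` maps
    attack -> factor left on the vulnerability term (0.25 means only a quarter
    of the loss would still occur); untouched attack types keep their value."""
    return [
        Scenario(s.attack, s.threat, s.consequence,
                 s.vulnerability * reductions.get(s.attack, 1.0))
        for s in scenarios
    ]

def countermeasure_roi(scenarios, reductions, annual_cost):
    """Risk reduction in dollars per year, and ROI of the measure's annual cost."""
    before = annualized_expected_loss(scenarios)
    after = annualized_expected_loss(apply_countermeasure(scenarios, reductions))
    reduction = before - after
    return reduction, (reduction - annual_cost) / annual_cost

# Constructed sample figures (assumptions for illustration, not the author's data).
SAMPLE = [
    Scenario("phishing / low skill", threat=12.0, consequence=50_000.0, vulnerability=0.30),
    Scenario("ransomware / medium skill", threat=2.0, consequence=400_000.0, vulnerability=0.50),
    Scenario("targeted intrusion / high skill", threat=0.2, consequence=2_000_000.0, vulnerability=0.80),
]
# Assumed effect of one measure (e.g. phishing-resistant MFA plus offline backups).
MEASURE = {"phishing / low skill": 0.5, "ransomware / medium skill": 0.25}

if __name__ == "__main__":
    print(f"current annualized expected loss: {annualized_expected_loss(SAMPLE):,.0f}")
    reduction, roi = countermeasure_roi(SAMPLE, MEASURE, annual_cost=60_000.0)
    print(f"risk reduction: {reduction:,.0f}/yr, ROI on 60,000/yr: {roi:.1%}")
```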

Page 5

Of the three risk factors, Threat, Consequence, and Vulnerability . . . the hardest to understand is Consequence

Page 6

[Diagram: Value Creation. Supplier -> INPUTS -> Value Creation -> OUTPUTS -> Customer. Inputs are benefits lost; outputs are benefits gained.]

What does a business or government agency do to create value?

Businesses take Inputs and turn them into Outputs.

Page 7

MEASURING A PRODUCTIVE ACTIVITY

[Diagram: the same Supplier -> INPUTS -> Value Creation -> OUTPUTS -> Customer chain. Inputs are measured by Opportunity Cost on the supplier side and outputs by Willingness-to-Pay on the customer side; the gap between the two is the Total Value Created.]

Page 8

A CHANGE IN THE VALUE CREATED: WHAT SUBSTITUTES

[Diagram: Supplier and Customer again, with the Opportunity Cost and Willingness-to-Pay labels each shown twice, before and after the change.]

Page 9

Protecting "High Value Assets" Is the Wrong Approach!

The value of an asset doesn't correlate with damage that could be done by attacking it

Value in business doesn't reside in things; value is something the business is continually creating

Value is created by the way things work together, not by their separate outputs

Cyber attacks can do serious damage without doing anything observable to assets

Page 10

Making Cyber Risk Quantitative by Unpacking the Components

Threat x Consequence x Vulnerabilities = Risk

Frequency of a given attack type x Potential Loss x Extent to which the loss would occur = Annualized Expected Loss

[Diagram, three columns:
THREAT: Attackers, Motives, Targets, Capabilities
CONSEQUENCE: Business Effects (I. Interrupting, II. Corrupting, III. Discrediting, IV. Undermining), Value Differential
VULNERABILITIES: 1 Findable, 2 Penetrable, 3 Corruptible, 4 Concealable, 5 Irreversible]

Page 11

Being able to estimate cyber risk and say how it is changed by different cyber-security measures . . .

Will give you an objective basis for every cyber-security choice

Will justify your budget

Will allow you to determine the ROI for your activities

Will give you a solid business defense of your actions if something goes wrong (i.e., save your job)

Page 12

But estimating cyber risk is hard, because you might not know enough yet about . . .

The potential attackers, their motives, how they choose attacks, what their capabilities are, and how these factors are changing over time

Where and how your organization creates value, where its potential liabilities are, and what would happen in the event of an attack

How your organization's vulnerabilities would affect attacker activities and success rates collectively, rather than one-by-one

Page 13

What should you do in the meantime? (if you don't have enough information to estimate risks)

Page 14

You already know a lot about how to do this!

The stepping-stone goal for cyber security: Increase Attacker Costs (while holding down attacker gains)

Page 15

Ask yourself:

What hurdles would an attacker need to overcome to carry out a profitable attack? (Hint: never just penetration)

How much time and skill would it take to overcome these hurdles?

How can the time and skill required from an attacker be most effectively increased?

You will probably find you can even make quantitative estimates of these things!

Page 16

Attacker cost is the real guide to hitting attackers where it hurts!

(Even a modest-sized business can typically increase attacker costs by a factor of 10 or 100!)

This is how to make the game of cyber security into one you can win!

Page 17

Winning:

If you can make the costs of attacking your systems greater than the benefits from attacking them, you have won absolutely!

If you can make the return-on-investment for attacking your organization considerably worse than for attacking another target, you have won relatively!

Not as good a guide as quantifying risk (notice why!), but the next best thing
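An added example, not the author's, that turns the hurdle questions of page 15 and the two winning conditions above into a small defender's model: each hurdle costs the attacker time priced by the skill it needs, and the verdict compares that total with the attacker's expected gain and with the return available from an alternative target. The hurdles, hours, skill prices, gain and the "considerably worse" margin are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed price of one attacker-hour at each skill level (constructed figures).
SKILL_RATE = {"low": 25.0, "medium": 100.0, "high": 400.0}

@dataclass(frozen=True)
class Hurdle:
    name: str     # what the attacker has to get past
    hours: float  # time it takes
    skill: str    # skill level needed; a key of SKILL_RATE

def attacker_cost(hurdles):
    """Time x skill price, summed over every hurdle on the way to a profitable attack."""
    return sum(h.hours * SKILL_RATE[h.skill] for h in hurdles)

def attacker_roi(hurdles, gain):
    """Return on the attacker's investment: (gain - cost) / cost."""
    cost = attacker_cost(hurdles)
    return (gain - cost) / cost

def verdict(hurdles, gain, alt_roi, margin=3.0):
    """'absolute' win when cost exceeds gain; 'relative' win when our ROI is at
    least `margin` times worse than the alternative target's; else 'not yet'."""
    if attacker_cost(hurdles) >= gain:
        return "absolute"
    if attacker_roi(hurdles, gain) * margin <= alt_roi:
        return "relative"
    return "not yet"

def cost_multiplier(before, after):
    """How many times more expensive the attack became (the slide's 10x or 100x)."""
    return attacker_cost(after) / attacker_cost(before)

# Constructed hurdles for one attack path; penetration is only one of them.
BASE = [
    Hurdle("find a worthwhile target", 4, "low"),
    Hurdle("penetrate the perimeter", 20, "medium"),
    Hurdle("locate the data that matters", 30, "medium"),
    Hurdle("extract and monetize it", 40, "medium"),
    Hurdle("stay concealed long enough", 10, "high"),
]
ADDED = [Hurdle("defeat phishing-resistant MFA", 40, "high"),
         Hurdle("evade egress monitoring", 60, "high")]

if __name__ == "__main__":
    gain, alt_roi = 50_000.0, 4.0  # attacker's expected take and ROI elsewhere (assumed)
    for n in range(len(ADDED) + 1):
        path = BASE + ADDED[:n]
        print(f"{n} added hurdle(s): cost {attacker_cost(path):,.0f} -> {verdict(path, gain, alt_roi)}")
```

Adding counter-measures moves the same attack path from "not yet" through a relative win to an absolute one, which is the ordering the two conditions above describe.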

Page 18

What economics is most fundamentally about:

Not cash flows and markets!

Maximizing the benefits gained, relative to the benefits lost.

Attackers are already thinking this way.

You should be too!

Page 19

For more information or permission to use this material, please contact:

Scott Borg
U.S. Cyber Consequences Unit
P.O. Box 1390
Norwich, VT 05055

[email protected]@usccu.us