The real costs of cyber attacks are difficult to understand. The impacts of cyber attacks are terribly challenging to measure, which creates significant problems for organizations seeking to optimize their risk posture. To properly prioritize security investments, it is crucial to understand the overall risk of loss.
Although managing security is complex, the principles of determining value are relatively straightforward. Every organization, small to large, wants the loss it avoids to exceed the amount of money it spends on security. If, for example, a thief is stealing $10 from you and protection from the theft costs $20, then you are left with an economic imbalance in which security costs more than the risk of loss. This is obviously not desirable. If, however, the thief is stealing $100 and the protection still costs only $20, then there is a clear economic benefit, a net gain of $80. The same principle scales to even the most complex organization regardless of the type of loss, whether it be downtime, competitiveness, reputation, or loss of assets.
Without knowing the overall impacts, value calculations are near impossible, which leaves the return on investment (ROI) a vague assumption at best. Possessing a better picture of the costs and the risk of loss is key to understanding the value of investments that reduce such unpleasant ambiguity.
The bad news: Cybersecurity is complex and the damages and opportunity costs are difficult to quantify. So we do what we can, with what we have, and attempt to apply a common-sense filter as a sanity check. But a lack of proficiency leads to inaccuracy, which can result in unfavorable security investments. For example, in early 2015 the FBI estimated the impact of the CryptoWall ransomware by adding up all the complaints submitted to the Internet Crime Complaint Center (IC3). The complaints and reported losses for CryptoWall totaled more than $18 million. At the time, the estimate seemed reasonable, even sizable, given it was a single piece of malware causing so much damage.
The experts, myself included, were wrong. We lacked comprehensive data and similar examples for comparison. In this case, the methodology was not comprehensive and everyone knew it. Not every person being extorted would report their woes to IC3. We all expected an underestimate based upon this model, but we could not do the mental math necessary to generate a more accurate figure. So we held to the data we had. In reality, the estimate was off by more than an order of magnitude.
Just a few months later, the Cyber Threat Alliance released a CryptoWall report. The CTA tracked the actual money flowing from the malware to Bitcoin wallets, the payment mechanism the criminals used to collect ransoms from victims. One property of cryptocurrencies is that the transactions are public, even though the identities of the parties are obscured. Thanks to the public nature of the blockchain transactions, the CTA’s analysis showed that CryptoWall had earned $325 million.
That is a huge difference! From believing $18 million in damages to having superior data showing $325 million in paid ransoms is a great improvement in understanding. The accurate figure provides a much clearer portrait of the problem and gives people better data to decide the value of security measures. But we must still recognize this is not the full story. Although the CTA did a great job of showing the ill-gotten gains of the ransomware campaign, the report still falls short of the even larger realization of loss and impact. The analysis does not capture the harm to those who chose not to pay, the amount of time and frustration every infected person experienced, costs to recover from the attacks and prevent similar future malware infections, and the loss of business, trust, and productivity due to the operational impairments. There are far more pieces to the puzzle to assemble if we are to comprehend the total loss.
It all comes back to value. If a clearer understanding of the total loss and impact were consistently available, would people and organizations invest in more effective security? Perhaps, but maybe not. Regardless, a clearer understanding would give everyone better information to make informed choices. Managing risk is about making good decisions and finding the optimal level of security. Absent a realistic picture of the overall detriments, the community cannot hope to properly weigh its options in a logical way. The shortfall in measuring CryptoWall’s impact is just one droplet in a sea of examples in which analysts struggle to find the hidden costs of cyber attacks. Multiply these accounting misperceptions across the entire cyber ecosystem and we find ourselves standing on a huge iceberg, worried only about what is on the surface.
In cybersecurity we must question what we believe. It is almost a certainty that we are severely underestimating the overall impact and costs of cyber attacks at a macro scale. If this is true, then our response and investment are also insufficient at the same scale. The industry must uncover the true hidden costs in order to justify the right level of security and strategic direction. Only then will cybersecurity achieve effectiveness and sustainability.