
Return on Security Investment: The Simple Formula [Part 1]

One can say that the real purpose of Information Security is to preserve value: the value of intellectual property, transactions, access to and dissemination of information, values of commodities and currencies, and so on. Recent news puts a number on that value: consider the recent Verizon acquisition of Yahoo, with an initial agreement price of $4.8 billion being reduced by over 7%, or $350 million, after revelations that Yahoo had experienced two massive security breaches affecting more than 1 billion users.


There are seemingly intangible costs such as devaluation due to loss of reputation, but there are real-world examples of that, too. A video that went viral a few years ago regarding United Airline’s mishandling of luggage by airline personnel, resulting in the destruction of musical instruments, is thought to be the cause of a 10% ($180M) drop in their stock price. More recently, publicity about the forceful removal of passengers has had a similar effect. Harvard has conducted studies that show a difference of 1 star on a Yelp review results in a 9% change in client base and revenue. Unhappy customers have a real negative impact on your business – and news releases about security breaches make customers unhappy.

Highly publicized retail breaches, ransomware running wild among health care providers, state-sponsored attacks, DDoS used as a weapon and as a diversion while threat actors rob financials, and more have resulted in the average large company spending $15 million per year battling cybercrime, with businesses in the healthcare and financial services sectors on record as spending up to and beyond $100 million each year to battle cybercrime. The average InfoSec spend for all US businesses is $1.3 million. This leads stakeholders such as Boards of Directors to ask serious questions about Return On Investment, or ROI. This can also be referred to as ROSI – Return On Security Investment.

Pitching a security initiative to your CFO without a good value proposition based on ROI is a very tough sell. Many would regard security as insurance, and nobody wants to have to buy insurance. Showing security initiatives with strong ROI portrays them as sound investments.



Beckstrom’s Law is a method of computing ROI by showing the value of a security initiative. Rod Beckstrom is an author, high-tech entrepreneur, former CEO and President of ICANN, and previously served as Director of the National Cybersecurity Center within the Department of Homeland Security. Beckstrom’s Law, in its simplest form, states the value of a network as the benefit value of all transactions minus the cost of all transactions.

Value = Benefit – Cost

A simple example: if it costs a person $25 to buy a book in a store and $15 to buy it online, the value of the network to that person is $10. If that applies to 1000 people, the network’s value is $10,000. If there are ten similar scenarios every work day, that is $100,000 per day. Knowing that there are 365 days in a year, with an average of 261 of them being work days, the network is potentially worth $26.1 million over the course of a year.

A minor addition to Beckstrom’s Law yields Beckstrom’s Law, Security Model: the value of a security initiative is equal to the benefit value of all transactions minus the cost of the security investments minus the amount of residual loss (in the form of lost productivity and corresponding manpower costs, lost revenue, labor cost to remediate, etc.).

V = B – SI – L

For example, if a car is worth $25,000 and a security alarm system costs $2500, and a thief attempts to break in but aborts his attempt after triggering the alarm, having caused $500 in damage to the car’s locks, the value of the security system is $22,000.

V = B – SI – L

V = $25,000 – $2500 – $500

V = $22,000

I applied this reasoning some years ago after doing analysis on a global company’s anti-virus systems. They were getting a high volume of viruses for a company of their size (approx. 2500 employees), with as many as 1000 per month in India alone; the US was substantially lower than that, and EMEA had nearly no virus occurrences. Virus occurrences that resulted in an offline scan or re-image took an average of 3 hours to remediate. Considering that the average salary for an employee at that company was $75 per hour including all benefits, and that both a help desk tech and the infected employee were involved, such incidents cost $450 each. Over the course of a year, 4500 such virus incidents occurred, representing over $2 million of labor costs in the form of lost productivity. If virus incidence could be reduced by 25%, it would be worth $500,000. Other residual losses such as missed deadlines and incomplete tasking were estimated at $5000 monthly.

Establishing forensics procedures to determine the root cause of these cases, i.e. how the infections were acquired, showed that there were four main ways that user equipment was infected.

  • Surfing of adult content (almost always off-premises where there was no web filter)
  • Use of torrents (80% Intellectual Property violation, 20% of content carries malware)
  • Use of thumb drives which had autoplay on them, often borrowed from others
  • Phishing

I needed a cost-effective way to enforce acceptable use to make those behaviors impossible on the corporate laptop. I found it in endpoint agents of the day: Kaspersky, Sophos, McAfee, and Checkpoint all had endpoint agents that had web filtering, application control, device control and AV in one installation.

  • Web filtering would prohibit adult content surfing even when off premises since the endpoint agent went with the laptop everywhere
  • Application Control would prevent torrents from being installed, and if they were already there, would prevent their execution
  • Device Control would disable autoplay on thumb drives
  • The agents were tamper-proof
  • I could procure my choice from a bake-off of these products at a negotiated licensing cost of $75,000 per year

For phishing training, I went with ThreatSim, a very economical solution at the time; ThreatSim was acquired by Wombat and is still available.

Applying everything to Beckstrom’s Law, expecting to reduce virus incidents by 25% as a result of deploying the endpoint agent, yields the following, including adjusted residual loss:

V = B – SI – L

V = $500,000 – $75,000 – $45,000

V = $385,000

That’s a decent ROI. What if you could see a 75% reduction in virus incidents?

V = B – SI – L

V = $1,500,000 – $75,000 – $15,000

V = $1,395,000

The value proposition for the endpoint agent was extremely compelling, and is even more so today, with contemporary offerings such as Cylance, CrowdStrike, and especially Carbon Black. Beckstrom’s Law can be applied to any security initiative: professional security consulting, managed security services, SOC implementations, formal incident response plans. When an initiative is stated as a positive value proposition, you should have predictable success in getting it approved.


Dave Rickard is the Technical Director for CIPHER US.
