Recently, as noted in a Wall Street Journal article, two profs at the Univ. of Maryland School of Business took a stab at developing a model to help executives “determine the optimal level of investment to protect a given set of information.”
The short answer is: no more than about one-third of the expected cost of the breach. Moreover, they suggest, it doesn’t always pay to spend the biggest amounts to protect the information deemed most vulnerable, as most companies do. Sometimes, that cost is just too high. The professors, Lawrence Gordon and Martin Loeb, recommend instead investing in protection for information that is less vulnerable. They suggest a four-step approach they say has proven useful in sorting this all out:
1. Estimate the potential loss from a security breach for each key set of information you hold. At the least, categorize as Low, Medium or High Value.
2. For each set, estimate the likelihood it might be stolen based on your perception of both probability and vulnerability, from Low Threat/Vulnerability to High Threat/Vulnerability. To combine the two factors, rate each on a scale of 1 to 10 and multiply the two numbers. Thus, you might consider any combined score below 30 to be Low, and any above 70 to be High. It’s a rough guess, so treat it accordingly. Note that highly vulnerable data of little interest to a hacker, or highly interesting but not vulnerable info, both fall into the Low threat category.
3. Create a simple grid with all the possibilities from Low Value – Low Threat/Vulnerability through High Value – High Threat/Vulnerability. Plot your data sets on the grid to get a picture of where the greatest potential losses lie, not just in terms of cost, but also in terms of likelihood.
4. Focus spending where you can reap the largest net benefits – where the least money will produce the biggest reduction in potential loss.
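The four steps above, carried through in code as an added example (this is not the professors’ model or anything from the article; the sample data sets, the Low/Medium/High value thresholds, the protection costs, and the way the 1–100 threat score is turned into an expected breach cost are all constructed assumptions):

```python
"""Worked example of the four-step cost-benefit triage described above.

Sample data and thresholds are constructed for illustration; the only
figures taken from the article are the 1-10 ratings, the 30/70 threat
cut-offs and the one-third spending cap.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class InfoSet:
    name: str
    potential_loss: float   # step 1: estimated loss if breached (constructed, USD)
    probability: int        # step 2: 1-10, how likely someone goes after it
    vulnerability: int      # step 2: 1-10, how exposed it currently is
    control_cost: float     # cost of the proposed protection (constructed)
    reduction: float        # fraction of expected cost the protection removes (constructed)


def value_band(potential_loss):
    """Step 1: bucket the potential loss. The dollar thresholds are assumptions."""
    if potential_loss < 100_000:
        return "Low"
    if potential_loss < 1_000_000:
        return "Medium"
    return "High"


def threat_score(probability, vulnerability):
    """Step 2: combine the two 1-10 ratings by multiplying them (range 1-100)."""
    for rating in (probability, vulnerability):
        if not 1 <= rating <= 10:
            raise ValueError("ratings must be between 1 and 10")
    return probability * vulnerability


def threat_band(score):
    """Step 2: the article's cut-offs, below 30 is Low and above 70 is High."""
    if score < 30:
        return "Low"
    if score > 70:
        return "High"
    return "Medium"


def expected_cost(info):
    """Assumption: treat the 1-100 threat score as a rough percentage likelihood."""
    return info.potential_loss * threat_score(info.probability, info.vulnerability) / 100


def spending_cap(info):
    """The one-third rule: spend no more than about a third of the expected cost."""
    return expected_cost(info) / 3


def build_grid(sets):
    """Step 3: map each (value band, threat band) cell to the data sets in it."""
    grid = defaultdict(list)
    for s in sets:
        cell = (value_band(s.potential_loss),
                threat_band(threat_score(s.probability, s.vulnerability)))
        grid[cell].append(s.name)
    return dict(grid)


def prioritize(sets):
    """Step 4: rank affordable protections by expected-loss reduction per dollar.

    A protection whose cost exceeds the one-third cap is dropped even when it
    guards the most vulnerable data; a cheap control on less vulnerable data
    can then come out on top, which is the point the article makes.
    Returns (name, benefit per dollar, net benefit) tuples, best first.
    """
    ranked = []
    for s in sets:
        if s.control_cost > spending_cap(s):
            continue
        benefit = expected_cost(s) * s.reduction
        ranked.append((s.name, round(benefit / s.control_cost, 2),
                       round(benefit - s.control_cost)))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


# Constructed sample inventory; every number here is made up for the example.
SAMPLE = [
    InfoSet("customer_db", 2_000_000, 9, 9, 400_000, 0.8),
    InfoSet("hr_records", 500_000, 6, 5, 50_000, 0.5),
    InfoSet("marketing_plans", 80_000, 2, 9, 5_000, 0.6),
    InfoSet("source_code", 3_000_000, 8, 10, 1_200_000, 0.9),
    InfoSet("patent_drafts", 1_500_000, 5, 4, 40_000, 0.5),
]

if __name__ == "__main__":
    for cell, names in sorted(build_grid(SAMPLE).items()):
        print(f"{cell[0]:>6} value / {cell[1]:>6} threat: {', '.join(names)}")
    for name, per_dollar, net in prioritize(SAMPLE):
        print(f"{name:<16} {per_dollar:5.2f} per dollar, net {net:,}")
```

With the sample numbers, `source_code` sits in the High Value / High Threat cell but its protection costs more than a third of the expected breach cost, so it drops out, while `patent_drafts` (High Value but Low Threat) ranks first on benefit per dollar.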
Since it turns out that, in the majority of cases, security breaches have a comparatively small financial impact on companies, that is all the more reason to use this kind of cost-benefit analysis to allocate finite resources.
Lastly, remember, it’s a framework, not a cure-all. It’s not a magic formula, it’s just “a complement to sound business judgment.”
The full text of an article describing the professors’ thinking can be found in the Sept. 26th edition of the Wall Street Journal.
[Picture credit: John Fay, May, 2011, www.electronici9.com ]