A Cost-Benefit Analysis Approach to Cyber Security

When it comes to cyber security, there are no guarantees. Uncertainty is a natural and unavoidable feature of the risk landscape. After all, the game is always changing, and you never know what threats are lurking around the next corner.

This was never more true than in 2020, when COVID-19 disrupted the way organisations worked and prompted a growing reliance on technology — creating vulnerabilities that translated into an increase in cyber-attacks. 

Protecting your organisation’s network is all about taking calculated risks and reducing threats. That’s why, in addition to making the right investments, a smart cyber security and threat mitigation strategy should account for uncertainty by emphasising agility and supporting continual assessment.

But how can you ensure that you’re making space for uncertainty in your strategy, as well as communicating its importance to the board? In most cases, the best way is through embarking upon a thorough cyber risk assessment and cost-benefit analysis.

Suggested reading: If you need help explaining cyber security to leadership, check out our free toolkit — Board Presentation Template: Cyber Security and Threat Management.

What is Cost-Benefit Analysis in Cyber?

Cost-benefit analysis (CBA) is a method used to evaluate a project by comparing its losses and gains — essentially a quantified and qualified list of pros and cons. CBA is a useful way to assess business projects because it reduces the evaluation complexity to a single price figure. As you can imagine, this makes CBA an invaluable tool when it comes to explaining the intricacies and selling the value of a robust cyber security strategy to key stakeholders.

Pro tip: Today’s executives report being more open to new cyber security strategies than ever before. In 2020, 50% of executives said that they were willing to consider cyber security as a factor in every business decision (compared to only 25% the previous year). Use this as an opportunity to build foundations that will help create a sustainable and safe future. 

Pay Now or Pay Later — The Cyber Security Dilemma

One of the most important things to emphasise in your CBA is the inherent trade-off between paying to prevent a mess versus paying to clean up a mess. In 2020, attacks cost governments and businesses a whopping $1 trillion — that’s 1% of global GDP. For individual companies, the average cost of a single data breach stood at $3.6 million. While UK insurers now offer cover for ransomware demands — relieving some of the financial pressure on businesses — the ‘hidden’ costs of an attack can still have a devastating effect on operations and a company’s bottom line. For instance:

• In 2020, organisations spent an average of approximately £2.9 million pounds recovering from security incidents, while the average lifecycle of a breach (from occurrence to containment) spanned 11 months.
• Nearly 80% of companies experienced downtime due to cyber security incidents.
• Lost business costs (including customer turnover and the effects of reputational damage) accounted for approximately 40% of the average total cost of a data breach, reaching an all-time average high of $1.52 million in 2020.

Of course, investing in preventative cyber security measures also comes at a cost. In 2020, global spending on cyber security reached an estimated $123 billion. By 2022, this number is on track to top $133 billion.

With that said, there is no reliable way to measure a ‘typical’ cyber security budget, as spending varies from business to business and industry to industry. A Gartner report indicates that the average company spends anywhere from 1% to 13% of its IT budget on cyber security. In the often-targeted financial service sector, that figure stands at around 10%. Amongst large enterprises, 50% spend at least $1 million on cyber security each year, with another 43% spending at least $250,000. 

Despite these variations, one thing remains crystal clear: for most businesses, the cost of prevention pales in comparison to the cost of a breach. 

Getting Started with a Risk Assessment

If you’re serious about proving the value of investing in a strong, agile cyber security system to stakeholders, the best place to begin is with a risk assessment. A cyber security risk assessment is about identifying your business priorities, determining the risks you are willing to accept and comparing those with the benefits.

Undergoing a risk assessment requires you to answer key questions, such as:

• What are your most important IT assets?
• How does your organisation collect and store its data?
• What are your vulnerabilities, both internal and external?
• What specific threats (malware, hackers, system disasters, human error, etc.) do you face?
• What’s the likelihood of your organisation falling victim to a cyber-attack?
• How might a cyber-attack or data breach affect your business financially, operationally and reputationally?
• What level of risk is your organisation willing to accept?

The answers to these questions will form the foundation of a robust strategy — and they’ll also give you the information you need to complete a CBA so that you can more persuasively sell this strategy to the board. 

Applying a Cost-Benefit Analysis to Your Risk Assessment

Remember, applying a CBA to your risk assessment is all about determining the risks you are willing to accept and comparing the costs of those risks against the benefits. This involves thinking about the direct and indirect risks you face, as well as the direct and indirect costs that could arise as a result of taking these risks. Examples of each include:

• Direct costs: Ransom payments, or expenditure associated with identifying, mitigating and quarantining a threat. 
• Indirect costs: Downtime, operational disruption, reputational damage, time and internal resources, and legal and non-compliance fees. 

It’s helpful to think about both direct and indirect factors when applying a CBA to your risk management strategy. For instance, you might compare:

• The cost of business income disruption (direct) and lost productivity (indirect) due to a ransomware attack vs the cost of preventing a data breach by investing in an endpoint security system.
• The cost of operational disruption (direct) and a decrease in future revenues (indirect) vs the cost of preventing an attack by investing in building an in-house team.

Much of a CBA involves coming up with options that you could undertake to achieve your project’s objectives — so you’ll want to keep breaking things down and playing with various risks, costs and outcomes. For instance, you might look at the costs vs benefits of factors like:

• Varying timescales for executing the strategy, or different components of the strategy.
• Various budgets for the project. The NIST Cyber Security Framework and the Gordon-Loeb Model can be helpful here — for example, they reason that organisations should generally spend less than 37% of the expected loss from a cyber security breach on the preventative/strategic budget.
• The costs of outsourcing cyber security services vs achieving them in-house.
• The potential costs of protecting individual data assets and vulnerabilities vs the cost of these assets being breached.

Strategising effectively is all about placing risk within the context of your own business and its unique appetite for risk. However, you’ll probably start to see a pattern emerge: preventative cyber security measures usually more than pay for themselves — particularly if approached in a cost-effective way. 

Pro tip: To really highlight a cyber security strategy’s value to stakeholders, you might also find it helpful to include a ‘do nothing’ or ‘do minimum’ option.

Doing More with Less

At the end of the day, you should always be looking for the most effective way to deliver the outcomes you need. There is generally a cost/benefit trade-off between investment and risk. However, not all investments are equally costly.

For example, endpoint security systems partnered with managed detection response (MDR) services, such as those we offer at Six Degrees, are a great paired solution that delivers increased security and agility at limited cost. MDR and endpoint is also an ideal response to the challenges created by remote working and remote access that are likely to define much of 2021 and beyond. 

To learn more, read What is MDR?

Simply put, upfront investment with strategic partners delivers more robust security outcomes than the alternatives. One of the greatest benefits of forming a strategic partnership with a managed service is that they provide access to economies of scale, allowing you to sidestep the cyber security skills shortage. 

In addition to delivering on-demand talent, working with a service provider enables you to:

• Develop a more flexible, iterative and future-proof approach to cyber security.
• Gain access to insider threat intelligence and risk insights.
• Stay focused on core business competencies.

Pro tip: Full protection is never guaranteed. In the unfortunate event of an attack or failure, savvy management and effective response can significantly reduce the impact on your business — another instance of the benefit outweighing the cost. 

Preventative Action Can Be Cheaper  

Risk management is all about managing uncertainties. When it comes to preventing costly attacks, there’s significant value to be found in investing upfront in order to avoid paying a higher price later. 

Ultimately, cyber security is a journey, not a destination. Any investment you make should be agile and flexible enough to meet both current and future demands. Six Degrees offers the capabilities and expertise you need to ensure business continuity in 2021 and beyond. 

Ready to learn more about how we can keep your business secure? Get in touch today!