Spending cybersecurity budget- research based model

This research aims to show a possible model for a decision making approach for cybersecurity investment in Small and Medium Enterprises (SMEs).

The scope of cyber attacks on organizations is endless, but the budget isn't. In fact, according to a report published by Deloitte and NASCIO, 75.5% of CISOs cited insufficient budget as the major challenge in their job to protect their organizations from attacks. SMEs are commonly heavily restricted by the available funding for cybersecurity. Nonetheless, SMEs' CISOs need to figure out how to protect their enterprise with a budget that can't cover all their vulnerabilities.

There are two aspects of the costs the enterprise will have to bear when implementing a security strategy, namely:

The direct cost of the particular defense, and
The impact that defense will have on the business, i.e. either on the operation system, or the users of the system.

The direct (1) and indirect (2) costs represent the core of the decision-making protocol invented by the researchers during the research.

The research investigated only commodity cyber threats against SMEs, where attackers are using known and available attack vector against a defendable vulnerability. Zero-day attacks were excluded from the protocol. Researchers took into consideration the fact that defenders aim to defend every vector possible, as attackers may use them.

The defense provided by optimal restricted budget allocation can only be as strong as the defense of the weakest target. The weakest target will probably be the preferred attack vector by the attacker, who can potentially attack if any attack vector exists. Therefore, it is important to build a model that takes into consideration not only costs but also the differentiation between attack vectors.

Model definition:

The model is based on 6 main properties that formulate the sub-properties between them, namely:

Different security controls – for example, patch management.
The direct cost of each control implementation (explained above).
The indirect cost of the control implementation (explained above).
The level the control implemented – controls can be implemented at different levels. However, the higher the level, the greater the control implemented.
The depth of the data asset - this refers to the importance of the data asset the organization may lose in a commodity attack. The higher the depth, the more confidential data this asset holds.
Potential business damage – besides data theft, other damages caused by cyber attacks may accrue such as business disruption, and reputation damage.

The model describes the interaction between two players: the defender (D), and the attacker (A). D has an available cybersecurity budget (B) that she needs to invest in implementing cybersecurity controls to protect her commodity from cyber attacks.

The cybersecurity plan she will eventually build will depend on how many different control types and implementation levels can be combined in a proportional manner (considering data depth and potential damage), in order to mitigate vulnerabilities.

The model is flexible, thus allowing the defender to use mixed strategies in different ways to adjust to different requirements. In order to illustrate it, let us consider this example:

Taking, for example, a security control entitled 'Vulnerability Scanning and Automated Patching'. Let's assume that there are 5 different implementation levels i.e. [0,1,2,3, and 4,] where level 2 equals regular scanning and level 4 real-time scanning. A mixed strategy [0,0,0.7,0,0.3] determines this: 0.3 real-time (level 4) is for the 30% most important devices (considering data depth and potential damage), while 0.7 regular scanning (level 2) is for the remaining 70% of devices.

This 'mixed strategy' model encourages trying to define where in the system it is most effective to implement the control. This definition process will be part of a risk assessment methodology where a logical ordering of the most important devices is done. The importance is based on the perceived risk of the device or the user. Taking this approach will usually lead to protecting the devices at the highest depth with the strictest controls where possible, then assessing lower leveled controls to devices or users that operate at lower depths. A good approach will often be to order users and devices specifically for each control based on vulnerability, instead of having a logical ordering across the organization for all controls (without any separation).

SANS Top 20 Critical Security Controls case study:

A case study attack was built from a set of CVEs and CWEs which a conventional SME networked system would be expected to face, as well as several social engineering-based attacks. The controls used in this case study were derived from the SANS Top 20 Critical Security Controls and covered several types of defensive strategy such as:

Security software
System configuration
Policy development
Network security tools
Administration tools
Education and training

Several solutions were suggested according to several budget sizes. The direct costs of each control were normalized, as each organization has different configuration of system term and sizes. Indirect costs were categorized into: 1. System performance: reduction in speed or capability of the system to perform. 2. User morale: the impact of the control on the behavior of the system's user. 3. Retraining: additional requirements from users of the system to be able to use this control.

Hardening IT infrastructure-servers to applications

Smallest budget best strategy:

The optimal solution for low budgets suggests implementing Patch Management and Network Firewalls at level two (control implementation level) with Anti-Malware and Secure Configurations at the most basic implementation level. In addition, it is recommended to implement an Incident Response Policy which, despite some minimal effects, covers predominantly social engineering targets, but still has a small cost.

Medium budget best strategy:

The optimal solution here will be to implement Anti-Malware and Secure Configurations in the same fashion as the smallest budget solution. Patch Management should be implemented at the highest level such that it would be performed on demand. Patches should be checked on a daily basis and implemented as soon as possible. In addition, Account Management Control on a yearly inventory logging is also recommended. The implementation recommends a strict account management control system that limits the potential of misuse of accounts and escalation of privileges or access to sensitive data. Additionally, Web Application Firewalls should be added to Network Firewalls. Using this solution, Incident Report Handling control is not necessary, as its addition has too minimal an impact to justify the costs. Two other controls implemented in the solution are Automated Inventory Scanning and basic Intrusion Detection Systems.

Biggest budget best strategy:

The optimal solution here also relies on medium and smallest budget solutions with several changes. This solution recommends implementing Network Firewalls at a lower level while maintaining a strict implementation of Web Application Firewalls. In addition, Inventory Management tools are now implemented at a higher level, moving from yearly inventory logging to weekly. The optimal solution now recommends using Intrusion Prevention Systems instead of Intrusion Detection Systems, which operate to cover more vulnerabilities than Network Firewalls, but are more costly to implement. Another additional control suggested is a yearly User Education and Training which is used to improve several social engineering-based attacks.

The results from the experimentation show some consistency regarding the basic controls that should be implemented on every budget level. In all the cases, the implementation of a rigorous Patching policy is recommended where possible, as well as Anti-Malware, Firewalls and Secured Configurations. The main conclusion of this model case study is that a combination of all of these four controls covers each vulnerability in the case study to some degree. This means that by increasing the level of any one of those controls, an observable reduction of damage to the system is guaranteed. Taking into consideration the indirect costs of each control, the implementation of an additional control will only serve to reduce the impact of the vulnerability by a fraction of its maximum efficiency, while its costs will remain the same. That means that after certain values, it becomes more costly to the organization to implement the control rather than to bear the additional risk that they might have mitigated by doing that.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Spending cybersecurity budget- research based model

Model definition:

SANS Top 20 Critical Security Controls case study:

Smallest budget best strategy:

Medium budget best strategy:

Biggest budget best strategy:

Subscribe to Email Updates

You might be interested

Experience a personalized demo