Agencies have a finite amount of resources; answering this question involves a resource allocation decision. Finding the optimal level of investment is key.
Few decision makers doubt that a strong cybersecurity posture is crucial for private and public-sector organizations alike. Companies and individuals rely on the Internet to an extent that was unimaginable even 20 years ago. And as recent breaches into both government and corporate databases make clear, the consequences of failing to protect digital assets are severe.
Navigating through the myriad cybersecurity products and services available is a challenge unto itself. How can leaders make the best decisions about protecting their organizations? How much should organizations invest in cybersecurity?
Here is an economics-based framework to consider when building an organization’s cybersecurity strategy, based on the concept of resource allocation. Remember these 3 A’s to uncover the right level of investment.
Analyze potential losses
The first step is to consider what the organization stands to lose if cybercriminals breach its defenses. Public-sector organizations that are responsible for maintaining large databases of individuals’ personal identifying information, for example, stand to incur significant costs to repair a breach, compensate individuals for their stolen information, and restore the organization’s reputation.
Assess the probability of occurrence
How likely is a breach at the organization? Are external forces or internal threats a greater concern? What is the organization’s current cybersecurity posture relative to its digital assets?
Allocate resources appropriately
Finally, conduct a cost-benefit analysis to identify how much certain cybersecurity investments will cost and how much the organization stands to gain from their implementation. When the expected benefits exceed the expected costs, the analysis supports the decision to make additional cybersecurity investments. The optimal level of cybersecurity investment is the point at which there is an equal balance between the expected costs and the expected benefits.
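The three steps can be carried through with numbers. The sketch below is an added illustration, not part of the original article: the loss figure, breach probability, control names, costs, and risk-reduction percentages are all constructed, and it assumes each funded control reduces the remaining breach probability multiplicatively.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float     # expected cost of the investment
    risk_reduction: float  # fraction by which it cuts breach probability

def allocate(loss, probability, controls):
    """Fund controls while expected benefit exceeds cost.

    Assumption: each funded control multiplies the remaining breach
    probability by (1 - risk_reduction), so later controls act on a
    smaller residual risk and deliver a smaller benefit.
    """
    funded, remaining = [], list(controls)
    while remaining:
        expected_loss = loss * probability  # steps 1 and 2 combined
        def net(c):
            return expected_loss * c.risk_reduction - c.annual_cost
        best = max(remaining, key=net)
        if net(best) <= 0:  # benefit no longer exceeds cost: stop investing
            break
        funded.append((best.name, round(expected_loss * best.risk_reduction)))
        probability *= 1 - best.risk_reduction
        remaining.remove(best)
    return funded, probability

# Constructed sample figures, not taken from any real organization.
LOSS_IF_BREACHED = 4_000_000   # step 1: analyze potential losses
BREACH_PROBABILITY = 0.10      # step 2: annual probability of occurrence
CONTROLS = [
    Control("Network monitoring", 90_000, 0.40),
    Control("Multi-factor authentication", 40_000, 0.50),
    Control("Security training", 30_000, 0.30),
]

if __name__ == "__main__":
    funded, residual = allocate(LOSS_IF_BREACHED, BREACH_PROBABILITY, CONTROLS)
    for name, benefit in funded:
        print(f"fund {name}: expected benefit ${benefit:,}")
    print(f"residual breach probability: {residual:.3f}")
```

With these figures, network monitoring would pay for itself if evaluated alone (an expected benefit of $160,000 against a $90,000 cost), but once the other two controls are funded its expected benefit falls to $56,000, so the allocation stops there.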
Not all cybersecurity investments are equal. With these three practical steps, every program executive can make better decisions when it comes to investing in cybersecurity.
Contact Herren to learn more about how we can help analyze potential losses, assess the probability of occurrence, and allocate resources appropriately.