Companies are increasing their spending on cyber-security tools, but are not confident that these investments are actually making their infrastructure more secure. A study conducted by the US-based RAND Corporation and sponsored by Juniper Networks presents a heuristic economic model that maps the major factors and decisions influencing the cost of cyber-risk to organizations. In the process, it projects that the cost to businesses of managing cybersecurity risk will increase nearly 40 percent over the next ten years.
The report, titled The Defender’s Dilemma: Charting a Course Toward Cybersecurity, is based on interviews with chief information security officers (CISOs) on the current and emerging threat landscape. It examines the economic drivers for attackers and the sophisticated underground black market they’ve created to scale their efforts.
According to Juniper Networks CISO, Sherry Ryan, “The security industry had struggled to understand the dynamics that influence the true cost of security risks to business.”
She believes what’s clear is that in order for organizations to turn the table on attackers, they need to orient their thinking and investments toward managing risks in addition to threats.
Security teams need a way to help better understand the economics of managing security risk, the range of variables implicated, and what investments should be made to more efficiently protect infrastructures.
The report claims there are several factors that companies should consider as they evolve their security postures.
First, many security tools have a half-life and lose value over time. The firm said attackers are constantly developing countermeasures to new detection systems, such as sandboxing. This dynamic ultimately drives up the amount companies must spend on security technologies to maintain the same level of protection.
Secondly, it is unclear whether the Internet of Things (IoT) will have a positive or negative impact on overall security costs. If companies struggle, IoT would increase losses due to cyber-attacks by 30 per cent over 10 years.
Thirdly, investing in the workforce saves costs over time. Organizations with high skill levels are able to curb the costs of managing security risk by 19 per cent in the first year and 28 per cent by the tenth year when compared to other organizations with low diligence.
The study also says there is no one-size-fits-all approach, and the report states that companies are possibly not employing the optimal economic strategy with their investments.
The report stated that if the frequency of software vulnerabilities could be reduced by half, the overall cost of cyber security to companies would decrease by 25 percent.
Source: CXO Today