While it's maybe too harsh to classify IT security and return on investment (ROI) as an oxymoron, it is fair to say that efforts to specify an ROI or return on security investment (ROSI) have fallen short of perfection, despite the best intentions of the industry.
It had seemed that risk might provide the right hook for understanding how security delivers positive financial returns. The concept of ROSI was about applying risk to ROI, but defining risk objectively or accurately is tricky. Indeed, risk analysis has sometimes seemed to rely on equations that multiply and divide a good deal of assumptions, guesswork and hunches.
Nonetheless, risk is critical to how we should evaluate security ROI, but we have tended to think of it more in relation to vulnerabilities than threats. But what is a threat? To be very clear, threats are a ‘who’. We too often talk about a threat as a piece of code, when we need to focus on the person(s) behind an attack and their capabilities and motives to do harm.
This was the trigger for the concept of adversary ROI, which Josh Corman of Akamai and I have formulated together and started to talk about publicly this year.
Let me explain. At the heart of adversary ROI is the simple idea that IT security professionals would benefit hugely from evaluating the perspectives of their adversaries and understanding their motivations. Adversaries want assets; vulnerabilities are merely a means to that end.
They don't care whether you spend one or ten per cent of your IT budget on security. As results-oriented individuals, what they care about is that they, not you, get a return on investment from an attack.
By seeking to manage vulnerabilities alone we risk missing the point of what drives IT security attacks. To an adversary, a new vulnerability is like a new product arriving on the market. There is a wave of adoption: it starts with early adopters, who might be nation states with plentiful resources; it peaks with the early and late majority, often organised criminals with a business mentality; and then it slowly falls away into the laggard stage, with script kiddies trying to squeeze out any final returns.
The problem for the IT security industry is that our defences depend mainly on vendor solutions, and we often don't recognise the long lag between an attack innovation and a vendor developing and delivering a countermeasure, during which the next wave of vulnerability exploitation strikes.
We need strategies that reduce the ROI of our adversaries. Taking an adversary's point of view, you need to weigh the value of the attack against the collective costs and risks it carries for them. With this in mind, we can formulate strategies and tactics that degrade our attackers' ROI.
There are some things that you can't really affect. Reducing the value of what is attacked is not an option (we want our assets to continue to gain in value), and the cost of getting caught is driven by regulation and law enforcement, which are largely outside your control.
Where we can affect the adversary's ROI is by raising the cost of the attack: increasing the work effort required of the adversary cuts into their returns. Equally, we can ensure that we have sufficient ability to respond to and recover from an attack quickly and robustly, taking the edge off the damage.
To do this correctly, your tactics need to be driven by your adversary. Adversaries clearly aren't all the same, either in the assets they target or in their skill sets, resources and motivations. For example, motivations aren't simply financial for all classes of adversary, and can include military, ideological, political and even prestige.
In many ways, the key question to ask is: which adversaries want which assets? This is where your organisation needs to get non-security executives involved and to ask not only what protected or sensitive information exists, but which adversaries are interested in it, and how each adversary would value it.
Notably this may differ significantly by adversary class. For example, a chaotic adversary will put greater value on how it can disrupt a company website for a long period, whereas organised crime would value customer data that can be monetised.
By combining analysis of who the most likely adversaries are, which assets they are likely to target, and their likely capabilities and motivations, you have the basis to re-align your IT security strategy with greater precision and to make better use of your own resources.
David Etue is vice president of corporate development strategy at SafeNet