5. The Approach to Cybersecurity: Cyber Risk Management 99

Figure 5.1 Cybersecurity tradeoffs showing different methods to authenticate users.

No solutions in the lower-right quadrant (high cost and weak cybersecurity) should be pursued. It is likely that a lower-cost alternative exists that would provide the same level of security, or a same-cost alternative exists that would provide better security, so it does not make sense to choose such a solution. Bad cybersecurity solutions are prevalent, however, because while costs are easy to compare, the relative security benefits of technology products are not. This makes the job of cybersecurity even more difficult.

Some organizations adopt a follow-the-leader strategy. To follow the leader means choosing the same cybersecurity solutions that a peer organization in the same sector uses. One incentive to adopt this strategy is that if an organization experiences an incident due to a poor cybersecurity choice, it can argue that “everybody else is doing it” as a way to provide cover. Following the leader can be a good tactic for under-resourced organizations if they choose an appropriate leader to follow. However, this strategy can also be chosen out of laziness, to save the work of investigating solutions, and it can cause poor cybersecurity practices to proliferate and create misconceptions of cybersecurity effectiveness.

Making these risk calculations (how much cybersecurity is enough?) and understanding these tradeoffs (are the extra costs worth it?) is central to cybersecurity risk management. Network and systems administrators, who care most about cybersecurity, are naturally pitted against their organization’s management, who care most about profits, and employees, who care most about getting their work done as quickly and easily as possible. Especially at the beginning of the cyberspace era, in most commercial businesses the trade-offs resulted in lower costs and poorer cybersecurity.
This is understandable because productivity is paramount: productivity leads to revenue, and if businesses do not make a profit, they do not stay in business. However, more recently businesses have started to realize the costs associated with poor cybersecurity. Businesses are a major target for hackers, and successful attacks cost businesses a significant amount of money. For example, if a business suffers a cyber at-