INVITATION TO CYBERSECURITY 100

tack, in addition to the direct damage done by the attack and the lost work and productivity, there will be costs to investigate the incident and remediate the damage, and potentially legal expenses as well. They may also have to pay fines if they were out of compliance with cybersecurity regulations, and on top of these costs they may suffer reputational harm that damages future business prospects. When businesses face this reality, they recognize that money spent on cybersecurity is actually money saved in the long run. As more organizations adapt to this reality, costs across industries rise, and those costs are passed on to consumers in the form of higher prices. So in the end, society bears the costs of cyber-insecurity, and it is a drain on the national economy.

Military and intelligence organizations prioritize cybersecurity over productivity. They are not driven to make a profit, a compromise of the data and systems they manage would threaten national security, and they are a major target for elite hackers. Therefore, they are more likely to take significant cybersecurity measures that end up high and to the right in Figure 5.1. One unfortunate side effect that can occur in this quadrant is that if cybersecurity becomes too burdensome for employees, they may undercut security to make it easier to do their jobs, potentially making the organization less secure despite the high costs. For example, these types of organizations may have strict and cumbersome password requirements with short password expiration periods. This may lead employees to write down their continually changing passwords and leave them where others could find them. Ironically, draconian password policies can increase other cybersecurity risks, like insider threats and evil maid attacks, and potentially reduce the organization’s overall cybersecurity posture.
In one real-world example, a photo taken inside a Hawaiian government agency in 2017 and published in a national news story exposed the password “Warningpoint2.” The password was written on a Post-it note stuck to a computer monitor in the background of the photo, and cybersecurity enthusiasts were quick to point out the poor practice.

Some cybersecurity measures are invisible to users and have no impact on employee productivity, like installing a high-quality rather than a low-quality lock on the server room door. Of course, the better lock costs more, so it sits relatively higher and further to the right in the diagram in Figure 5.1. This purchasing decision, too, involves a cost tradeoff.

5.3 The Cyber Risk Management Process

As we have seen, cybersecurity boils down to a risk calculation. There is no limit to the amount of resources that cybersecurity could consume, but every penny spent and every measure taken cuts into profits, so the big question is how cybersecurity expenses should be allocated and prioritized. To answer this question, organizations engage in the cyber risk management process. Cyber risk management is a detailed process of identifying cyber assets, enumerating how threats and vulnerabilities pose risks to those assets, analyzing the severity of the risks, and then choosing how to handle them. As discussed