Companies making cybersecurity a greater priority, but hackers may still be gaining

Libicki and Ablon say several of the study’s findings surprised them. They found that it was the effect of a cyberattack on reputation — rather than direct costs — that worried most chief information security officers. It matters less what actual data is affected than the fact that any data is put at risk.

However, the process of estimating breach losses is not particularly comprehensive, and the ability to understand and articulate an organization’s risk from network penetrations in a standard, consistent manner does not yet exist — and may not exist for the foreseeable future.

RAND created a framework that portrays the struggle of organizations to minimize the cost arising from insecurity in cyberspace over a 10-year period. Those costs include the losses from cyberattack, the direct costs of training users, and the direct cost of buying and using cyber safety tools.

Additional costs also must be factored in, including the indirect costs of restricting employees from using their personal devices on company networks and the indirect costs of air-gapping — physically isolating a network, particularly a sensitive sub-network, from less trusted networks.

The RAND study includes recommendations for both organizations and policymakers. Organizations need to determine what needs to be protected and how strongly, which starts with knowing what machines are on the company’s network, what applications are running on them and what privileges have been granted. Employees’ desire to bring their own devices and connect them to the company network also can increase vulnerabilities.
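The privilege piece of that inventory can be audited mechanically. The following is an added example, not code from the RAND report or from Juniper: it reads Unix account data in passwd(5), group(5) and sudoers(5) formats and lists who holds root-equivalent power (UID 0 accounts other than root, members of privileged groups such as sudo and docker, and sudo rules granting ALL or passwordless commands). The sample account data is constructed, the set of groups treated as privileged is an assumption, and the sudoers parser handles only the common single-line rule form, not aliases, host lists or line continuations.

```python
import re

# Constructed sample data for illustration; not taken from any real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup:x:0:0:legacy backup account:/var/backups:/bin/sh
svc-build:x:1002:1002:CI build:/srv/build:/bin/bash
"""

GROUP = """\
root:x:0:
sudo:x:27:alice,svc-build
docker:x:998:bob
"""

SUDOERS = """\
# constructed sudoers fragment
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
svc-build ALL=(ALL) NOPASSWD: ALL
"""

# Assumption: membership in these groups is treated as root-equivalent
# (docker, for example, can mount the host filesystem into a container).
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "docker", "adm"}

# Matches the common one-line sudoers rule: who host=(runas) [TAG:] commands
SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+\S+=\(.*?\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_passwd(text):
    """Map user name -> numeric UID from passwd(5)-format lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _rest = line.split(":", 3)
        users[name] = int(uid)
    return users


def parse_group(text):
    """Map group name -> set of supplementary members from group(5)-format lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """Return (principal, nopasswd, commands) for each single-line sudoers rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if m:
            rules.append((m.group("who"), "NOPASSWD:" in m.group("tags"), m.group("cmds").strip()))
    return rules


def privilege_findings(passwd_text, group_text, sudoers_text):
    """Return sorted (user, finding) pairs for every non-root holder of root-equivalent power."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = set()
    for name, uid in users.items():
        if uid == 0 and name != "root":
            findings.add((name, "uid 0 account other than root"))
    for gname in PRIVILEGED_GROUPS.intersection(groups):
        for member in groups[gname]:
            findings.add((member, f"member of privileged group {gname}"))
    for who, nopasswd, cmds in parse_sudoers(sudoers_text):
        # A %group principal expands to that group's members.
        principals = groups.get(who[1:], set()) if who.startswith("%") else {who}
        for p in principals - {"root"}:
            if cmds == "ALL":
                findings.add((p, "sudo ALL" + (" without password" if nopasswd else "")))
            elif nopasswd:
                findings.add((p, f"passwordless sudo for {cmds}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in privilege_findings(PASSWD, GROUP, SUDOERS):
        print(f"{user}: {finding}")
```

Run against the constructed data, the report surfaces the stale UID 0 `backup` account and the `svc-build` service account that is both in the sudo group and granted passwordless `ALL`, which is exactly the kind of accumulated privilege an inventory is meant to expose before an attacker finds it.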

Libicki said most of the chief information security officers who were interviewed were not interested in government efforts to improve cybersecurity. However, the RAND researchers believe government could play a useful role. For example, a government guide outlining how systems fail — similar to guides for aviation and medical fields — could help build a body of knowledge to help educate companies with the goal of developing higher levels of cybersecurity.

The study, The Defender’s Dilemma: Charting a Course Toward Cybersecurity, can be found at www.rand.org. Timothy Webb also co-authored the report.

The release notes that support for the study was provided by Juniper Networks as part of a multiphase study on the future cybersecurity environment. The first study, Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar, examined the cybercrime black markets.

The study was conducted within the Acquisition and Technology Policy Center of the RAND National Security Research Division. The division conducts research and analysis on defense and national security topics for the U.S. and allied defense, foreign policy, homeland security and intelligence communities and foundations and other nongovernmental organizations that support defense and national security analysis.

— Read more in Martin C. Libicki et al., The Defender’s Dilemma: Charting a Course Toward Cybersecurity (RAND Corporation, 2015)