Pervasive and costly cyber attacks are the new normal for all businesses. According to the IBM Cost of a Data Breach Report 2023, 83% of surveyed organizations had experienced more than one data breach.
In this new reality, organizations are recognizing that minimizing breach damage is just as important as breach prevention. As a result, security leaders and the senior leadership team that holds buying authority are looking at cybersecurity investments through new and sometimes conflicting lenses.
Security leaders, focused on defense-in-depth strategy, continuously seek solutions to wrangle their organization’s ever-evolving attack surface, and vet technical solutions accordingly. On the other hand, business-focused stakeholders, conscious of mounting cybersecurity investments, are using new criteria to approve or authorize security purchases.
The recent Change Healthcare ransomware attack is an extreme example of the polarity of cybersecurity investments and their ultimate value, particularly when factoring in breach costs.
With more than $3 billion in revenue, Change Healthcare is one of the nation’s largest healthcare payment management providers. The company handles billions of transactions and sensitive patient data across the U.S. healthcare system. Undoubtedly, Change Healthcare would employ a comprehensive cybersecurity tech stack to guard against threats and have an expansive team of security professionals to manage it.
Yet the Change Healthcare breach is projected to be one of the most damaging ransomware attacks on the U.S. healthcare industry with a confirmed $22 million ransomware payment and a recovery bill projected to cost more than $1 billion.
Ransomware attacks are complex, but they’re often initiated using rudimentary or low-tech techniques. In the case of the Change Healthcare attack, it’s been reported that compromised credentials allowed attackers to remotely access a Change Healthcare Citrix portal that wasn’t protected by multi-factor authentication (MFA).
Despite millions of dollars in cybersecurity tools and resource investments, basic attack techniques are leading to expensive incidents.
Justifying New Cybersecurity
Investments for Breach Prevention
Ensuring and maintaining a robust defense-in-depth strategy requires staying ahead with new technology investments, especially given the rising sophistication of attackers and the ineffectiveness of many standard detection and response tools against ransomware and the rudimentary techniques that they’re using for primary access.
For most organizations, cybersecurity leaders must navigate the reality of limited resources and budgets. Now, not only do they need to justify the security benefits of new technologies but also demonstrate a positive return on security investment (ROSI) for these investments for their business-focused stakeholders.
According to Gartner, IT budgets are increasing, with software spending projected to grow by 13.7% and IT services spending expected to rise by 8.8% in 2024.
Yet, while budgets grow, the purchasing process is changing. For example, today’s security leaders face new purchasing barriers that go beyond technical vetting and require making a business case, which justifies the spending while defining the likelihood of a breach event occurring.
The IBM Cost of a Data Breach Report 2023 revealed that the average cost of a data breach across all industries soared to $4.45 million — a paltry figure when compared to Change Healthcare breach costs, but still a figure that can be business-altering or worse, business-ending for most organizations.
However, the U.S. average cost of breach is significantly higher at $9.48 million. Recovery costs vary widely and include service disruptions, system downtime, financial losses, compliance penalties and legal fees.
Despite clear risks and real-world headlines, stakeholders with a business-oriented mindset may remain skeptical of generalized breach probabilities, as they may not accurately reflect their organization’s specific risk profile. Metrics and standardized tools offer a quantitative means to evaluate the investment in new technologies while aligning it with anticipated risks.
Applying Annual Loss
Expectancy to Quantify Risk
Annual Loss Expectancy (ALE) is actively used in risk assessments and is gaining traction in cybersecurity investment decision-making. ALE quantifies the potential financial ramifications of security investments over a defined timeframe.
ALE is a methodology that aids in the identification and prioritization of security threats by assigning a tangible monetary value to anticipate the annual costs associated with specific security breaches. It helps security leaders build a robust business case around potential technology investments, especially when there may be a perceived overlap or redundancy in existing technologies or investments.
An enhanced ALE calculation factors in a business’s risk tolerance and profile, effectively quantifying the potential risks in the event of a breach. This involves assessing the costs associated with various risk scenarios and gauging their likelihood of occurrence within a given period, considering the efficacy of current security measures.
The ALE value establishes a benchmark for evaluating whether the organization’s control costs align with or surpass the ALE baseline. It also projects annual potential losses, providing insight into the value proposition of security investments, and aiding business stakeholders in endorsing risk mitigation strategies.
The process of calculating ALE involves aggregating the monetary expenses associated with individual security incidents (like a ransomware attack) and multiplying them by the anticipated annual probability of occurrence.
For example: ALE = ARO x SLE
Where:
- ALEis the Annual Loss Expectancy
- AROis the Annual Rate of Occurrence, which represents the estimated frequency of a particular type of security incident occurring throughout the year
- SLE is the Single Loss Expectancy, which represents the estimated financial loss resulting from a single occurrence of the security incident
- SLE is derived from: SLE = AV (Assets Value) X EF (Exposure Factor), exhibiting the expected loss of an asset from a single security incident
This approach helps organizations make informed decisions related to cybersecurity investments while bolstering their resilience against potential threats. The formula serves as a cornerstone for assessing and prioritizing security risks, offering a tangible representation of the expected annual costs associated with specific security incidents.
Tailoring ALE with Organizational Context
While the concept appears straightforward, the application of ALE in every organization demands a nuanced understanding of its unique risk tolerance and profile. This includes weighing the potential costs of various risk scenarios against the likelihood of occurrence within a given timeframe, considering the effectiveness of existing security measures.
An enhanced ALE value not only provides a benchmark for evaluating control costs, but also underscores whether these expenses align with or surpass the ALE baseline. Tailoring ALE to an organization’s context takes several additional factors into account:
- Defining the Value at Risk involves identifying the organization’s most critical data and applications.
- Assessing the current array of security controls in place.
- Evaluating the efficacy of existing controls, with particular emphasis on practical testing methods like red teaming or regular penetration testing to validate their real-world effectiveness.
By incorporating these considerations, organizations can refine their understanding of ALE and leverage it to effectively bolster their cybersecurity posture while optimizing how resources and budget are allocated.
When faced with an ever-changing threat landscape and continuously evolving attack surface more isn’t more when it comes to cybersecurity investments. Applied ALE is a strategy that can empower security leaders with a balanced approach to defense-in-depth planning and business-minded practicality.
About the author: Brad LaPorte, chief marketing officer at Morphisec and a former Gartner analyst, is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the U.S. military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as attack surface management (ASM), extended detection and response (XDR), digital risk protection (DRP) and the foundational elements of continuous threat exposure management (CTEM). His approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak — industry firsts.