Are cyber-security risks:
- a genuine threat;
- the result of shoddy math; or
- a management consulting conspiracy?
Judging from recent articles, surveys and reports, the answer is "all of the above." There is a lot of confusion and incomplete and/or inaccurate information regarding cyber-security circulating out there.
Investigative reporter Seymour Hersh has argued that national cyber-risk threats are overstated, perhaps intentionally, by firms that make good money bolstering the country's cyber defenses:
"[T]he cartoonish view that a hacker pressing a button could cause the lights to go out across the country is simply wrong," Hersh writes. "There is no national power grid in the United States. There are more than a hundred publicly and privately owned power companies that operate their own lines, with separate computer systems and separate security arrangements. The companies have formed many regional grids, which means that an electrical supplier that found itself under cyber attack would be able to avail itself of power from nearby systems."
Does that mean that organizational cyber-security threats also may be overstated? Not judging from current estimates of cyber-crime-related consumer losses (north of $100 billion globally!) and some very real, embarrassing and expensive instances of cyber attacks on companies, such as Sony Corp. Yet, even Sony's experience indicates that the actual costs of these incidents are difficult to measure, as the company has adjusted its estimates of the cost ($170 million, possibly) downward on at least two occasions.
This uncertainty adds to the already intense complexity of organizational cyber risk management.
A recent op-ed column by two researchers (one of whom works for Microsoft) offers a perspective that risk managers should consider (even though the topic focuses on cyber crime that targets consumers).
The co-authors argue that there is a disconnect between the economics of cyber crime (extremely unfavorable, sort of like the unattractive economics of drug-dealing laid out in "Freakonomics") and conventional wisdom. Of course, much of our conventional wisdom about cyber crime comes from surveys. And that's a problem, as the co-authors assert:
"For one thing," they write, "in numeric surveys, errors are almost always upward: since the amounts of estimated losses must be positive, there's no limit on the upside, but zero is a hard limit on the downside. As a consequence, respondent errors -- or outright lies -- cannot be canceled out. Even worse, errors get amplified when researchers scale between the survey group and the overall population.
"Suppose we asked 5,000 people to report their cybercrime losses," they continue, "which we will then extrapolate over a population of 200 million. Every dollar claimed gets multiplied by 40,000. A single individual who falsely claims $25,000 in losses adds a spurious $1 billion to the estimate. And since no one can claim negative losses, the error can't be canceled."
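The extrapolation the co-authors describe, worked through in code as an added illustration (not from the op-ed): a constructed 5,000-respondent survey, the same survey with one false $25,000 claim, and, going a step beyond the op-ed, a capped variant that bounds how much leverage any single respondent can have over the scaled-up total.

```python
"""Model of the survey extrapolation the op-ed describes (added example)."""
from statistics import mean

POPULATION = 200_000_000   # population the op-ed scales up to
SAMPLE_SIZE = 5_000        # respondents in the op-ed's example


def scale_factor(sample_size: int, population: int) -> int:
    """Each respondent stands for population / sample_size people."""
    return population // sample_size


def extrapolate(losses, population: int) -> float:
    """Naive total loss: mean reported loss per respondent times population."""
    return mean(losses) * population


def spurious_contribution(false_claim: float, sample_size: int,
                          population: int) -> float:
    """Dollars a single false claim adds to the extrapolated total."""
    return false_claim * scale_factor(sample_size, population)


def capped_extrapolate(losses, population: int, cap: float) -> float:
    """Capped variant (an assumption here, not from the op-ed): clamp each
    claim to a plausibility ceiling before scaling, so no one respondent can
    add more than cap * scale_factor to the total."""
    return mean(min(x, cap) for x in losses) * population


# Constructed survey: 4,950 respondents report no loss, 50 report $200 each.
HONEST = [0.0] * 4_950 + [200.0] * 50
# Same survey with one "no loss" respondent replaced by a false $25,000 claim.
CONTAMINATED = HONEST[1:] + [25_000.0]


def demo():
    """Returns (honest total, contaminated total, capped contaminated total)."""
    honest_total = extrapolate(HONEST, POPULATION)              # $400 million
    contaminated_total = extrapolate(CONTAMINATED, POPULATION)  # $1.4 billion
    capped_total = capped_extrapolate(CONTAMINATED, POPULATION, cap=5_000.0)
    return honest_total, contaminated_total, capped_total


if __name__ == "__main__":
    for label, value in zip(("honest", "contaminated", "capped"), demo()):
        print(f"{label:>12}: ${value:,.0f}")
```

The one false claim moves the estimate from $400 million to $1.4 billion, exactly the $1 billion the co-authors compute, and because no respondent can report a negative loss nothing in the honest data can pull it back down.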
As any CIO or chief security officer will tell you, the estimates of business losses due to cyber crime parallel the surveys of consumer losses. That means any eye-popping numbers that an IT security vendor cites in the white paper he leaves with your CIO after a sales call ought to be treated with skepticism. But that does not mean that cyber risks are unreal or even overstated. The truth is that we don't know the extent of the risk. When risks are relatively immature, the best source of learning usually comes from emerging leading practices at other companies rather than staring at spooky survey data.
For example, when it comes to disclosing incidents of cyber attacks, here's how EMC addressed an incident (one that targeted its security division RSA) in an 8-K statement (a filing used to report important information to shareholders between quarterly reports):
"Like any large company, EMC experiences and successfully repels multiple cyber attacks on its IT infrastructure every day. Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.
"Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."
First, it's notable that EMC chose to use an 8-K to share this information; clearly, the company treated the attack as a serious issue that needed to be communicated to shareholders right away in the form of a letter from RSA chairman (and EMC executive vice president) Art Coviello. Second, Coviello's tone and style are instructive: he's clear on what occurred, what the company has learned about the impact of the attack and the actions it is taking in response. He's also brief and to the point.
CFOs, CIOs, security executives and risk officers should expect the information they collect on organizational cyber risks to come in a similar format. By doing so, they're more likely to help their companies distinguish genuine risks from inaccurate math.