October 5, 2017 By Rick M Robinson 2 min read

When things go wrong with computer systems and networks, whether due to ordinary mishaps or malicious actors, the organizations that rely on those systems and networks are put at risk. They may suffer direct financial losses, reputational damage or both, with effects ranging from inconvenience to total loss and liquidation of the enterprise.

Understanding these hazards and their consequences is what risk analysis is all about. It may seem obvious, but too many organizations — and even security professionals — have lost sight of the importance of risk management. They are often so focused on efforts to describe security expenditures in terms of return on investment (ROI) that they fail to adequately account for risks. Security ROI computations tend to be meaningless without the proper context of a risk analysis.

The Challenges of Risk Analysis

In most cases, according to Errata Security, organizations “don’t have a sophisticated enough risk matrix in order to plug in some ROI numbers to reduce cost/risk.” Instead, the risk assessment numbers on which an ROI computation is supposedly based are often generated by outside vendors or security engineers with little basis in reality.

This challenge is particularly acute because security risks are moving targets driven by malicious actors. In industries such as energy and utilities, risk analysis is relatively straightforward because the threats come almost entirely from accidental mishaps. These risks can be assessed and computed based on engineering experience.

In contrast, security risks depend on technological considerations, such as potential points of vulnerability, as well as the “whims and fads of the hacker community,” according to Errata Security. Because the technology is rapidly evolving and the ecosystem is deeply layered, risk assessment needs to consider not only vulnerabilities that exist now, but also new ones that may develop in the future.

The Architecture of Security

For these interrelated reasons, trying to encapsulate security spending needs in terms of ROI is an artificial exercise. The presentation may sound crisp and businesslike, but it is so full of hidden asterisks that it is essentially meaningless.

So what should guide security professionals and business leaders to help them determine the right level of spending on cybersecurity? Errata recommended thinking about security engineering as analogous to architecture — not computer architecture, but the concrete and steel kind. When designers plan a building, they know they will need to provide a certain number of bathrooms to accommodate the building’s users, a calculation that requires no ROI computation.

Security is not an obscure mystery. We know the basic things we need to do to protect our systems and networks against cyberthreats, and we know how to mitigate the effects of damaging attacks. We need to take action, not seek assurance from fanciful ROI computations.

Listen to the six-part podcast series: A CISO’s Guide to Obtaining Budget
