This research aims to show a possible model for a decision making approach for cybersecurity investment in Small and Medium Enterprises (SMEs).
The scope of cyber attacks on organizations is endless, but the budget isn't. In fact, according to a report published by Deloitte and NASCIO, 75.5% of CISOs cited insufficient budget as the major challenge in their job to protect their organizations from attacks. SMEs are commonly heavily restricted by the available funding for cybersecurity. Nonetheless, SMEs' CISOs need to figure out how to protect their enterprise with a budget that can't cover all their vulnerabilities.
There are two aspects of the costs the enterprise will have to bear when implementing a security strategy, namely:
- The direct cost of the particular defense, and
- The impact that defense will have on the business, i.e. either on the operation system, or the users of the system.
The direct (1) and indirect (2) costs represent the core of the decision-making protocol invented by the researchers during the research.
The research investigated only commodity cyber threats against SMEs, where attackers are using known and available attack vector against a defendable vulnerability. Zero-day attacks were excluded from the protocol. Researchers took into consideration the fact that defenders aim to defend every vector possible, as attackers may use them.
The defense provided by optimal restricted budget allocation can only be as strong as the defense of the weakest target. The weakest target will probably be the preferred attack vector by the attacker, who can potentially attack if any attack vector exists. Therefore, it is important to build a model that takes into consideration not only costs but also the differentiation between attack vectors.
The model is based on 6 main properties that formulate the sub-properties between them, namely:
- Different security controls – for example, patch management.
- The direct cost of each control implementation (explained above).
- The indirect cost of the control implementation (explained above).
- The level the control implemented – controls can be implemented at different levels. However, the higher the level, the greater the control implemented.
- The depth of the data asset - this refers to the importance of the data asset the organization may lose in a commodity attack. The higher the depth, the more confidential data this asset holds.
- Potential business damage – besides data theft, other damages caused by cyber attacks may accrue such as business disruption, and reputation damage.
The model describes the interaction between two players: the defender (D), and the attacker (A). D has an available cybersecurity budget (B) that she needs to invest in implementing cybersecurity controls to protect her commodity from cyber attacks.
The cybersecurity plan she will eventually build will depend on how many different control types and implementation levels can be combined in a proportional manner (considering data depth and potential damage), in order to mitigate vulnerabilities.
The model is flexible, thus allowing the defender to use mixed strategies in different ways to adjust to different requirements. In order to illustrate it, let us consider this example:
Taking, for example, a security control entitled 'Vulnerability Scanning and Automated Patching'. Let's assume that there are 5 different implementation levels i.e. [0,1,2,3, and 4,] where level 2 equals regular scanning and level 4 real-time scanning. A mixed strategy [0,0,0.7,0,0.3] determines this: 0.3 real-time (level 4) is for the 30% most important devices (considering data depth and potential damage), while 0.7 regular scanning (level 2) is for the remaining 70% of devices.
This 'mixed strategy' model encourages trying to define where in the system it is most effective to implement the control. This definition process will be part of a risk assessment methodology where a logical ordering of the most important devices is done. The importance is based on the perceived risk of the device or the user. Taking this approach will usually lead to protecting the devices at the highest depth with the strictest controls where possible, then assessing lower leveled controls to devices or users that operate at lower depths. A good approach will often be to order users and devices specifically for each control based on vulnerability, instead of having a logical ordering across the organization for all controls (without any separation).
SANS Top 20 Critical Security Controls case study:
A case study attack was built from a set of CVEs and CWEs which a conventional SME networked system would be expected to face, as well as several social engineering-based attacks. The controls used in this case study were derived from the SANS Top 20 Critical Security Controls and covered several types of defensive strategy such as:
- Security software
- System configuration
- Policy development
- Network security tools
- Administration tools
- Education and training
Several solutions were suggested according to several budget sizes. The direct costs of each control were normalized, as each organization has different configuration of system term and sizes. Indirect costs were categorized into: 1. System performance: reduction in speed or capability of the system to perform. 2. User morale: the impact of the control on the behavior of the system's user. 3. Retraining: additional requirements from users of the system to be able to use this control.
Smallest budget best strategy:
The optimal solution for low budgets suggests implementing Patch Management and Network Firewalls at level two (control implementation level) with Anti-Malware and Secure Configurations at the most basic implementation level. In addition, it is recommended to implement an Incident Response Policy which, despite some minimal effects, covers predominantly social engineering targets, but still has a small cost.
Medium budget best strategy:
The optimal solution here will be to implement Anti-Malware and Secure Configurations in the same fashion as the smallest budget solution. Patch Management should be implemented at the highest level such that it would be performed on demand. Patches should be checked on a daily basis and implemented as soon as possible. In addition, Account Management Control on a yearly inventory logging is also recommended. The implementation recommends a strict account management control system that limits the potential of misuse of accounts and escalation of privileges or access to sensitive data. Additionally, Web Application Firewalls should be added to Network Firewalls. Using this solution, Incident Report Handling control is not necessary, as its addition has too minimal an impact to justify the costs. Two other controls implemented in the solution are Automated Inventory Scanning and basic Intrusion Detection Systems.
Biggest budget best strategy:
The optimal solution here also relies on medium and smallest budget solutions with several changes. This solution recommends implementing Network Firewalls at a lower level while maintaining a strict implementation of Web Application Firewalls. In addition, Inventory Management tools are now implemented at a higher level, moving from yearly inventory logging to weekly. The optimal solution now recommends using Intrusion Prevention Systems instead of Intrusion Detection Systems, which operate to cover more vulnerabilities than Network Firewalls, but are more costly to implement. Another additional control suggested is a yearly User Education and Training which is used to improve several social engineering-based attacks.
The results from the experimentation show some consistency regarding the basic controls that should be implemented on every budget level. In all the cases, the implementation of a rigorous Patching policy is recommended where possible, as well as Anti-Malware, Firewalls and Secured Configurations. The main conclusion of this model case study is that a combination of all of these four controls covers each vulnerability in the case study to some degree. This means that by increasing the level of any one of those controls, an observable reduction of damage to the system is guaranteed. Taking into consideration the indirect costs of each control, the implementation of an additional control will only serve to reduce the impact of the vulnerability by a fraction of its maximum efficiency, while its costs will remain the same. That means that after certain values, it becomes more costly to the organization to implement the control rather than to bear the additional risk that they might have mitigated by doing that.