The New Economics of Defense: First-of-its-Kind Heuristic Model Assists European Companies to Make Smart Security Investments
RAND Corporation Model Projects a 38 Percent Increase in Cybersecurity Costs Over the Next 10 Years
- Many Security Tools Have a Half-Life and Lose Value: Attackers are constantly developing countermeasures to new detection systems such as sandboxing or anti-virus technologies. This dynamic ultimately drives up the amount companies must spend on security technologies to maintain the same level of protection. RAND’s model projects that over 10 years the effectiveness of technologies that face countermeasures falls by 65 percent. Companies must carefully evaluate the new tools they invest in, choosing those not prone to countermeasures, and focus on improving security management, automation and policy enforcement across the corporate network.
- The Internet of Things (IoT) is at a Crossroads: According to RAND, IoT will have an impact on overall security costs; however, it’s unclear if it will be positive or negative. If security technologies and management are properly applied to IoT, companies could actually see savings in the long run. On the other hand, if companies struggle to apply security controls effectively, RAND’s model suggests that the introduction of IoT would increase the losses that companies experience due to cyber-attacks by 30 percent over the course of 10 years.
- Investing in the Workforce Leads to Fewer Costs Over Time: Companies can benefit greatly from making people-centric security investments, such as technologies that help automate security management and processes, advanced security training for employees, and hiring additional security staff. According to the RAND model, organizations with very high levels of security diligence are able to curb the costs of managing security risk by 19 percent in the first year and 28 percent by the tenth year when compared to organizations with very low diligence.
- There is No One-Size-Fits-All: Companies are likely not following the optimal economic strategy with their investments, which should vary greatly from company to company based on their size, the type of information that exists and the diligence of their security staff. Specifically, RAND found that small to medium-sized businesses benefit most from basic tools and policies, while large organizations and high-value targets require investments in a full range of policies and tools given the likelihood that they will be targeted by an advanced attack.
- Eliminating Software Vulnerabilities Leads to Major Cost Reductions: RAND’s model found that one of the most significant security issues increasing the cost to businesses is the number of vulnerabilities in the software and applications being used. If the frequency of software vulnerabilities could be reduced by half, the model projects that the overall cost of cybersecurity to companies would decrease by 25 percent.
- RAND Report: The Defender’s Dilemma: Charting a Course Toward Cybersecurity
- Juniper’s Point of View: The Economics of Defense: Modeling Security Investments Against Risk in an Era of Escalating Cyber Threats
- Juniper Networks RAND Insights Page: https://www.juniper.net/uk/en/insights/rand2015
- Juniper’s Interactive Interpretation of RAND’s Economic Model: Understanding the Economics of Cyber Defense
- Blog & Graphic: Why CISOs Should Care About the RAND Corporation’s New Cybersecurity Research by Sherry Ryan
- Blog: From Anecdotes to Patterns: The Emergence of a Cyber Defense Cost and Risk Model by Rebecca Lawson
- Blog: Talk with Customers about the Cost of Security by Matt Hurley