Black Hat 2020: Security Needs Better Data for Better Policies
One thing that binds business leaders together, regardless of company size or industry, is that they have to make key decisions. From personnel choices to budget priorities, leaders are constantly examining data and deciding between different options.
But what if the information they’re basing their decisions on is skewed? What if it doesn’t take the right things into consideration? What if the data isn’t accurately represented?
That is exactly what is happening when it comes to security, according to research presented this week at Black Hat USA 2020. Virginia Tech University professor and Cyentia Institute co-founder Wade Baker said that some well-known cybersecurity statistics, such as the notion that 60 percent of small businesses close within six months of a data breach, are widely repeated despite the original source of the information being unclear. To put that number into perspective, he said that early studies have shown that up to 50 percent of small businesses have been forced to close as a result of the COVID-19 pandemic.
“So this, in a sense, is saying that a single cyberattack is more disastrous for a small company than months and months of lost business from COVID,” Baker said. “And you can see why this would potentially drive some policy changes.”
Baker and Cyentia senior data scientist David Severski detailed why organizations may not be looking at security data the right way, and how to change that to ensure that businesses leaders are making the right decisions.
Security Data Focuses on the Wrong Things
Presenting the cost of an average breach can be a good way to convince business leaders to take security seriously. However, that cost is often calculated on a cost-per-record model. That model is flawed, Severski said.
For example, a report released earlier this year calculated that cloud misconfigurations cost companies $5 trillion from 2018 to 2019. Severski said that while that may seem reasonable across 196 breaches and 33 billion records being exposed, it doesn’t necessarily make sense if you take it a step further.
“For instance, $5 trillion is 25 percent of the U.S. gross domestic product. That’s huge,” Severski said. “Speaking from a world economy perspective, that’s 3.5 percent of the global economy, or to put it into a different perspective, that is $1.5 trillion more than the U.S. spends on healthcare alone.”
Severski said that this number is calculated from an average cost per record of $150, but using that average doesn’t provide a clear picture because the costs of breaches vary too widely.
“It is very spread out,” said Severski, adding that while a cryptocurrency breach cost $50 million per record, another breach cost only 3 millionths of a cent per record.
“Taking $150 cost per record is flat-out wrong,” he said. “And actually, it greatly underestimates the cost of large breaches and overestimates the cost of small breaches.”
Those overestimates and underestimates can lead to ill-informed policies and priorities.
How Security Data Needs to Change
If the typical way breaches are assessed doesn’t show the whole picture, how should professionals be looking at security data? In their research, Severski and Wade found that changing the focus of the metrics is beneficial.
“We can say for the day that we have in our dataset of real, publicly disclosable breaches, the typical cost is about $200,000,” Severski said. “Now, if you compare that against the average loss, which is just taking all the losses and dividing it by the number of events that we have, we have an average loss of $19 million. And that’s saying that 9 out of 10 breaches are less than what is the average or typical loss here. So using a standard arithmetical mean, if you want to be fancy about it, or a typical average is a bad way of estimating losses.”
The goal isn’t to downplay cyberthreats, Severski said, but rather to better understand what that threat actually is. From there, business leaders can make better decisions for their organizations.
“We can actually do better,” he said. “This is a very exciting time in terms of where the industry is at a maturity level. Risk managers, policymakers, security researchers can do better than this.”
“We can create much better models and actually have much better policy decisions that are driving from these models,” Severski said.