Bills vs. Risks. How much is your cyber security worth?
How much cyber risk do you have?
Every day I never miss the chance to read once again a quote painted on our office wall from Lord Kelvin, a favorite of Bailey Controls founder E. G. Bailey, who meant to inspire the engineers and scientists he employed. It reads: “When you can measure what you are speaking about, and express it in numbers, you know something about it; when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind.”
This applies today to people who make decisions or recommendations about managing the cyber security risk to their operations. These individuals are often I&C engineers or DCS specialists who, with years of experience and training, manage and maintain complex processes using sophisticated controls. How do they measure and analyze cyber risk? Not very well, because they don’t have the instrumentation or training to do so. Relying only on intuition and common sense puts them at an extreme disadvantage when making risk assessments and mitigation decisions.
I surveyed 170 OT engineers and asked them to identify the greatest cyber threat to operations. Slightly over half cited “malware infected thumb drive or removable media.” When I advised some of them that we can solve this problem with a $50,000 investment, the common responses were “that is too much” or “we don’t have budget for that.” They made a decision on behalf of the organization to “accept” this cyber risk with a meager and unsatisfactory knowledge of it.
Another example of a risk decision commonly made without measurement or analysis is the frequency of applying Microsoft security patches to servers and clients. Which scenario poses the greater risk to operations: relying on a server with known operating-system vulnerabilities, or applying a patch to a production system? 70% of the respondents cited unpatched servers, yet the same audience admitted to patching once every 7-12 months. Their perception of risk was obviously not aligned with that of the decision maker.
Engineers have the foundation of critical thinking necessary to become skilled risk analysts. With the proper tools and training, they can have a framework for analyzing cyber risk in a very credible fashion and provide better recommendations to management, increasing their value to the organization.
A plant manager has limited resources available to address the many business and risk issues on his plate. To make well-informed decisions, he needs accurate information in business terms (financial) to weigh cyber risk against other issues that may affect reliable operations. He needs to know the answer to the questions “how much cyber risk is there?” and “how much less cyber risk will there be if I invest in the recommended security controls?”
Are the answers to these questions quantitative in nature and expressed in financial metrics? If not, the information used to make cyber risk-management decisions is of the “meager and unsatisfactory kind.”
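To show what a quantitative answer to those two questions looks like, here is a small worked model added to this post (not part of the original article). It puts the thumb-drive control and the patch-interval decision from the survey into annualized-loss terms; every rate and dollar figure in it is a constructed assumption for illustration, not measured data.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    incidents_per_year: float   # annual rate of occurrence (ARO), an assumption
    loss_per_incident: float    # single loss expectancy (SLE) in USD, an assumption

    def annual_loss(self) -> float:
        # Annualized loss expectancy: ALE = ARO x SLE
        return self.incidents_per_year * self.loss_per_incident


def control_net_benefit(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Risk reduction bought by a control, minus what the control costs, per year.
    A positive value means the control is expected to pay for itself."""
    return before.annual_loss() - after.annual_loss() - annual_control_cost


def annual_patch_cycle_cost(interval_months: float, exposure_cost_per_month: float,
                            cost_per_patch_event: float) -> float:
    """Expected annual cost of patching every `interval_months` months.
    Model (an assumption): vulnerabilities arrive uniformly, so the average age of the
    unpatched backlog is half the interval, and exposure cost grows with that age;
    each patch event carries its own expected outage cost on the production system."""
    events_per_year = 12.0 / interval_months
    exposure = 12.0 * exposure_cost_per_month * (interval_months / 2.0)
    return exposure + events_per_year * cost_per_patch_event


def best_patch_interval(candidates, exposure_cost_per_month, cost_per_patch_event):
    """The candidate interval with the lowest total expected annual cost."""
    return min(candidates, key=lambda m: annual_patch_cycle_cost(
        m, exposure_cost_per_month, cost_per_patch_event))


# Constructed figures: one removable-media infection every two years costing $400,000 in
# lost production, cut to one in twenty years by a $50,000 control amortized over five years.
THUMB_DRIVE_BEFORE = Scenario("removable media, no control", 0.5, 400_000)
THUMB_DRIVE_AFTER = Scenario("removable media, with control", 0.05, 400_000)
CONTROL_ANNUAL_COST = 50_000 / 5
# Constructed figures for patching: $2,000 per month of backlog age, $6,000 per patch event.
PATCH_EXPOSURE_PER_MONTH = 2_000
PATCH_EVENT_COST = 6_000

if __name__ == "__main__":
    print(f"net benefit of the control: ${control_net_benefit(THUMB_DRIVE_BEFORE, THUMB_DRIVE_AFTER, CONTROL_ANNUAL_COST):,.0f}/yr")
    for months in (1, 3, 6, 9, 12):
        print(f"patch every {months:2d} months: ${annual_patch_cycle_cost(months, PATCH_EXPOSURE_PER_MONTH, PATCH_EVENT_COST):,.0f}/yr")
    print("lowest-cost interval:", best_patch_interval((1, 3, 6, 9, 12), PATCH_EXPOSURE_PER_MONTH, PATCH_EVENT_COST), "months")
```

Under these assumed inputs the $50,000 control returns far more than it costs each year, and the 12-month patch cycle the respondents admitted to is the most expensive of the candidate intervals; the point is that the answer changes with the inputs, which is exactly why they must be measured rather than guessed.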