Amid Divisive Politics, Cybersecurity Endures as a Bipartisan Priority

With the 2024 U.S. Presidential election exposing opposing views seemingly on every imaginal issue including campaign spending, U.S. citizens seem more divided today on economic and social issues than since the Civil War. However, one glaring exception to this divide is the importance of cybersecurity in an interconnected digital world of communication systems.

In fact, the previous four U.S. Presidents have emphasized the importance of cybersecurity to the national and economic security of the United States.

The following bears this out.

• President Bush initiated in 2003 “The National Strategy to Secure Cyberspace” focusing on protecting the U.S. critical infrastructure that is essential to the country’s national and economic security.
• President Obama in 2013 issued Executive Order 13636, tasking NIST (National Institute for Standards and Technology) with developing a cybersecurity risk management framework within one year.
• President Trump in 2017 issued Executive Order 13800, requiring federal government agencies to use the cybersecurity risk management framework developed by NIST for managing cybersecurity.
• President Biden in 2021 issued a statement during Cybersecurity Awareness Month stating that: “Cyber threats can affect every American, every business regardless of size, and every community. That’s why my administration is marshalling a whole-of-nation effort to confront cyber threats.”

Therefore, organizations, from private companies to government agencies, should prepare to effectively and efficiently keep pace with evolving Federal Government cybersecurity mandates and guidelines, which will surely continue in either a Harris or Trump Administration.

On one hand, such prioritizing is good news for those grappling with the problems associated with cybersecurity. Unfortunately, the frequency and magnitude of cyber-attacks are increasing at an exponential rate, which can make the task seem daunting. And even if fully achievable, 100% cybersecurity from a cost-benefit perspective would rarely, if ever, be justified—regardless of the advances in such technologies as AI.

Nonetheless, an organization can cost-effectively manage cyber risk. The Gordon-Loeb Model approach to cybersecurity investment decisions has been widely praised and cited by practitioners and academicians alike. 

Grounded in mathematics, but easy to understand and use, the model is designed to provide tailored insights for any organization with three major components: (1) an estimate of the maximum loss that could result from a successful cyber-attack, (2) an estimate of the probability that a successful cyber-attack will take place, and (3) an estimate of the way additional spending on cybersecurity-related activities will reduce the probability that a successful cyber-attack will occur.

Working effectively within this framework is achievable by following seven steps:

1) Identify cyber risk sources. These sources can be broken down into various categories.  There are internal and external threats, as well as potential vulnerabilities that are the basis for cyber risk. Identifying these threats and vulnerabilities is not only a logical place to start the process of managing an organization’s cyber risk, it also will help to frame an approach for addressing an organization’s cyber risk.

2) Estimate the likelihood (i.e., probability) of experiencing a breach. Of course, any single point estimate of the probability of a cyber breach is just that—an estimate of one possibility from a probability distribution. Thus, rather than estimating a single probability, a range of probabilities could be considered.

3) Estimate the maximum cost of a breach. Here again, a point estimate of the maximum cost resulting from a cyber-attack is just that—an estimate of one possible cost. Thus, rather than estimating a single cost, a range of costs could be considered.

4) Compute the expected loss to the organization if a breach occurs. This step involves multiplying the probability of a cyber breach (derived from Step 2) by the estimate of the maximum cost to the organization resulting from a cyber breach (derived from Step 3). Where a range of probabilities of potential cyber breaches is considered, and a range of potential costs associated with a cyber incident are estimated, a simulation around these numbers could be conducted to derive a more accurate estimate of the expected loss.

5) Consider how much your organization should invest in additional cybersecurity-related activities to reduce the probability (or range of probabilities) of a breach. This step entails comparing the additional benefits derived from reducing the expected loss from a cyber incident to the additional costs incurred due to an increased investment in cybersecurity. In other words, a cost-benefit analysis of the appropriate amount to invest in cybersecurity-related activities needs to be conducted. This step results in reducing an organization’s cyber risk at a cost. Alternatively, organizations can transfer some of their cyber risk at a cost (e.g., via cybersecurity insurance). Either way, the appropriate amount to spend on reducing and-or transferring cyber risk needs to be viewed from a cost-benefit perspective.

6) Have a recovery plan in place. Since 100% cybersecurity is neither technically possible nor economically desirable, organizations need to be prepared to respond to a cyber breach before experiencing such a breach. Two key ingredients to a successful recovery plan are flexibility and speed of response time.

7) Conduct a review of your organization’s process of managing cyber risk. If your organization experienced a cyber incident, it is important to fully understand how the cyber incident occurred, the damage caused, and the pros and cons of the response to the incident. Whether a cyber incident occurred or not, it is important to assess alternative ways the organization could improve its process of managing cyber risk. Most importantly, the review needs to be used as a learning tool for the next cycle of managing cyber risk.

Of course, the specifics associated with each step in the process will vary depending on a variety of organizational-specific factors. And although not a panacea, applying the Gordon-Loeb Model, combined with effective oversight of the entire process, provides an effective, cost-benefit framework for managing cyber risk.

Stay Ahead of the Financial Curve with Our Latest Fintech News Updates!