Cybersecurity and the "Return on Negligence"
In a recently released Fairplay/BIMCO/ABS maritime industry survey, nearly half of the 237 respondents reported that their company's annual cybersecurity budget is less than $10,000. Another quarter reported a budget between $10,000 and $50,000, and ten percent of the respondents spend more than $250,000.
While the survey provided no correlation between expenditure and company size, it does raise the question of how an organization makes its spending decisions. Priority, of course, is given to those line items for which we get the most "bang for the buck." We are constantly asked by our managers, "What are we getting for this expenditure?" This is, of course, an indirect way of asking us to determine the return-on-investment (ROI) on every check that goes out the door.
We typically evaluate ROI in quantitative terms. A classic approach applied to cybersecurity would be to identify exploitable vulnerabilities, determine the potential cost if the vulnerability were to be exploited, and estimate how often we expect such an exploit to actually happen. In more formal terms, the Annualized Loss Expectancy (ALE) is the product of the Single Loss Expectancy (SLE) times the Annual Rate of Occurrence (ARO).
We would then try to determine what defenses or mitigations can be put in place to lower the SLE and/or ARO, and compare the cost of these controls to the new ALE. If the defense cost is greater than the savings in ALE, we would reject implementing this solution. Put another way, spending $5,000 to gain a $3,000 saving is a bad financial idea while spending $5,000 to save $30,000 is a great idea.
In today's environment, this traditional approach to justifying cybersecurity spending is a dangerous proposition. The first problem is accurately quantifying the SLE and ARO at all. The fact is, we don't actually know the real costs of protecting ourselves in cyberspace, and it's easy not to spend the $5,000 if you are able to convince yourself that your $30,000 asset isn't really at risk. Furthermore, we also need to consider intangibles such as reputation, customer and investor confidence, and the impact on supply chain partners as we try to quantify the value of the asset at risk.
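The ALE arithmetic and the $5,000-versus-$3,000/$30,000 comparison above, worked through as an added example (not from the article). It also computes the break-even ARO, which makes the point about talking yourself out of the spend concrete: the dollar figures are the article's, while the "one incident a year" and "one incident every ten years" rates are assumed inputs.

```python
"""Annualized Loss Expectancy (ALE) as used in classic security ROI.

ALE = SLE * ARO. A control passes the ROI test when the reduction in ALE
exceeds the control's annual cost. breakeven_aro() shows how small a change
in the (guessed) rate of occurrence is needed to flip that verdict.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    sle: float  # Single Loss Expectancy: dollars lost per incident
    aro: float  # Annual Rate of Occurrence: incidents per year (often a guess)

    def ale(self) -> float:
        """Annualized Loss Expectancy in dollars per year."""
        return self.sle * self.aro


def control_net_benefit(before: Scenario, after: Scenario, control_cost: float) -> float:
    """ALE saved by the control minus its annual cost. Positive means 'accept'."""
    return before.ale() - after.ale() - control_cost


def decide(before: Scenario, after: Scenario, control_cost: float) -> str:
    return "accept" if control_net_benefit(before, after, control_cost) > 0 else "reject"


def breakeven_aro(sle: float, control_cost: float, aro_after: float = 0.0) -> float:
    """The pre-control ARO at which the control exactly pays for itself.

    Solves sle * (aro_before - aro_after) == control_cost for aro_before.
    Any estimate below this value makes the ROI test reject the control.
    """
    return aro_after + control_cost / sle


if __name__ == "__main__":
    asset, control = 30_000.0, 5_000.0           # figures from the article
    no_risk = Scenario(sle=asset, aro=0.0)       # assume the control removes the risk
    yearly = Scenario(sle=asset, aro=1.0)        # assumed: one incident per year
    rare = Scenario(sle=asset, aro=0.1)          # assumed: one incident per decade
    print("ARO 1.0 :", decide(yearly, no_risk, control))  # $5,000 to save $30,000
    print("ARO 0.1 :", decide(rare, no_risk, control))    # $5,000 to save $3,000
    print("break-even ARO: %.4f incidents/year" % breakeven_aro(asset, control))
```

With the article's numbers the control is rejected as soon as someone estimates fewer than one incident every six years, which is exactly the kind of self-persuasion the text warns about.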
But the ROI approach is an erroneous way to think about cybersecurity. Cybersecurity is not a tangible asset and shouldn't be evaluated as an investment. We should instead be thinking about the return-on-negligence (RON), or the cost of doing nothing. This is a hard sell in many quarters. Remember the money and hours spent to prepare systems for the Y2K rollover 20 years ago? And then the outcry that global Y2K mitigation had cost an estimated $300-500 billion, after which nothing bad happened. There were pundits in the day actually arguing about how much less we might have spent to still have nothing bad happen, as if they were trying to quantify how much we overspent protecting our cyber assets. (By the way, have we heard much talk about the Year 2038 problem with embedded Linux systems or the next GPS Week Number Rollover Event in April 2019?)
Defending cyber assets is even more important and critical today than it was in the year 2000. So, what is the cost of doing nothing? Obviously, no company wants to be a headline for the wrong reasons. But besides embarrassment and a possible hit to customer confidence, there are real potential costs of a data breach, particularly as maritime organizations hold more and more personally identifiable information (PII), sensitive personal information (SPI), or personal health information (PHI). Under a California law that goes into effect in 2020, for example, consumers may be able to sue a holder of information for up to $750 for each breach of privacy, while the state attorney general can sue for intentional violations of privacy at up to $7,500 for each incident. This law will affect companies doing business in California that gross at least $25 million (or make more than 50% of their revenue by selling personal information), which would clearly include most maritime shipping lines as well as the large ports in that state. The EU's General Data Protection Regulation (GDPR) can place huge fines on any act deemed to be non-compliance, particularly if a breach can be shown to be due to negligence or the company has a history of personal data infringements; these fines can be up to €20 million or 4% of the company's global annual revenue.
And if these consequences are not sufficiently compelling, consider that the loss of intellectual property can put a company, particularly a manufacturer, out of business. And, most devastatingly, consider the potential impact on a shipping company or port if a cyberattack causes death, a very real possibility in the case of a vessel getting hacked.
Rather than approach cybersecurity as a return-on-investment, take the risk management approach. Ask questions such as: What are your cyber assets and where are the potential vulnerabilities? What is the likelihood of a vulnerability being exploited? What is the potential impact of an event? Note that you don't have to quantify these answers; in almost all cases, you can't accurately quantify them anyway. Triage your assets and vulnerabilities, and protect the most important ones first. You can't do everything at once, so make an orderly plan. And review the plan, update it, test it, and modify it, as necessary. There is a very old adage that there are no secure sites on the Internet, only vigilant ones.
One of the best cyber defenses is educating your employees, since many attacks begin with some form of social engineering, or human manipulation. The users of your systems need to know what suspicious activity looks like, and they need policies and procedures in place that encourage and support them when they question unusual events, such as out-of-the-ordinary requests that come in by email.
Many of the successful breaches in our industry have not even been targeted at any specific company; worms, ransomware, and other self-replicating malware merely move around the Internet finding systems that are susceptible, unpatched, or running out-of-date software (including the seemingly ubiquitous Windows XP). We need strong policies and procedures to ensure that every system is up-to-date, isolated, or removed from the network.
Advanced Persistent Threats (APTs) are a bigger concern. If an attacker is intent on breaking into a specific target, they will keep at it until they succeed. Vigilance is ever important, and this is another reason that all employees need to know how to notice suspicious activity.
Information sharing with others in the industry is becoming more important than ever before. Groups such as the Maritime and Port Security Information Sharing and Analysis Organization (MPS-ISAO) are essential for industry members to help protect each other and ourselves.
We can no longer concentrate just on keeping the bad guys out. We have to acknowledge that even the very best prepared get breached. The cost of protection, then, has to also include forensic readiness, incident response, business continuity, remediation, and recovery.
Nothing here is meant to suggest that you should have an infinite cyberdefense budget and just throw money at the problem. Indeed, you need a plan, you need to do basic Security 101 correctly, and you need to be smart. Focus on what you can control. And don't apply traditional ROI thinking to a non-traditional problem.
Gary C. Kessler, Ph.D., CISSP is a professor of cybersecurity at Embry-Riddle Aeronautical University (ERAU) in Daytona Beach, holds a USCG MMC, and is a cybersecurity and digital forensics consultant and educator. More information can be found at https://garykessler.net.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.