A Visual Tool for the Analysis of Cybersecurity Investments

State: completed by Can Ian

As businesses deepen their digital dependency, they also become more vulnerable to cyber threats. Therefore, besides the need for rapid innovation, decision-makers in cybersecurity (e.g., a network operator, a company owner, or an expert team) have to be able to implement robust cybersecurity mechanisms while managing the costs and risks associated with the business. Decision-making is usually defined as the set of activities involving the phases of problem recognition, search for information, definition of alternatives, and selection of a list of ranked preferences [1]. During cybersecurity planning, such activities involve (a) identifying cybersecurity risks and their associated costs, (b) determining the impacts of cybersecurity on the business or service, and (c) understanding the business requirements and the budget available for protection. Based on that, it is possible to estimate the overall impacts (e.g., the financial loss caused by a business disruption) in order to decide whether and how much to invest in cybersecurity. Such an overall estimation can be done using different approaches. For instance, the Return On Security Investment (ROSI) [2] offers a benchmark to determine when a specific investment in cybersecurity is recommended, based on the potential financial loss given an assessed risk.

Thus, decision-makers have to decide how to handle a possible or imminent threat. Among the different choices, the decision-maker can (a) proactively determine a plan to prevent cyberattacks and their impacts, (b) react against an imminent cyberattack, or (c) assume the risks, paying for the damage or delegating it to third parties (e.g., cyber insurers). In general, prevention is cheaper than reacting once an attack has already breached the infrastructure. If companies do not invest correctly in cybersecurity, the security of their operations depends on luck, and the impacts of attacks can be devastating, which is not acceptable for an organization that has a reputation to maintain [3].

This thesis aims to develop a visual tool (i.e., a web-based interface) that provides mechanisms through which decision-makers can analyze important aspects related to when and where to invest money directly related to cybersecurity. Different metrics and information [4] might be considered or proposed in order to provide insights that guide an adequate investment in cybersecurity. Besides, other visual resources might be explored in order to provide an overview of the business and the risks involved (e.g., calculating losses caused by business disruption and estimating the impact of different types of cyberattacks).
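As an added illustration (not part of the thesis description or of any existing tool), the following Python sketch shows the kind of calculation such a visual tool would perform: it derives the annual loss expectancy from an assessed risk, applies the ROSI formula of Sonnenreich et al. [2] to rank candidate investments, and reports the residual expected cost so that simply accepting the risk can be compared against investing. All monetary values, control names and mitigation ratios are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    """A candidate cybersecurity investment (all values constructed for illustration)."""
    name: str
    annual_cost: float       # what the control costs per year
    mitigation_ratio: float  # fraction of the expected loss it is assumed to prevent, in [0, 1]


def annual_loss_expectancy(single_loss_expectancy: float, annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO: expected yearly loss from the assessed risk (the cost of doing nothing)."""
    return single_loss_expectancy * annual_rate_of_occurrence


def rosi(ale: float, control: Control) -> float:
    """ROSI = (ALE x mitigation ratio - cost) / cost, as defined by Sonnenreich et al. [2]."""
    if control.annual_cost <= 0:
        raise ValueError("ROSI is undefined for a zero-cost control; compare it by residual loss instead")
    if not 0.0 <= control.mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must lie in [0, 1]")
    return (ale * control.mitigation_ratio - control.annual_cost) / control.annual_cost


def expected_annual_cost(ale: float, control: Control) -> float:
    """Total yearly cost of choosing a control: its price plus the loss it does not prevent."""
    return control.annual_cost + ale * (1.0 - control.mitigation_ratio)


def rank_controls(ale: float, controls: List[Control]) -> List[Tuple[str, float, bool]]:
    """Rank candidates by ROSI (highest first); an investment is recommended only when ROSI > 0."""
    scored = [(c.name, round(rosi(ale, c), 3), rosi(ale, c) > 0.0) for c in controls]
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    # Constructed scenario: a one-day outage costs 200k and is expected once every two years.
    ale = annual_loss_expectancy(single_loss_expectancy=200_000, annual_rate_of_occurrence=0.5)
    candidates = [
        Control("DDoS scrubbing service", annual_cost=20_000, mitigation_ratio=0.8),
        Control("Backup and DR upgrade", annual_cost=50_000, mitigation_ratio=0.6),
        Control("Oversized appliance", annual_cost=120_000, mitigation_ratio=1.0),
    ]
    print(f"Expected yearly loss if the risk is accepted: {ale:,.0f}")
    for name, score, recommended in rank_controls(ale, candidates):
        residual = expected_annual_cost(ale, next(c for c in candidates if c.name == name))
        print(f"{name:<24} ROSI={score:>7.3f}  total yearly cost={residual:>9,.0f}  "
              f"{'invest' if recommended else 'do not invest'}")
```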


[1] K. M. Eisenhardt, M. J. Zbaracki: Strategic Decision Making; Strategic Management Journal, Vol. 13, 1992, pp. 17–37.

[2] W. Sonnenreich, J. Albanese, B. Stout: Return On Security Investment (ROSI) - A Practical Quantitative Model; Journal of Research and Practice in Information Technology, Vol. 38, 2006, pp. 45–52.

[3] B. Rodrigues, M. F. Franco, G. Paranghi, B. Stiller: SEConomy: A Framework for the Economic Assessment of Cybersecurity; 16th International Conference on the Economics of Grids, Clouds, Systems, and Services (GECON 2019), Springer, Leeds, UK, pp. 1–9.

[4] G. Moraetes: Things to Consider When Calculating the Return on Security Investment, 2017, [Online] https://securityintelligence.com/things-to-consider-when-calculating-the-return-on-security-investment/, last visited January 2020.

30% Design, 60% Implementation, 10% Documentation
Cybersecurity basics, Python, Notions of web development

Supervisors: Muriel Figueredo Franco
