How much should companies spend on bolstering their cyber defences? Lawrence Gordon and Martin Loeb, both professors of accounting at the University of Maryland’s Smith School, are co-authors of an established model that helps companies to evaluate the best way to allocate their financial resources.
Companies with limited resources need to strike a balance between spending money on security and expenditure elsewhere. “At some point, the marginal benefits of spending on cybersecurity are reached,” Prof Gordon says.
Calculating the gains associated with increased security is problematic, given that cybersecurity is a cost-saving – rather than revenue-generating – project. “If you do the job right, you don’t see the benefits,” adds Prof Gordon. Estimates of losses or liabilities must be considered only when weighed against the likelihood of a cyber attack, he continues.
Their body of research – including a 2011 article in the Journal of Computer Security – has found that companies should focus their investment on protecting information relating to the greatest potential loss, rather than necessarily protecting the most vulnerable material.
The framework also illustrates that it is generally not worthwhile for companies to spend more than 37 per cent of the projected losses from any given cybersecurity breach on defences. “The savings [from limiting security spending] are often greater than the value of potential losses,” Prof Gordon concludes.
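The two findings above can be made concrete with the arithmetic of the published Gordon-Loeb model. The following is an added example, not code from the article or from the authors: it uses the model's "class II" security breach probability function S(z, v) = v^(αz+1), where v is an asset's vulnerability, z the investment and α a productivity parameter, and the asset names, loss figures and α are constructed for illustration. It checks that the optimal investment stays below 1/e (about 37 per cent) of the expected loss v×L, and ranks a highly vulnerable low-value asset against a less vulnerable high-value one.

```python
import math

# Gordon-Loeb "class II" security breach probability function, S(z, v) = v**(alpha*z + 1):
# v is the vulnerability (probability of breach with no investment), z the investment,
# alpha a productivity parameter. All parameter values below are constructed for illustration.

def breach_prob(z, v, alpha):
    """Probability of a breach after investing z in security."""
    return v ** (alpha * z + 1)

def net_benefit(z, v, loss, alpha):
    """Expected net benefit (ENBIS): expected loss avoided minus the investment."""
    return (v - breach_prob(z, v, alpha)) * loss - z

def optimal_investment(v, loss, alpha):
    """Closed-form maximiser of net_benefit for class II, floored at zero
    (no investment is worthwhile when the first unit spent saves less than it costs)."""
    # First-order condition: v**(alpha*z + 1) = -1 / (alpha * loss * ln v)
    z = (math.log(-1.0 / (alpha * loss * math.log(v))) / math.log(v) - 1.0) / alpha
    return max(z, 0.0)

def within_one_over_e(v, loss, alpha):
    """Check the model's headline bound: z* <= (1/e) * v * loss, i.e. ~37% of expected loss."""
    return optimal_investment(v, loss, alpha) <= v * loss / math.e

def rank_assets(assets, alpha):
    """Return (name, z*, net benefit at z*) per asset, highest net benefit first."""
    rows = []
    for name, v, loss in assets:
        z = optimal_investment(v, loss, alpha)
        rows.append((name, round(z), round(net_benefit(z, v, loss, alpha))))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample: a very vulnerable low-value asset versus a less vulnerable high-value one.
SAMPLE_ASSETS = [
    ("marketing site (v=0.7, L=500k)", 0.7, 500_000),
    ("customer database (v=0.3, L=3M)", 0.3, 3_000_000),
]
ALPHA = 1e-5

if __name__ == "__main__":
    for name, z, nb in rank_assets(SAMPLE_ASSETS, ALPHA):
        print(f"{name}: invest {z:,} for expected net benefit {nb:,}")
```

With these constructed figures the customer database, not the more vulnerable marketing site, attracts the larger and far more worthwhile investment, and both optima sit under the 1/e bound.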
Their research has received funding from the National Security Agency in the US, and the Department of Homeland Security awarded the pair a $666,000 grant at the end of last year.
According to Prof Gordon, this support stems from federal government concerns that private companies – which manage the majority of the country’s infrastructure – are not investing sufficient resources to counter growing online threats.