Haruki Murakami had running on his mind when he wrote, "Pain is inevitable. Suffering is optional." For many in cybersecurity, the inevitability of painful security issues is followed by the suffering of finding the right language to fully describe the consequences. The question is whether there are accurate ways to talk about security pain without restricting the language to "dollars lost" and "records exposed."
When cybersecurity experts are asked whether dollars and records are enough to paint a full picture of the pain a breach or cyberattack inflicts, most say "no." Coming up with a consistent set of alternatives, though, is challenging.
"This is a difficult question because misery comes in many forms during a breach," says Bob Maley, chief security officer at NormShield. In addition, he asks, "How do you quantify misery?"
Some of the most common ways executives try to quantify their misery can be misleading, says Joseph Carson, chief security architect at Thycotic. "Every time there's a new data breach, we tend to focus on the wrong context. Sometimes the number of records is irrelevant," he maintains, explaining, "Not all data breaches are equal."
An example of a cybersecurity incident that's severe but difficult to measure with these two standard metrics is a credential breach at an online dating service.
Ameya Talwalkar, co-founder and chief product officer at Cequence, points out that these credentials could then be used to launch romance scams against the site's customers. The customers, who might be somewhat emotionally fragile to begin with, find someone, strike up a "relationship" and then have their trust broken when the new contact asks for money, receives it, then disappears.
"There's a significant unmeasured and untalked-about emotional toll there," says Talwalkar, followed by the victim's reluctance to continue using the site. It is impossible to measure the aggregate total of what might have been if not for a significant credential breach, he says, but it's still critically important to take such effects into account.
No records lost doesn't mean no cost
The case against using the number of compromised records as the sole metric for a cybersecurity event is strengthened when the event doesn't involve any records at all.
Mary Galligan, managing director of cyber risk services for Deloitte & Touche, says that attacks against operational systems cause pain, too. "A disruption to service or loss of service means that there would be other metrics that would matter," she says.
Galligan continues, "You would have to take into account the cost of whether there is going to be an increase in my insurance premiums. Is there going to be a loss of customer relationships? Is there going to be lost contract revenue? Is my company's name going to be of less value in the marketplace?"
Another example: Talwalkar described a small banking organization whose web-facing patient portal was hit by a bot swarm bent on credential stuffing. The problem wasn't that the attacks were succeeding — it's that there were so many of them.
The bank, Talwalkar says, had sized its application delivery infrastructure to comfortably handle a million session logins per day — a rate that seemed prudent given the company's customer base. The bots, though, began hitting the server with more than 40 million login attempts per day.
The result, he says, is that "Your application becomes unavailable, which means your real customers are not able to do business by the application." And if the executives panic and order an infrastructure sized to handle the 40 million daily attempts, they've sized the system some 40 times larger than should be required — and paid a large price for doing so.
Being able to answer these difficult-to-quantify questions is especially important for companies that live within rigorous regulatory domains, Galligan says.
"If you're in financial services, it's the Fed or the FDIC saying, hey, we need to have standard definitions of the cyber risk." Other regulated industries, such as healthcare, have similar concerns with different regulators.
Galligan says that her meetings show her that the executive boards of companies both large and small are desperate to find ways to talk about cybersecurity pain, with or without metrics. She points to an existing cybersecurity framework that can help with the conversation.
"The majority of the companies and institutions are talking about it in the context of the NIST framework," Galligan says. The NIST Cybersecurity Framework is mandatory for most federal government departments and agencies to follow, and completely optional for private entities. In addition to prescriptive sections on how to protect various assets and parts of the infrastructure, the NIST Framework has standard labels and metrics that can be used in planning, post-mortems, and discussions with partners on cybersecurity.
Maley refers to the work of the FAIR cyber risk framework as one that can help organizations figure out the proper metrics and the most powerful ways to discuss them. The FAIR (Factor Analysis of Information Risk) framework has been adopted by thousands of organizations from Fortune 500 down to small companies that may not even have a dedicated cybersecurity team.
Regardless of the size or nature of the business, Galligan says that every board and IT team has something in common: "You're going to have to make these business decisions with incomplete or at times inaccurate information," she says. The sheer speed of cybersecurity incidents makes them unlike any other consistent threat businesses have faced.
The result, she says, is "...something that can't be quantified, and I don't know if it'll ever be able to be quantified: the stress and the pressure and the long tail of the cyber breach that these executives go through."