As companies become more reliant on modern technology, they also face more vulnerabilities that must be handled efficiently. For most companies, it is obvious that adequate cybersecurity safeguards must be selected and implemented. In these processes, the trade-off between benefits and costs should always be considered. However, some costs are easily overlooked. For this reason, every decision maker who is responsible for selecting safeguards should be familiar with all relevant costs, including those that are not obvious.
On one hand, cybersecurity safeguards are strongly related to costs because money and other resources are needed for appropriate solutions. On the other hand, missing safeguards can lead to breaches and subsequent countermeasures that induce even higher costs. In one way or another, various costs must be considered.
Safeguards can induce costs of decision making, costs of planning, initial investment costs, operation costs and maintenance costs. Additionally, opportunity costs should be considered. The following should be taken into consideration when selecting safeguards:
- The costs of decision making have to be covered for all steps—from problem identification to alternative selection. Generally, the decision maker and other experts have to invest much time and effort to find a proper solution.
- The costs of planning are induced by designing the solution and finding a systematic approach for implementing it.
- The initial investment costs are related to purchasing and implementing the safeguard. They include expenses regarding hardware, software, infrastructure, organizational costs and labor costs.
- All actions that ensure the continuous operation of the implemented safeguard and uphold the protection level lead to operation costs.
- Maintenance costs occur if safeguards have to be changed to eliminate actual or potential errors, achieve improvements or adapt to new environmental factors.
- In general, opportunity costs are always incurred when capital is invested. Capital that is invested in a safeguard is bound to a specific purpose and cannot be used for other purposes with higher profits. The difference between safeguard profits and alternative profits determines the amount of opportunity costs.
Breaches are often critical for a company because the confidentiality, integrity or availability of important data or systems has been impaired. This can lead to tremendous costs, including significant financial and nonfinancial damages. These costs can be divided into internal and external costs.
After a breach has occurred, certain tasks are highly recommended. Internal costs are related to the tasks that the company performs with its own resources. Primarily, they include detection, escalation, organization, containment, investigation and correction. In most cases, time is of the essence and the tasks should be performed as soon as possible.
External costs are caused by external factors that are part of the breach or direct consequences of it. These factors mostly comprise compromise, manipulation, process disruption, asset damage and revenue loss. Reputational damage, which might significantly affect future revenues, is also possible.
Read Stefan Beissel’s recent ISACA Journal article:
“A Critical Perspective on Safeguard Selection Processes,” ISACA Journal, volume 5, 2016.