(23a) Cybersecurity: How Much Is Enough? | AIChE

Advice on the costs and benefits of a cyber security program is confusing and contradictory. It is common to hear comments throughout the industry such as: security is pure cost; there must be an ROI for each security investment; none of the risk calculations are quantitative, to list just a few. Even more confusing to business leaders: it is always possible to be more secure, or less secure. How, then, to evaluate cyber security funding requests? How can anyone ever know how much is enough? We explore the question “how much is enough” and draw some simple conclusions. We discuss how classic “natural disaster” risk models are poor fits to physical or cyber security problems. A good understanding of the characteristics of control system networks, industrial processes, safety systems, protection systems, security systems and attack capabilities is a prerequisite to an effective risk assessment. Assembling all this knowledge and these costs into a simple matrix that business leaders can understand and evaluate is very much possible. Join us to review approaches to risks, calculations and costs, and to understand how to communicate these to business decision-makers.
