Cybersecurity Risk’s “New Math”

Mary K. Pratt posted an article, “The new math of cybersecurity value,” on CSOonline on September 21, 2021, available at The new math of cybersecurity value | CSO Online. It is a good article that brings up longstanding issues with security metrics, but it is by no means “new.”

I published an article, “Accounting for Value and Uncertainty in Security Metrics,” in the ISACA Information Systems Control Journal of November 2008. The article won ISACA’s 2009 Michael P. Cangemi Best Book/Best Article Award. My article, which is available at Accounting for Value and Uncertainty in Security Metrics (researchgate.net), actually went beyond Pratt’s post in that it advocates bringing uncertainty—in the form of probability distributions—into the equation. No matter. The important thing is that Pratt focuses on the subject and encourages cybersecurity professionals to take a broader view of the impact of cybersecurity investments on business risk.

Indeed, my very first BlogInfoSec posts, in March 2008 (more than 13 years ago!) were titled “ROSI: Security Returns” and “Metrics: A Measure of Security.” A couple of months later, in May 2008, I posted two columns titled “A Return to ROSI: The Economics of Security” and “Metrics Revisited—Application Security Metrics.”

The prior year, I published a chapter in Managing Information Assurance in Financial Services, edited by H.R. Rao, Manish Gupta and Shambhu Upadhyaya (IGI Global, 2007), with the title “Analyzing Risks to Determine a New Return on Security Investment: Optimizing Security in an Escalating Threat Environment.” This was followed, a few years later, by a chapter, “Dynamic Cyber Security Economic Model: Incorporating Value Functions for All Involved Parties,” in Threats, Countermeasures and Advances in Applied Information Security, edited by Manish Gupta et al. (IGI Global, 2012).

Okay. So, what’s the point here? The point is that considering value with respect to cybersecurity metrics is not new, but it is still difficult to deal with, as one has to get into the motivations and biases of each and every player. These are highly subjective, and are very difficult to measure and analyze. I should know, as I have been researching the topic for more than a decade and am still looking for answers.

The bottom line is that it is gratifying to see others taking on the subject, even though there is still a long way to go—and the finish line keeps moving further away as new technologies come onto the scene.

*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2021/10/18/cybersecurity-risks-new-math/?utm_source=rss&utm_medium=rss&utm_campaign=cybersecurity-risks-new-math
