Companies are making cybersecurity a greater priority

June 10, 2015

Companies are spending increasing amounts on cybersecurity tools, but aren't convinced their data is truly secure and many chief information security officers believe that attackers are gaining on their defenses, according to a new RAND Corporation study.

Charting the future of cybersecurity is difficult because so much is shrouded in secrecy, no one is entirely certain of all the methods malicious hackers use to infiltrate systems and businesses do not want to disclose their safety measures, according to the report.

While worldwide spending on cybersecurity is close to $70 billion a year and growing at 10 percent to 15 percent annually, many chief information security officers believe that hackers may gain the upper hand two to five years from now, requiring a continual cycle of development and implementation of stronger and more innovative defensive measures.

"Despite the pessimism in the field, we found that companies are paying a lot more attention to cybersecurity than they were even five years ago," said Martin Libicki, co-lead author of the study and senior management scientist at RAND, a nonprofit research organization. "Companies that didn't even have a chief information security officer five years ago have one now, and CEOs are more likely to listen to them. Core software is improving and new cybersecurity products continue to appear, which is likely to make a hacker's job more difficult and more expensive."

The RAND study draws on interviews with 18 chief information security officers and details the burgeoning world of cybersecurity products. It also reviews the relationship between software quality and the processes used to discover software vulnerabilities. Insights from these elements were used to develop a model that can shed light on the relationship between organizational choices and the cost of confronting cyberattacks.

"Companies know what they spend on cybersecurity, but quantifying what they save by preventing malicious attacks is much harder to tally," said Lillian Ablon, co-lead author of the report and a researcher at RAND. "In addition, malicious hackers can be extremely sophisticated, so costly measures to improve security beget countermeasures from hackers.

"Cybersecurity is a continual cycle of trying to eliminate weaknesses and out-think an attacker. Currently, the best that defenders can do is to make it expensive for the attackers in terms of money, time, resources and research."

Libicki and Ablon say several of the study's findings surprised them. They found that it was the effect of a cyberattack on reputation -- rather than direct costs -- that worried most chief information security officers. It matters less what actual data is affected than the fact that any data is put at risk.

However, the process of estimating those losses is not particularly comprehensive, and the ability to understand and articulate an organization's risk from network penetrations in a standard and consistent manner does not exist -- and may not exist for the foreseeable future.

RAND created a framework that portrays the struggle of organizations to minimize the cost arising from insecurity in cyberspace over a 10-year period. Those costs include the losses from cyberattack, the direct costs of training users, and the direct cost of buying and using cyber safety tools.

Additional costs also must be factored in, including the indirect costs associated with restrictions on employees using their personal devices on company networks and the indirect costs of air-gapping -- ensuring a computer network is physically isolated from unsecure networks. This is particularly true for sensitive sub-networks.

The RAND study includes recommendations for both organizations and policymakers. Organizations need to determine what needs to be protected and how badly, including what machines are on a company's network, what applications are running and what privileges have been established. Employees' desire to bring their own devices and connect them to the company network also can increase vulnerabilities.

Libicki said most of the chief information security officers who were interviewed were not interested in government efforts to improve cybersecurity. However, the RAND researchers believe government could play a useful role. For example, a government guide outlining how systems fail -- similar to guides for aviation and medical fields -- could help build a body of knowledge to help educate companies with the goal of developing higher levels of cybersecurity.
The study, "The Defender's Dilemma: Charting a Course Toward Cybersecurity," can be found at Timothy Webb also co-authored the report.

Support for the study was provided by Juniper Networks as part of a multiphase study on the future cybersecurity environment. The first study, "Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar," examined the cybercrime black markets.

The study was conducted within the Acquisition and Technology Policy Center of the RAND National Security Research Division. The division conducts research and analysis on defense and national security topics for the U.S. and allied defense, foreign policy, homeland security and intelligence communities and foundations and other nongovernmental organizations that support defense and national security analysis.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. To sign up for RAND e-mail alerts:

RAND is a registered trademark

RAND Corporation

Related Cybersecurity Articles from Brightsurf:

Computer scientists' new tool fools hackers into sharing keys for better cybersecurity
Instead of blocking hackers, a new cybersecurity defense approach developed by University of Texas at Dallas computer scientists actually welcomes them.

Cultural differences account for global gap in online regulation -- study
Differences in cultural values have led some countries to tackle the specter of cyber-attacks with increased internet regulation, whilst others have taken a 'hands-off' approach to online security -- a new study shows.

Study finds companies may be wise to share cybersecurity efforts
Research finds that when one company experiences a cybersecurity breach, other companies in the same field also become less attractive to investors.

$4.6 million award creates program to train cybersecurity professionals
A five-year, $4.63 million award from the National Science Foundation will enable a multi-disciplinary team of researchers at the University of Arkansas to create a program to recruit, educate and train the next generation of cybersecurity professionals.

First cyber agility framework to train officials developed to out-maneuver cyber attacks
To help train government and industry organizations on how to prevent cyberattacks, as part of a research project for the US Army, scientists at The University of Texas at San Antonio, developed the first framework to score the agility of cyber attackers and defenders.

Cyber of the fittest: Researchers develop first cyber agility framework to measure attacks
The framework proposed by the researchers will help government and industry organizations visualize how well they out-maneuver attacks over time.

Army researchers identify new way to improve cybersecurity
Researchers at the US Army Combat Capabilities Development Command's Army Research Laboratory, the Army's corporate research laboratory also known as ARL, and Towson University may have identified a new way to improve network security.

How susceptible are hospital employees to phishing attacks?
A multicenter study finds high click rate for simulated phishing emails, potential benefit in phishing awareness training.

A Georgia State cybersecurity study of the dark web exposes vulnerability to machine identities
A thriving marketplace for SSL and TLS certificates -- small data files used to facilitate confidential communication between organizations' servers and their clients' computers -- exists on a hidden part of the Internet, according to new research by Georgia State University's Evidence-Based Cybersecurity Research Group (EBCS) and the University of Surrey.

Army scientists revolutionize cybersecurity through quantum research
Army scientists have found a novel way to safeguard quantum information during transmission.

Read More: Cybersecurity News and Cybersecurity Current Events is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to