Michael Lewis coined the term Moneyball in his book of the same name, published in 2003 and made into a movie in 2011 starring Brad Pitt. Moneyball was about applying analytics to baseball. Billy Beane, the Oakland Athletics General Manager, was the first baseball executive to use analytics to increase the probability of winning games.
Baseball is obviously about the players, and it is constrained by budgets. So Beane’s goal was to use analytics to build a better roster of players.
The analytics the Athletics developed were new and contradicted the “rules of thumb” that baseball scouts had used to select players for over 100 years.
Moneyball for cybersecurity is about applying analytics to cybersecurity to reduce the probability of material financial impact due to cyber-related loss events.
Cybersecurity is about controls – people, processes, and technologies – constrained by budgets and resources. So the objective is to create a better portfolio of controls and to improve collaboration with the business leaders who set cybersecurity budgets.
This requires a new analytical approach that calculates and visualizes the aggregate effectiveness of an organization’s control portfolio across the cyber-related loss events of greatest concern to business leaders. In other words, visualize cyber defenses in dollars.
It can be misleading to project the risk reduction value of a control improvement by evaluating the control in isolation. Yet we do this all the time. Risk reduction depends on how a proposed control improvement will work in concert with the other deployed controls.
There is a cybersecurity paradox. Overall cybersecurity spending increases every year. New frameworks are published, and older ones are updated. In addition, various government agencies are pressuring organizations to improve their cyber postures.
Despite these efforts, the number and financial impact of cyber-related loss events continue to increase.
Some say it’s due to the increasing pace of digital transformation. Others say it’s due to the increase in remote work and cloud computing. Still others say it’s due to a lack of trained cybersecurity professionals.
While those factors may contribute, two issues are more fundamental – prioritizing control investments and justifying cybersecurity budget proposals.
A control’s performance when evaluated in isolation does not indicate how effective it will be in reducing risk when deployed alongside all the other controls. This makes it difficult to decide which control improvements should be funded and which should not.
The underlying issue is the complexity of cybersecurity. Organizations deploy dozens of controls. There are hundreds of threat types as defined by MITRE ATT&CK®. There are hundreds to thousands of overlapping and intertwined attack paths into and through an organization’s IT/OT estate.
Therefore, each loss event scenario involves thousands of overlapping end-to-end kill chains. Adding to the complexity, many controls appear on many kill chains and many controls appear in multiple loss event scenarios.
In addition, it’s difficult to compare controls across different IT domains. How do you compare the value of a network control to an endpoint control? How do you compare the value of identity and access controls to malware detection controls? How do you compare left-of-bang to right-of-bang controls?
Security leaders often have difficulty justifying proposed control investments to the business leaders who set cybersecurity budgets due to the security metrics – business risk gap. Security teams use a wide range of technical metrics to monitor control performance that business leaders do not understand.
Business leaders know that cyber risk is business risk. Business leaders want to manage cyber risk as they do other strategic risks. They are frustrated by the difficulties of collaborating with security leaders who don’t speak their language – money.
Business leaders want to know how control investments will reduce the probability of material financial impact due to cyber loss events. To get their budget requests approved, security leaders need a credible approach to bridge the security metrics – business risk gap.
Monaco Risk’s advisory services use its patented Cyber Defense Graph™ to make Moneyball for Cybersecurity useful to security teams and credible to business leaders.
Monaco Risk’s Cyber Defense Graph statistical simulation addresses the exponential kill chain problem described above. All of the kill chains related to a loss event scenario are analyzed together, taking into account the capabilities, coverage, and governance of the controls involved.
Figure 1: An example of Monaco Risk's modular Cyber Defense Graph™. Threats enter from the left and move along attack paths shown as arrows. Controls are shown as boxes. Loss events result from threats that are not blocked by controls.
The resulting kill graphs display the critical path weaknesses into and through the organization’s IT/OT estate.
We generate tornado charts to show each control’s current and potential contribution to the aggregate effectiveness of the control portfolio.
Figure 2: Tornado chart example showing the contribution of individual controls to "aggregate control effectiveness."
In addition, we aggregate control effectiveness across multiple kill graphs.
We have also developed a set of standardized control parameters that enables the Cyber Defense Graph software to compare the risk reduction value of disparate types of controls. We can compare network controls to host controls, identity/access controls to malware prevention controls, and left-of-bang controls to right-of-bang controls.
This improves the decision-making process for prioritizing control selection by showing how alternative control improvements will reduce the probability of material financial impact due to cyber-related loss events.
Better collaboration with business leaders who set cybersecurity budgets hinges on bridging the security metrics – business risk gap. The Cyber Defense Graph enables credible business risk reduction analysis, in dollars, of alternative control investments.
We generate Loss Exceedance Curve charts to show the potentially catastrophic nature of cyber-related loss events. These charts also show, in dollars, how alternative control improvements reduce the probability that a loss event will have a material financial impact.
Figure 3: This example of a Loss Exceedance Curve chart shows how selected alternative control improvements reduce the probabilities of dollar losses exceeding three thresholds, shown as vertical lines.
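To make the "controls in concert" argument and the loss exceedance curve concrete, here is an added toy model that is not Monaco Risk's Cyber Defense Graph and not code from the original post. It uses constructed control effectiveness values, two constructed kill chains that share one control, and a constructed severity table; the exact enumeration over control outcomes shows that the control with the lowest standalone effectiveness (segmentation) has the largest risk reduction potential because it sits on every chain.

```python
from itertools import product

# Constructed illustration: probability that each control stops an attack that reaches it.
CONTROLS = {
    "email_filter": 0.8,   # blocks 80% of phishing mail
    "edr": 0.6,            # blocks 60% of malware that executes
    "mfa": 0.9,            # stops 90% of credential-stuffing logins
    "segmentation": 0.5,   # stops 50% of lateral-movement attempts
}

# Kill chains leading to the same loss event; a chain succeeds only if EVERY control on
# it fails. Both chains share "segmentation", so its outcome is correlated across them.
PATHS = [
    ["email_filter", "edr", "segmentation"],  # phish -> malware -> lateral movement
    ["mfa", "segmentation"],                   # stolen password -> lateral movement
]

# Constructed conditional severity table: (loss in dollars, probability given an event).
SEVERITIES = [(250_000, 0.50), (2_000_000, 0.35), (10_000_000, 0.15)]


def p_loss_event(controls, paths):
    """Exact probability that at least one kill chain gets through.

    Enumerates every combination of controls holding/failing; a control that fails,
    fails on every chain it appears on, so paths are not treated as independent.
    """
    names = list(controls)
    total = 0.0
    for outcome in product([True, False], repeat=len(names)):
        holds = dict(zip(names, outcome))
        prob = 1.0
        for n in names:
            prob *= controls[n] if holds[n] else 1.0 - controls[n]
        if any(all(not holds[c] for c in path) for path in paths):
            total += prob
    return total


def control_contributions(controls, paths):
    """Tornado-chart inputs per control: risk added if it were removed ("current") and
    risk removed if it were perfect ("potential"), each measured with all others in place."""
    base = p_loss_event(controls, paths)
    return {
        name: {"current": p_loss_event({**controls, name: 0.0}, paths) - base,
               "potential": base - p_loss_event({**controls, name: 1.0}, paths)}
        for name in controls
    }


def loss_exceedance(p_event, severities, thresholds):
    """P(annual loss > T) per threshold, assuming at most one loss event per year."""
    return {t: p_event * sum(p for loss, p in severities if loss > t) for t in thresholds}
```

Re-running `loss_exceedance` with segmentation raised to 0.9 shows the whole curve dropping by a factor of five, which is the comparison a loss exceedance chart puts in front of business leaders.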
Simply claiming a particular control improvement will reduce risk by X% is not sufficient. As my teachers used to say, “Show me the work!” What are your underlying assumptions? Have you evaluated lower-cost controls? How do they compare to the ones you are proposing?
Are there any controls we can eliminate to save money? Can we negotiate lower prices on controls that we need for compliance but that don’t significantly reduce the risk of a cyber event?
I am not the first to use the Moneyball analogy for cybersecurity. It has been used to focus on cybersecurity workforce development. Since Moneyball was about player selection, clearly Moneyball can and should be applied to cybersecurity team selection and development.
We take Moneyball a step further by applying it to processes and technologies as well as people, i.e., all controls. The analogy has also been used by a cyber insurance company.
Let me know what you think!