Cyber Security – Know Your ROI
Making the Business Case for Cyber Security
By Netta Schmeidler, VP Product at Morphisec
©Morphisec, 2016 | All rights reserved.

What’s Inside?

It may seem counterintuitive to talk about ROI and cyber security. After all, security doesn’t create earnings. But while security may not contribute revenue, loss prevention certainly impacts a company's bottom line. Cost avoidance is the implicit ROI of cyber security.

How much money can cyber security save your organization? The ultimate answer to this question is “it depends.”

It depends on how much a cyber attack would have cost your organization, which in turn depends on which system was attacked, what data was leaked, who was affected, and most importantly, how quickly the attack was brought under control.

Every cyber attack – whether targeted or non-targeted – costs the attacked organization dearly. In this ebook we describe those costs, and how a majority of the expenses can be avoided.

Investments in your organization’s security should stand up to the same scrutiny as all your business goals. This ebook shows how to calculate the implicit ROI of your organization’s cyber security initiatives.

Read on!

Table of Contents
1: Costs of Cyberattacks on the Rise
2: The Time-Cost Relationship
3: Phase One: Before the Attack - Precautionary Measures
3.1: Patching: An Infinite Process
3.2: The Costs of Patching
4: Phase Two: Internal Disruption - Analyzing a Suspected Compromise
4.1: The Costs of Internal Disruptions
5: Phase Three: Post Attack - The Highest Price Tag
6: Attack Prevention or: How to Reap the Highest Implicit ROI
7: Take-A-Ways
8: How Morphisec Can Help
9: About the Author
10: About Morphisec
1: Costs of Cyberattacks on the Rise

To calculate the cost of attacks on your organization, you need to consider both the tangible costs – actual money spent on containment and repair – as well as intangible costs such as operational disruption, brand damage, lost revenue and compromised assets. Oftentimes the intangibles exact a heavier toll on your enterprise than tangible expenses.

Cyber criminals are upping both the number and the severity of their attacks. In its Global State of Information Security® Survey 2016, PwC found a 38% increase in incidents detected in 2015 over 2014, with theft of hard intellectual property increasing by an astounding 56%.

During 2015, businesses fell victim to an average of 1.9 successful cyber attacks per week, racking up annual costs of $7.7 million. This is up 13.9 percent (as measured in local currencies) over 2014, according to the Ponemon Institute’s 2015 Cost of Cyber Crime Study. And while the larger the organization, the greater the total breach cost, small organizations actually incur much higher per capita costs at $1,388 per seat vs. $431.

Insurance giant Lloyd’s estimates that cyberattacks cost companies $400 billion every year. Finally, Cybersecurity Ventures predicts cybercrime will cost $6 trillion annually by 2021.
2: The Time-Cost Relationship

Cyber attacks can be divided into three major phases – before an attack, while under attack and disruptions after the attack. Of course the two latter phases may overlap, but for the purpose of this analysis we will treat them separately. The phases roughly correlate with the Cyber Kill Chain stages, but from the point of view of the organization rather than the attack. As we will show, there is a steeply increasing relationship between the time to contain an attack and organizational cost.

Attack Timeline (figure): Before the attack – Precautionary Measures; Attack starts; Attack alert received via detection tools; Under attack – Internal Disruptions; Attack confirmed by analyst; Post attack – External Disruptions.
3: Phase One: Before the Attack - Precautionary Measures

Organizations employ many precautions and actions in the attempt to block cyber attacks. Such measures can require significant time and resources to implement as well as maintain. This class of tools includes end point security solutions such as anti-virus, protection and detection systems as well as gateway solutions.

Every enterprise includes software patching as part of its security system to some extent. Because of its widespread use and marked impact on business processes, we will examine patching as an example of direct and indirect costs to your organization.

3.1: Patching: An Infinite Process

The complexity and often time-critical nature of even predictable patching places a significant burden on IT operations. It consigns your IT team to a reactive state, forcing them to continually play catch-up whether or not a vulnerability is actually exploited. Many organizations consider patching resource-intensive and ineffective, yet perform it on some level both for regulatory reasons and to avoid extended risk.

Patching consists of the following steps:
- Obtaining the patch from a trusted party and validating patch and source integrity
- Testing the patch to ensure the vulnerability is remediated and the patch will not break other applications – a lengthy and laborious process
- Notifying affected parties of unscheduled downtime if needed
- Patch deployment
- Post-deployment operational efficiency testing
- Rollback and remediation if needed
3.2: The Costs of Patching

To calculate how much patching costs your organization per year, use the following formula:

Total Annual Patching Cost = [(Cost of Patching Event) * (Number of Patching Events)] + [(Prepare and Detect Costs) * (Number of Reported Vulnerabilities)] + (Total Annual Ongoing Costs)

If you want to get to a more precise figure, take the real costs into account:

Cost of Patching Event = (Fully Burdened Hourly Rate) * (Hourly Effort)

Total Annual Ongoing Costs should include the cost of your Patch Management tools, contained in the above formula as “Prepare and Detect Costs.” Using such tools, the hourly effort of end point patching is estimated at around eight hours per system per year, a total that includes assessment, assembly and testing, deployment, failure resolution and helpdesk.

Numbers may vary, but with a total of 10 yearly patches on average, the costs for patching can reach several million dollars for a sizeable organization. And 10 yearly patches is a vast underestimation.

Patching comes with a low ROI given its costliness and minimal effectiveness.
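A worked calculation of the patching cost formula above, added here as an example and not part of the ebook. The fleet size, the $75 fully burdened hourly rate, the per-vulnerability prepare-and-detect cost and the ongoing tooling cost are constructed inputs for a hypothetical organization; the 0.8 hours per system per patching event is derived from the ebook's estimate of about eight hours per system per year spread over ten yearly patches.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PatchingInputs:
    """Inputs to the ebook's Total Annual Patching Cost formula."""
    burdened_hourly_rate: float        # fully burdened cost of one IT hour
    hours_per_system_per_event: float  # 8 h/system/yr over 10 events = 0.8 (derived)
    systems: int                       # end points in scope for patching
    patching_events: int               # patch cycles per year
    prepare_detect_cost: float         # per reported vulnerability
    reported_vulnerabilities: int
    annual_ongoing_costs: float        # patch management tooling etc.


def cost_of_patching_event(p: PatchingInputs) -> float:
    """Cost of Patching Event = (Fully Burdened Hourly Rate) * (Hourly Effort).

    Hourly effort for one event is the per-system effort times the fleet size.
    """
    hourly_effort = p.hours_per_system_per_event * p.systems
    return round(p.burdened_hourly_rate * hourly_effort, 2)


def total_annual_patching_cost(p: PatchingInputs) -> float:
    """[(event cost) * (events)] + [(prepare/detect cost) * (vulns)] + (ongoing)."""
    event_costs = cost_of_patching_event(p) * p.patching_events
    prepare_detect = p.prepare_detect_cost * p.reported_vulnerabilities
    return round(event_costs + prepare_detect + p.annual_ongoing_costs, 2)


def cost_by_event_count(p: PatchingInputs, counts: list[int]) -> dict[int, float]:
    """Sensitivity of the total to the number of yearly patching events.

    The ebook calls ten patches a year a vast underestimate; this shows how the
    labour term scales while prepare/detect and ongoing costs stay fixed.
    """
    return {n: total_annual_patching_cost(replace(p, patching_events=n)) for n in counts}


# Constructed example organization (hypothetical figures, not from the ebook):
EXAMPLE_ORG = PatchingInputs(
    burdened_hourly_rate=75.0,
    hours_per_system_per_event=0.8,
    systems=5_000,
    patching_events=10,
    prepare_detect_cost=2_000.0,
    reported_vulnerabilities=40,
    annual_ongoing_costs=150_000.0,
)

if __name__ == "__main__":
    print(f"Cost per patching event: ${cost_of_patching_event(EXAMPLE_ORG):,.2f}")
    print(f"Total annual patching cost: ${total_annual_patching_cost(EXAMPLE_ORG):,.2f}")
    for events, total in cost_by_event_count(EXAMPLE_ORG, [10, 20, 40]).items():
        print(f"  {events:>3} patch cycles/year -> ${total:,.2f}")
```

With these inputs the labour term alone is $3 million a year for 5,000 end points, which is where the ebook's "several million dollars" figure comes from; doubling or quadrupling the patch cycles scales that term linearly.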
4: Phase Two: Internal Disruption - Analyzing a Suspected Compromise

The period of internal disruption is defined as the time between the moment your organization is notified of a potential attack and the time the attack is confirmed. The notification of an attack may occur in the following ways:
- Malware detection software sends multiple alerts to the organizational SIEM and the alerts pass the level defined for a potential attack by your organization. Usually this marks the beginning of a forensic analysis process, which ends as soon as the attack is confirmed.
- A direct manifestation of an attack, e.g. ransomware locks the machines and a ransom demand is posted. Such an occurrence is usually very close in time to the beginning of the attack – minutes to hours. The time period is then extended until ransom is paid and further on – until the organization believes all remnants of the attack have been taken care of.
- Indirect manifestations of an attack, e.g. proprietary documents get leaked. Occurrences such as these can be seen weeks or even months after the initial attack. In this case the organization goes into security alert mode upon notification of the attack; however, quarantine is usually partial, in the understanding that the organization is already compromised.
- An update to the anti-virus (AV) or similar system enters a new signature or pattern in the system’s repository, and the system discovers the signature in one or more of the organization’s end points. There is no clear indication that an attack was activated, so there is usually no business quarantine, but forensic analysis may be performed to understand internal ramifications, and patching level may be heightened.
4.1: The Costs of Internal Disruptions

Costs during this phase include forensic efforts as well as the business loss due to quarantine and system downtime.

Forensic Analysis

Forensic analysis comes into play when there is a suspicion of an attack, through any of the previously described routes. Such analysis helps an organization understand whether an attack occurred, contain it as much as possible, assess its business implications and see how to avoid a similar attack in the future.

Associated costs primarily consist of the salaries for internal forensic analysts or fees of external experts. These costs of course are greater the longer the analysis phase takes.

Often an analysis concludes that no attack occurred. It is estimated that organizations spend over two thirds of their time and forensic budget on such false positives.

Quarantine and Loss of Business

During the attack containment phase, some or all levels of the organization may be affected. Any system even suspected of being affected must be quarantined until cleared. In ransomware attacks, data becomes inaccessible.

Clearly, the longer the organization remains quarantined, the higher the organizational costs. Impacted are:
- Employees, who are unable to work when machines are quarantined.
- C-suite and management, who are unable to conduct business without machines and especially without data.
- Servers, which are unable to run business applications. Most organizations can quantify the cost of a loss of each business hour per server.
5: Phase Three: Post Attack - The Highest Price Tag

Including both tangible and intangible components, costs at the post-stage are the greatest in the attack lifecycle. If a cyber attack reaches this late stage of breach, the implicit ROI of any security solution is very low, since exceptional internal and external efforts are required to overcome the attack.

Costs attributed to the Post Attack phase are:
- Loss of Business and Reputation Damage: If an attack on your organization hits the headlines, it can drive away prospects and customers. Cost calculations should include:
  - Customer Churn – the assessed number of customers who will terminate their relationship as a result of the attack.
  - Reduced customer acquisition – the assessed number of prospects who will drop out of the sales cycle or refuse to initiate a relationship with your organization because of the attack.
- Ransom Paid: In case of ransomware, organizations often prefer to pay the ransom in order to avoid negative publicity and loss of reputation and business.
- Financial losses for employees or customers: Employees’ or customers’ personal and financial details may be stolen, sold or published as a result of an attack. Affected persons need to take precautions, cancel payments and credit cards. Your organization will have to reimburse employees and compensate customers.
- Data Recovery: Attacks often cause data loss, requiring lengthy and costly recovery operations. In some cases data is not fully recovered and the loss of information creates severe business disruption. While data recovery costs can be quantified, it is harder to gauge the cost of lost information.
- Business Disruptions: External remediation causes additional work to be performed and processes to be set up, such as:
  - C-suite: Your executives spend time and resources in PR-related activities.
  - Customer support: Your customer support representatives spend vast amounts of time explaining the attack and its ramifications to customers. Most organizations can quantify these expenses using the internal ticketing system.
  - Legal Process: Needed for customer compensation and employee reimbursements as well as assessing liability. In addition, some organizations are fined over regulatory issues discovered.
6: Attack Prevention
Or: How to Reap the Highest Implicit ROI

THE FASTER THE BETTER

To achieve the highest implicit ROI, you must aim to avoid the majority of the costs associated with a cyber breach.

Looking at all of the cost calculations, it is easy to see that cyber security measures bring you the greatest ROI in the prevention phase. Research sponsored by IBM and independently conducted by Ponemon Institute LLC in May 2015 found a clear relationship between how quickly an organization can identify and contain data breach incidents and financial consequences. Costs rise the longer the internal disruption period extends. If an attack is stopped as it occurs, early in the kill chain, this time period is reduced to zero and no costs are incurred.

ELIMINATING FALSE POSITIVES

Reducing the period of internal disruption will also add to your ROI on cyber security. This comes starkly into focus when we consider the high cost of analyzing false positives.

This is where the difference between deterministic and heuristic protection and detection methods comes into play:
- With a heuristic method you get a probabilistic indication of an attack, and need to invest investigative efforts to corroborate or refute this assumption.
- Deterministic methods, however, clearly notify you that an attack has occurred and no further analysis is needed.
7: Take-A-Ways

Cyber threats are as diverse as the organizations they aim to penetrate. Security countermeasures against those threats should be held to the same standards as all business decisions: whether the benefits outweigh the costs.

Calculating the implicit ROI of a particular cyber security measure can be challenging, but all evidence demonstrates that the earlier you break the kill chain, the greater your cost avoidance. Preventing a threat from ever penetrating your organization translates into zero costs other than the cost of the prevention mechanism itself. Once a breach occurs, costs balloon due to the time and expense of analyzing and then remediating the threat.

Phase | Costs | Implicit ROI of protection at this stage
Pre-Attack | Security solutions and patching costs. | Medium: Patching cycles can be stretched out when using protection technologies.
Internal Disruption phase: between detecting an attack and confirming it | Forensic analysis; business disruption for quarantine, until attack is confirmed. | High: All costs are avoided if this time period is 0 when using deterministic prevention tools.
Post-Attack | Customer turnover; reduced customer acquisition; legal; ransomware; employees. | Low: Involves high costs which could have been avoided if attack was stopped earlier in the kill chain. Some still incurred if attack was detected post-attack.
8: How Morphisec Can Help

Morphisec provides powerful software for enterprises concerned with advanced threats, zero-days, exploits, evasive malware, or protection gaps due to patching delays. It protects enterprise endpoints at the earliest stage of a cyber attack, using Moving Target Defense technology to effectively conceal vulnerabilities from attackers. Its polymorphic engine scrambles the application’s runtime environment, randomly and without any trace, every time an application is loaded, making the memory space unpredictable to attackers.

Stages of Targeted Attacks (figure): Reconnaissance, Infiltration, Exploit, Persistence, Collection, Exfiltration, with the points at which Morphisec, Detection and Post Breach Costs apply marked along the chain.
About the Author: Netta Schmeidler

Netta Schmeidler, VP Product at Morphisec, has more than 25 years of experience delivering complex enterprise applications and managing global development groups and product teams. Her broad expertise includes all aspects of defining, building and successfully bringing solutions to market, with special emphasis on IT cost-benefit analyses.

Prior to Morphisec, Netta held senior product management and engineering roles at VMware (Digital Fuel), BMC, Identify Software, and Mercury. She received an MBA from Tel Aviv University, and a BSc in Computer Science from Hebrew University.

Connect via LinkedIn
About Morphisec

Emerging from the national cybersecurity center and from some of the sharpest cybersecurity minds in Israel, Morphisec provides the ultimate in threat prevention by making sure attackers never find the targets they seek.

Morphisec’s Moving Target Defense technology camouflages your applications and web browsers and traps any attempts at access. Your endpoints, once a site of weakness, become an impenetrable defense.

Morphisec fundamentally alters the cybersecurity landscape with its moving target defense, which keeps defenders consistently ahead of attacks. Its polymorphic engine scrambles the application’s runtime environment, randomly and without any trace, every time an application is loaded, making the memory space unpredictable to attackers.

Morphisec terminates the kill chain at its very onset, stopping and neutralizing zero-days, advanced attacks, evasive file-based and file-less malware, ransomware, APTs and web-borne exploits before they can do any damage.

Morphisec ETP prevents attacks in real time, before any malware can execute. A security stack with Morphisec provides adequate protection alongside operational efficiency – no agent bloat, a lower level of compatibility issues, low CPU drain, a low level of false alerts, and low remediation costs.

Morphisec prevents advanced, evasive attacks, and does so in a deterministic manner, with no false positives, via a lightweight, 1MB agent requiring no administration.

Counter the terror of advanced cyberattacks: Schedule a demo with Morphisec today!