Information security costs. Direct and indirect costs for protecting enterprise information. Information security budget: the share is growing, the “pie” is shrinking

The Kaspersky Lab Global Corporate IT Security Risks Survey is an annual analysis of trends in corporate information security around the world. We look at such important aspects of cybersecurity as the cost of information security, the current types of threats for different types of companies, and the financial consequences of encountering these threats. In addition, by learning from executives about their information security budgeting principles, we can see how companies in different regions of the world are responding to changes in the threat landscape.

In 2017, we sought to understand whether companies are seeing information security as a cost factor (a necessary evil for which they are forced to allocate money) or are beginning to consider it a strategic investment (that is, a means of ensuring business continuity that provides significant benefits in an era of rapidly evolving cyber threats).

This is a very important question, especially since IT budgets have been declining in most regions of the world.

In Russia, however, in 2017 there was a slight increase in the average budget allocated to security – 2%. The average information security budget in Russia was about 15.4 million rubles.

This report takes a closer look at the types of threats facing companies of all sizes, as well as the typical patterns of IT spend.

General information and research methodology

The global Kaspersky Lab Corporate IT Security Risks Survey is a survey of executives managing the IT services of their organizations, which has been conducted annually since 2011.

The most recent data was collected in March and April 2017. A total of 5,274 respondents from more than 30 countries were surveyed, covering companies of all sizes.

The report uses the following designations: small business (fewer than 50 employees), SMB (small and medium-sized business, 50 to 250 employees) and large business (companies with more than 250 employees). The current report presents an analysis of the most revealing parameters from the survey.

Main conclusions:

It's becoming more difficult for companies of all sizes to combat cyber threats, and defense costs are also rising. In Russia, in the segment of medium and small businesses, the average cost of eliminating the consequences of just one cyber incident is 1.6 million rubles, and for the large business segment the costs are 16.1 million rubles.

The share of the IT budget allocated to information security is growing. This is typical for companies of any size. The total budget remains low, and in Russia the growth was only 2%, so specialists are forced to carry out their tasks with few resources.

The damage from a single incident is growing, and companies that do not prioritize information security costs could soon find themselves in serious trouble. The study showed that in the SMB segment, companies spend about 300 thousand rubles for each security incident on additional payments to staff, and large corporations can spend 2.7 million rubles to reduce damage to the brand.

Damage from security incidents

The damage from cybersecurity incidents is constantly growing: companies have to deal with a variety of consequences, from additional public-relations work to hiring new employees. In 2017, there was a further increase in financial losses in the event of data breaches. This should change the way companies approach this issue: companies will stop seeing cybersecurity costs as a necessary evil and will begin to see them as investments that will allow them to avoid significant financial losses in the event of an attack.

Serious data breaches are increasingly costly

The biggest concern for CTOs is massive attacks that result in millions of records being leaked. Such were the attacks on the National Health Service (NHS) of Great Britain and on Sony, or the hacking of the HBO television channel with the release of confidential data related to the series “Game of Thrones”. However, in reality, such major incidents are the exception rather than the rule. Until last year, most cyberattacks did not make the news headlines and remained the province of special reports for specialists. Of course, the ransomware epidemics have changed the situation a little, but the corporate sector still does not see the whole picture.

The relatively small number of known large-scale cyber attacks does not mean that the damage from most attacks is insignificant. So, how much do companies spend on average to resolve a “typical” data breach? We asked study participants to estimate how much their company spent/lost as a result of any security incident that occurred in the last year.

All companies with 50 or more employees were required to estimate the costs incurred in each of the following categories:

For each of the categories, we calculated the average costs incurred by companies faced with information security incidents, and the sum of all categories allowed us to estimate the amount of total damage caused by an information security incident.

Below we present separately the results for the SMB and large business segments, since the statistics for them differ in many ways. For example, the average damage for Russian SMB companies is almost 1.6 million rubles, and for large businesses it is almost ten times higher - 16.1 million rubles. This shows that cyber attacks are costly for companies of all sizes.

The fact that large businesses, on average, suffer more losses when data integrity is violated is not surprising, but it is interesting to analyze the distribution of damage by category.

Last year, additional employee benefits were the most significant expense item for both SMBs and large businesses. However, this year the picture has changed, and companies of different sizes have different main expense items. Small and medium-sized businesses continue to lose the most on employee benefits. But large businesses began to invest in additional PR to reduce damage to the brand’s reputation. In addition, a significant cost item for large businesses was the cost of improving technical equipment and purchasing additional software.

For all companies, employee training costs have increased. Security incidents often make companies realize the importance of increasing cyber literacy and improving threat intelligence.

The more extensive internal resources of large companies and the peculiarities of regulation of their activities determine a different balance between the costs of eliminating the threat itself and the costs of compensating for damage. A serious expense item was the increase in insurance premiums, the deterioration of credit ratings and the erosion of trust in the company: on average, after each incident, large companies lose about 2.3 million rubles from this.

Our research showed that much of the increase in company costs was driven by the need to prevent - or at least reduce - reputational losses in the form of credit ratings, brand image and compensation.

As new regulations that require companies to publicly report all incidents and increase data security transparency become more widespread, the average cost is likely to continue to rise.

Such trends are typical, for example, in Japan, where the average cost of eliminating the consequences of a security breach more than doubled: from $580 thousand in 2016 to $1.3 million in 2017. The Japanese government has moved to tighten regulations in response to an increase in cybersecurity threats. In 2017, new laws came into force, which caused a sudden increase in costs.

However, developing and implementing laws takes time. With the rapid development of the corporate IT landscape and the evolution of cyber threats, the lag in regulatory measures is becoming a serious problem. For example, new Japanese standards were agreed upon back in 2015, but their entry into force had to be delayed for two whole years. For many, this delay was very costly: during these two years, a number of large Japanese companies became victims of costly attacks. One example is travel company JTB Corp., which suffered a huge leak in 2016. The data of 8 million customers was stolen, including names, addresses and passport numbers.

This is one of the symptoms of a global problem: threats are developing rapidly, and the inertia of governments and companies is too high. Another example of tightening the screws is the EU General Data Protection Regulation (GDPR), which comes into force in May 2018 and significantly limits the acceptable ways in which the data of EU citizens can be processed and stored.

Laws are changing around the world, but they can’t keep up with cyber threats – three waves of ransomware in Russia reminded us of this in 2017. Therefore, businesses should be aware of the imperfections of the law and strengthen protection in accordance with the actual circumstances - or accept the damage to reputation and customers in advance. It is worth preparing for new regulatory requirements without waiting for deadlines. By changing policies after the relevant laws have been issued, companies risk not only fines, but also the security of their own and client data.

There are no such things as someone else's vulnerabilities: gaps in partner protection are costly

To protect against data leaks, it is very important to understand what attack vectors attackers use. In turn, this information will help you understand which types of attacks are most costly.

The survey showed that the following incidents had the most severe financial consequences for medium and small businesses:

  • Incidents affecting infrastructure hosted on third-party equipment (RUB 17.2 million)
  • Incidents affecting third-party cloud services used by the company (RUB 3.6 million)
  • Inappropriate communication via mobile devices (RUB 2.5 million)
  • Physical loss of mobile devices, exposing the organization to risks (RUB 2.1 million)
  • Incidents related to non-computing devices connected to the Internet (for example, industrial control systems, Internet of Things) (RUB 1.7 million)

The situation with large businesses is somewhat different:

  • Targeted attacks (RUB 75 million)
  • Incidents affecting cloud services of third-party vendors (RUB 19 million)
  • Viruses and malware (RUB 9 million)
  • Inappropriate data exchange via mobile devices (RUB 7.3 million)
  • Incidents affecting suppliers with whom companies exchange data (RUB 4.4 million)

These data show that attacks caused by security problems at business partners are very often among the most costly for companies of any size. This applies both to organizations that rent cloud or other infrastructure from third-party suppliers and to companies that exchange their data with partners.

Once you give another company access to your data or infrastructure, their weaknesses become your problem. However, we have previously observed that most organizations do not attach sufficient importance to this. It is therefore not surprising that incidents of this kind cause the greatest costs: any boxer will tell you that it is usually an unexpected blow that causes a knockout.

Also immediately noteworthy is another vector that unexpectedly made it into the top 5 threats for medium-sized businesses: attacks related to connected devices that are not computers. Today, traffic on the Internet of Things (IoT) is growing much faster than traffic generated by any other technology. This is another example of how new developments are increasing the number of potential vulnerabilities in business infrastructure. In particular, the widespread use of factory default passwords and weak security features on IoT devices has made them an ideal target for botnets like Mirai, malware capable of combining large numbers of vulnerable devices into a single network to carry out large-scale DDoS attacks on selected targets.

The amount of losses from targeted attacks in the large business segment is noteworthy - this threat is extremely difficult to counter. Over the past couple of years, a number of high-profile targeted attacks on banks have become known, which also reinforces these disappointing statistics.

Investing in Risk Reduction

As our research has shown, threats to information security are becoming more serious. In these conditions, one cannot but worry about the state of the information security budgets themselves. By analyzing their changes, we can decide whether organizations view their security as a cost driver, or whether the balance is gradually shifting to being seen as an area for investment that provides a real competitive advantage.

The size of the budget shows the company’s attitude towards IT security, the importance of the role of the protective system from the management’s point of view, and the organization’s willingness to take risks.

Information security budget: the share is growing, the “pie” is shrinking

This year we have seen that savings and outsourcing have led to reductions in IT budgets. Despite this (or perhaps as a result of this), the share of information security in these IT budgets has increased. In Russia, a positive trend can be seen in companies of all sizes. Even among micro-businesses operating in conditions of insufficient resources, the share of IT budgets allocated to information security has increased, albeit by a fraction of a percent.

This means that companies are finally starting to understand the importance of information security. Perhaps this shows that information security has begun to be perceived by many as a potentially useful investment, rather than as a source of cost.

We see that IT budgets around the world are being significantly reduced. While information security is getting a larger piece of the pie, the pie itself is getting smaller. The trend is alarming, especially given how high the stakes are in this area and how costly each attack is.

In Russia, the average budget for information security for large businesses in 2017 reached 400 million rubles, and for small and medium-sized businesses – 4.6 million rubles.

Sample: 694 respondents in Russia capable of assessing the budget

It's no surprise that government service organizations (including the defense sector) and financial institutions around the world are reporting the highest information security costs this year. Businesses in both of these sectors spent an average of more than $5 million on security. It is also worth noting that the IT and telecommunications sector, as well as companies in the energy industry, also spent more than average on information security, although their budgets were closer to $3 million than to $5 million.

However, if you divide total costs by the number of employees, government organizations move towards the bottom of the list. On average, the IT and telecommunications sector spends $1,258 per capita on information security, while the energy sector spends $1,344 and financial services companies spend $1,436. By comparison, government agencies allocate only $959 per person for information security.

In both the IT and telecommunications segment and the energy supply industry, high costs per employee are most likely associated with the need to protect intellectual property, which is especially relevant in these sectors of the economy. In the case of energy supply organizations, high security costs may also be due to the fact that these companies are increasingly vulnerable to targeted attacks organized by groups of attackers.

In this industry, investing in information security becomes critical to survival because it ensures business continuity, a critical factor for energy supply. The consequences of a successful cyber attack in this industry are especially severe, so investing in information security has very tangible benefits.

In Russia, IT and telecommunications companies and industrial enterprises invest the most in information security: average costs for the former reach 300 million rubles, and for the latter 80 million rubles. Industrial and manufacturing companies typically rely on industrial control systems (ICS) to ensure the continuity of production processes. At the same time, attacks on ICS are increasing in number: over the past 12 months their number has increased by 5%.

Reasons for investing in information security

The dispersion of investment amounts in information security between sectors is very large. Therefore, it is especially important to understand the reasons that motivate companies to spend limited resources on information security. Without knowing the motives, it is impossible to understand whether a company considers the money spent on the security of its IT infrastructure to be thrown away or views it as a profitable investment.

In 2017, significantly more companies worldwide admitted that they would invest in cybersecurity regardless of the expected return on investment: 63% compared to 56% in 2016. This shows that more and more companies understand the importance of information security.

Main reasons for increasing the information security budget, Russia

Not all companies expect a quick return on investment, but many global companies cited pressure from key stakeholders, including the company's top management, as a reason for increasing information security budgets (32%). This shows that companies are beginning to see a strategic advantage in growing information security spending: security measures not only protect the company in the event of an attack, but also demonstrate to customers that their data is in good hands and ensure the business continuity in which the company's management is interested.

The most popular reason for increasing spending on information security was cited by the majority of domestic companies as the need to protect an increasingly complex IT infrastructure (46%), and the need to improve the skills of information security experts was noted by 30%. These figures highlight the need to increase the level of expertise available to a company by developing the skills of its own employees. Indeed, SMEs and large enterprises alike are increasingly investing in supporting their internal workforce in the fight against cyber threats.

At the same time, the share of Russian businesses citing new business operations or company expansion as a reason to increase spending on information security has decreased: from 36% last year to 30% in 2017. Perhaps this reflects the macroeconomic factors that our companies have had to deal with recently.

Conclusion

Huge damage was caused in 2017 by massive attacks such as WannaCry, ExPetr and BadRabbit. The damage from targeted attacks, in particular on Russian banks, is also great. All this demonstrates that the cyber threat landscape is changing rapidly and inexorably. Companies are forced to adapt their defenses or go out of business.

An increasingly significant factor in business decisions is the difference between the cost of preparing to deal with cyberattacks and the costs incurred by the victim.

The report shows that even relatively small data breaches that are of little interest to the general public can be very costly to a company and seriously impact its operations. Another reason for the rising costs of security incidents is changes in regulations around the world. Companies must either adapt or risk both non-compliance and possible hacking.

In these circumstances, it becomes especially important to consider all the consequences and costs. Perhaps this is why more and more companies from different countries are increasing the share of information security in their IT budgets. In 2017, significantly more companies worldwide admitted that they would invest in cybersecurity regardless of the expected return on investment: 63% compared to 56% in 2016.

Most likely, as the damage from cybersecurity incidents increases, those organizations that consider IT costs as investments in security and are willing to spend significant amounts of money on them will be better prepared for possible troubles. What is the situation in your company?

Annotation: The lecture discusses the tasks and methods of economic analysis of the feasibility of implementing measures to ensure information security under certain conditions.

Methodological foundations of the economics of information security

Information security management, like management in many other fields, involves periodically taking management decisions. As a rule, these consist in choosing between alternatives (one of several possible organizational schemes or one of the available technical solutions) or in setting particular parameters of individual organizational and/or technical systems and subsystems. One possible approach to choosing between alternatives is the so-called “volitional” approach, in which the decision is made intuitively, for one reason or another, and no formally justified cause-and-effect relationship between the initial premises and the specific decision can be established. The obvious alternative to the “volitional” approach is decision-making based on formal procedures and consistent analysis.

The basis for such analysis and the decisions that follow from it is economic analysis: the study of all (or at least the main) factors influencing the development of the systems under consideration, the patterns of their behavior and the dynamics of their change, together with a universal monetary valuation. Decisions about both the overall development strategy and individual organizational and technical measures, at the level of states, regions and industries as well as at the level of individual enterprises, divisions and information systems, should be made on the basis of adequately constructed economic models and the economic analysis carried out with their help.

At the same time, just as the economics of any other field has its own characteristics, the economics of information security, considered as a relatively independent discipline, is based on general economic laws and methods of analysis on the one hand, and on the other hand requires its own understanding: the development of approaches to analysis specific to this field, the accumulation of statistical data specific to it, and the formation of stable ideas about the factors that influence the functioning of information systems and information security tools.

The complexity of economic analysis in almost all fields is generally due to the fact that many key parameters of economic models cannot be reliably estimated and are probabilistic in nature (for example, indicators of consumer demand). The analysis is further complicated by the fact that even small fluctuations (adjustments of estimates) of such parameters can seriously affect the values of the objective function and, accordingly, the decisions made on the basis of the analysis. Therefore, to make the calculations as reliable as possible, the economic analysis and decision-making process must be organized as a set of activities: collecting initial information, calculating forecast values, interviewing experts in various fields and processing all the data. In the course of such an analysis, special attention must be paid to intermediate decisions concerning the estimates of particular parameters included in the overall model. It must also be borne in mind that the analysis itself can be a rather resource-intensive procedure, requiring additional specialists and third-party consultants as well as the efforts of various specialists (experts) working at the enterprise itself; all of these costs must ultimately be justified.

The particular complexity of economic analysis in the area of information security is determined by specific factors such as:

  • the rapid development of information technologies and techniques used in this area (both means and methods of defense and means and methods of attack);
  • the inability to reliably predict all possible attack scenarios on information systems and attacker behavior patterns;
  • the impossibility of giving a reliable, sufficiently accurate assessment of the cost of information resources, as well as assessing the consequences of various violations in monetary terms.

This requires additional effort in organizing the economic analysis process, and often leads to many information security decisions turning out to be inadequate. Examples of situations in which the insufficient development of economic analysis methodology negatively affects the state of information security are cases when:

  • enterprise management may make inadequate decisions regarding investments in information security tools, which, in turn, may lead to losses that could have been avoided;
  • enterprise management can make certain decisions regarding the organization of business processes and information processing processes at the enterprise, based on the desire to reduce current costs and reduce the burden on personnel, without taking into account the economic consequences of insufficient security of information resources;
  • the policyholder and the insurer may not conclude an agreement on insurance of information risks or establish inadequate parameters for such an agreement due to the fact that there are no models and methods for assessing the economic parameters of the transaction.

Analysis of investments in information security tools

In the course of their day-to-day activities, enterprises constantly deal with change: business processes are refined, conditions on sales markets and on the markets for consumed material resources and services change, new technologies appear, competitors and counterparties change their behavior, legislation and government policy change, and so on. Under these conditions, managers (including those responsible for information security) have to constantly analyze the changes taking place and adapt their work to the changing situation. The specific forms the managers' response takes may vary: a change in marketing policy, reorganization of business processes, a change of technology or of the product being manufactured, a merger with or acquisition of competitors, and so on. However, for all the variety of possible models of behavior in a changing environment, almost all of them share one important methodological element: in most cases, the response of a business to new threats and new opportunities involves new, more or less long-term and resource-intensive investments in certain organizational and/or technical measures which, on the one hand, consume resources (money) and, on the other, make it possible to obtain new benefits, expressed as an increase in income or a reduction in some current expenses.

Thus, when some new organizational or technical measure (project) has to be carried out, the main task of those responsible for the effective organization of information security is to clearly identify the costs that will have to be incurred in connection with its implementation (both one-time and ongoing) and the additional (new) cash flows that will be received. Here cash flow can be understood as cost savings, loss prevention and additional income for the enterprise.

In economic practice, it is customary to use the return on investment function as the main indicator reflecting this ratio.

(14.1)

The discounting function is used when analyzing investments to take into account the influence of the time factor and bring costs at different times to one point (usually the moment the project begins implementation). The discount rate in this case takes into account changes in the value of money over time.

The return on investment model (14.1) clearly shows the two main tasks that must be solved when analyzing any investment project, and in particular a project to implement information security measures: calculating the costs associated with the project and calculating the additional cash flow. Whereas the methodology for calculating total costs () has, over the past 10-15 years, been essentially fully formed (as the Total Cost of Ownership, TCO, concept) and is actively used in practice for various types of information systems and elements of information infrastructure, the calculation of the additional cash flow () resulting from investments in information security tools usually causes serious difficulties. One of the most promising approaches to calculating this indicator is a methodology based on a quantitative (monetary) assessment of the risks of damage to information resources and an assessment of the reduction of these risks resulting from the implementation of additional information protection measures.

Thus, in general, the composition of the methodology for analyzing the feasibility of investing in projects aimed at ensuring information security is schematically presented in Fig. 14.1.

Analyzing the costs associated with a project, although the relatively simpler task, can still cause some difficulties. As with many other information technology projects, the costs of implementing information security projects are best analyzed using the well-known Total Cost of Ownership (TCO) methodology, introduced by the consulting company Gartner Group in 1987 for personal computers. In general, this methodology is aimed at ensuring that the analysis of costs (both direct and indirect) associated with information technology and information systems is complete in situations where the economic consequences of implementing and using such systems must be assessed: when assessing the effectiveness of investments, comparing alternative technologies, drawing up capital and operating budgets, and so on.

In general, the total TCO value includes:

  • information system design costs;
  • costs for the acquisition of hardware and software: computer equipment, network hardware, software (taking into account the licensing methods used), as well as leasing payments;
  • software development costs, including documentation, as well as the correction of errors and improvements during the period of operation;
  • costs for the ongoing administration of information systems (including payment for the services of third-party organizations to which these functions are outsourced);
  • technical support and service costs;
  • costs of consumables;
  • costs of telecommunications services (Internet access, dedicated and switched communication channels, etc.);
  • costs for training users, as well as employees of IT departments and the information security department;
  • indirect costs: the costs to the enterprise of the time lost by users in the event of information system failures.

Also, when calculating the costs of increasing the level of information security, it is necessary to include the costs of reorganizing business processes and of work with personnel: payment for the services of business consultants and information security consultants, costs for the development of organizational documentation, costs for conducting audits of the state of information security, etc. In addition, when analyzing costs, it is also necessary to take into account the fact that in most cases the introduction of information security tools brings additional responsibilities for enterprise personnel and the need to carry out additional operations when working with information systems. This causes a slight decrease in the productivity of the company’s employees and, accordingly, may cause additional costs.
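As an added illustration (not code from the lecture), the following Python script works the investment analysis through for a constructed project: it sums a TCO breakdown like the one listed above, discounts the costs to the project start, estimates the additional cash flow as the reduction in expected losses from a quantitative risk assessment (net of the productivity drag just mentioned), and compares the two. The annualized-loss form of the risk assessment, the ROI formula as (benefit − cost) / cost, and all ruble figures are assumptions, since the lecture gives only the structure of model (14.1).

```python
"""Discounted cost/benefit analysis of an information-security project.
Added illustration; formulas and all ruble figures are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TcoItem:
    """One line of the total-cost-of-ownership breakdown."""
    name: str
    one_time: float  # paid at project start (year 0), not discounted
    annual: float    # recurring cost paid at the end of each year of operation


@dataclass(frozen=True)
class Risk:
    """A quantitatively assessed risk before and after the project (assumed
    annualized-loss form: expected loss = damage per incident x incidents/year)."""
    name: str
    loss_per_incident: float
    incidents_per_year_before: float
    incidents_per_year_after: float


def discount_factor(rate, year):
    """Bring a cash flow occurring `year` years after project start to year 0."""
    return 1.0 / (1.0 + rate) ** year


def discounted_tco(items, years, rate):
    """Total cost of ownership over the project horizon, discounted to year 0."""
    total = sum(i.one_time for i in items)
    recurring = sum(i.annual for i in items)
    for year in range(1, years + 1):
        total += recurring * discount_factor(rate, year)
    return total


def annual_loss_expectancy(risks, after):
    """Expected yearly damage across all risks, with or without the measures."""
    return sum(
        r.loss_per_incident
        * (r.incidents_per_year_after if after else r.incidents_per_year_before)
        for r in risks
    )


def discounted_benefit(risks, years, rate, productivity_loss_per_year=0.0):
    """Additional cash flow: avoided expected losses, net of the productivity
    drag caused by extra security procedures, discounted like the costs."""
    avoided = (annual_loss_expectancy(risks, after=False)
               - annual_loss_expectancy(risks, after=True))
    net_per_year = avoided - productivity_loss_per_year
    return sum(net_per_year * discount_factor(rate, y) for y in range(1, years + 1))


def return_on_investment(benefit, cost):
    """ROI as (discounted benefit - discounted cost) / discounted cost."""
    if cost <= 0:
        raise ValueError("cost must be positive to compute ROI")
    return (benefit - cost) / cost


# Constructed sample project: stronger authentication plus an IDS, 3-year
# horizon, 10 % discount rate. All figures are illustrative only.
SAMPLE_TCO = [
    TcoItem("system design", one_time=500_000, annual=0),
    TcoItem("hardware and software licences", one_time=3_000_000, annual=300_000),
    TcoItem("administration (partly outsourced)", one_time=0, annual=600_000),
    TcoItem("user and IT-staff training", one_time=200_000, annual=50_000),
    TcoItem("security audits and consultants", one_time=0, annual=400_000),
]
SAMPLE_RISKS = [
    Risk("targeted attack", 16_100_000, 0.25, 0.05),
    Risk("malware outbreak", 1_600_000, 2.0, 0.5),
    # The measures do nothing for lost laptops, so this risk is unchanged.
    Risk("physical loss of mobile devices", 2_100_000, 0.5, 0.5),
]
SAMPLE_YEARS = 3
SAMPLE_RATE = 0.10
SAMPLE_PRODUCTIVITY_LOSS = 120_000  # staff time lost to the extra procedures


def evaluate_project(items=SAMPLE_TCO, risks=SAMPLE_RISKS, years=SAMPLE_YEARS,
                     rate=SAMPLE_RATE, productivity_loss=SAMPLE_PRODUCTIVITY_LOSS):
    """Return the intermediate figures and the ROI for one project variant."""
    cost = discounted_tco(items, years, rate)
    benefit = discounted_benefit(risks, years, rate, productivity_loss)
    return {
        "ale_before": annual_loss_expectancy(risks, after=False),
        "ale_after": annual_loss_expectancy(risks, after=True),
        "discounted_cost": cost,
        "discounted_benefit": benefit,
        "roi": return_on_investment(benefit, cost),
    }
```

Calling `evaluate_project()` with the sample data gives a discounted cost of about 7.06 million rubles against a discounted benefit of about 13.68 million, an ROI of roughly 0.94; changing the incident rates or the discount rate shows how sensitive the decision is to the estimates, which is the point the lecture makes about intermediate parameter estimates.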

How to justify the costs of information security?

Reprinted with the kind permission of OJSC InfoTex Internet Trust.

Company maturity levels

Gartner Group identifies four levels of company maturity with respect to information security (IS):

  • Level 0:
    • No one in the company is responsible for information security; management does not recognize the importance of information security problems;
    • There is no funding;
    • Information security relies on the built-in features of operating systems, DBMS and applications (password protection, access control to resources and services).
  • Level 1:
    • Management regards information security as a purely "technical" problem; there is no unified program (concept, policy) for developing the company's information security management system (ISMS);
    • Funding is provided within the overall IT budget;
    • Information security is implemented with the level 0 tools plus backup tools, antivirus tools, firewalls and VPN tools (traditional security tools).
  • Level 2:
    • Management regards information security as a complex of organizational and technical measures, understands its importance for production processes, and has approved a program for developing the company's ISMS;
    • Information security is implemented with the level 1 tools plus strong authentication tools, email and web content analysis tools, IDS (intrusion detection systems), security analysis (vulnerability scanning) tools, SSO (single sign-on), PKI (public key infrastructure) and organizational measures (internal and external audit, risk analysis, information security policy, regulations, procedures, standards and guidelines).
  • Level 3:
    • Information security is part of the corporate culture, and a senior information security officer (CISO) has been appointed;
    • Funding is provided from a separate budget;
    • Information security is implemented with the level 2 tools plus an information security management system, a CSIRT (computer security incident response team) and SLAs (service level agreements).

According to Gartner Group (2001 data), companies are distributed across the four levels as follows:

  • Level 0: 30%;
  • Level 1: 55%;
  • Level 2: 10%;
  • Level 3: 5%.

Gartner Group's forecast for 2005 was:

  • Level 0: 20%;
  • Level 1: 35%;
  • Level 2: 30%;
  • Level 3: 15%.

The statistics show that at the time of the survey the majority of companies (55%) had implemented only the minimum required set of traditional technical protection tools (level 1).

When implementing various technologies and security measures, questions often arise: what to implement first, an intrusion detection system or a PKI? Which will be more effective? Stephen Ross, director at Deloitte & Touche, proposes the following approach to assessing the effectiveness of individual information security measures and tools.

The graph accompanying his approach (not reproduced here) shows that the most expensive and least effective are specialized tools (developed in-house or custom-made).

Expensive, but at the same time the most effective, are category 4 protection products (levels 2 and 3 in the Gartner Group model). Implementing tools of this category requires a risk analysis procedure, which ensures that the implementation costs are adequate to the existing threats of information security violations.

The cheapest, yet highly effective, are organizational measures (internal and external audit, risk analysis, information security policy, business continuity plan, regulations, procedures, standards and guidelines).

Introducing additional protection tools (moving to levels 2 and 3) requires significant financial investment and, accordingly, justification. The absence of a unified ISMS development program approved and signed by management makes it harder to justify investment in security.

Risk analysis

Such justification can be provided by the results of risk analysis and by accumulated incident statistics. The mechanisms for carrying out risk analysis and collecting statistics should be specified in the company's information security policy.

The risk analysis process consists of six sequential stages:

1. Identification and classification of protected objects (company resources to be protected);

2. Categorization of protected objects;

3. Building an attacker model;

4. Identification, classification and analysis of threats and vulnerabilities;

5. Risk assessment;

6. Selection of organizational measures and technical means of protection.

At the identification and classification stage, an inventory of the company's resources is taken in the following areas:

  • Information resources (confidential and critical company information);
  • Software resources (OS, DBMS, critical applications such as ERP);
  • Physical resources (servers, workstations, network and telecommunications equipment);
  • Service resources (email, web, etc.).

Categorization determines the level of confidentiality and criticality of a resource. Confidentiality is the level of secrecy of the information stored, processed and transmitted by the resource. Criticality is the degree to which the resource affects the efficiency of the company's production processes (for example, if its telecommunications resources go down, a provider company may go bankrupt). By assigning qualitative values to the confidentiality and criticality parameters, the significance of each resource to the company's production processes can be determined.

To determine the importance of company resources from an information security point of view, the two parameters are combined in a table of confidentiality against criticality (the table itself is not reproduced here).

For example, files containing information about employees' salaries have the value "strictly confidential" for the confidentiality parameter and "insignificant" for the criticality parameter. Substituting these values into the table gives an integral indicator of the significance of this resource. Various categorization methods are described in the international standard ISO/IEC TR 13335.

Building an attacker model is the process of classifying potential violators according to the following parameters:

  • Type of attacker (competitor, client, developer, company employee, etc.);
  • The position of the attacker in relation to the objects of protection (internal, external);
  • Level of knowledge about protected objects and the environment (high, medium, low);
  • Level of ability to access protected objects (maximum, average, minimum);
  • Duration of action (constantly, at certain time intervals);
  • Location of action (the expected location of the attacker during the attack).

By assigning qualitative values ​​to the listed parameters of the attacker’s model, one can determine the attacker’s potential (an integral characteristic of the attacker’s capabilities to implement threats).

Identification, classification and analysis of threats and vulnerabilities determine the ways in which attacks on protected objects can be carried out. Vulnerabilities are properties of a resource or its environment that an attacker uses to implement threats. Lists of known vulnerabilities in software products are published on the Internet (vendor advisories and public vulnerability databases).

Threats are classified according to the following criteria:

  • name of the threat;
  • type of attacker;
  • means of implementation;
  • exploited vulnerabilities;
  • actions taken;
  • implementation frequency.

The main parameter is the frequency of threat implementation. It depends on the values of the "attacker potential" and "resource security" parameters; the value of "resource security" is determined by expert assessment. When determining the frequency, the attacker's subjective parameters are also taken into account: motivation to implement the threat and statistics on attempts to implement threats of this type (if available). The result of the threat and vulnerability analysis stage is an estimate of the "implementation frequency" parameter for each threat.

At the risk assessment stage, the potential damage from information security threats is determined for each resource or group of resources.

The qualitative indicator of damage depends on two parameters:

  • Significance of the resource;
  • Frequency of threat implementation on this resource.

Based on the damage assessments obtained, adequate organizational measures and technical means of protection are reasonably selected.

Accumulation of statistics on incidents

The only weak point in the proposed risk assessment methodology, and thus in justifying the introduction of new or the change of existing protection technologies, is determining the "frequency of threat implementation" parameter. The only way to obtain objective values for this parameter is to accumulate incident statistics. Statistics accumulated, for example, over a year make it possible to determine the number of implementations of threats (of a certain type) against resources (of a certain type). It is advisable to collect these statistics as part of the incident handling procedure.
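As an added worked example (not code from the source article or from InfoTex), the six risk analysis stages above and the use of incident statistics for the frequency parameter can be put together as follows. The three-point scales, the rules that combine them (significance as the higher of confidentiality and criticality, attacker potential as the rounded-up mean of knowledge and access, frequency rising with potential and falling with resource security, damage as their product), the thresholds that turn incident counts into a frequency level, the measure catalogue and the sample inventory, attacker model and incident records are all assumptions made for illustration:

```python
# Added worked example (not from the source article) of the six risk analysis stages above and
# of incident statistics feeding the frequency parameter. All scales, rules, thresholds and sample data are assumed.
from collections import Counter
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
def clamp(value: int) -> Level:
    return Level(min(max(int(value), 1), 3))

@dataclass(frozen=True)
class Resource:             # stage 1 inventory entry
    name: str
    kind: str               # information / software / physical / service
    confidentiality: Level  # stage 2 parameter
    criticality: Level      # stage 2 parameter
    security: Level         # expert "resource security" rating used in stage 4

def significance(resource: Resource) -> Level:
    """Stage 2 (assumed rule): the higher of confidentiality and criticality."""
    return Level(max(resource.confidentiality, resource.criticality))

@dataclass(frozen=True)
class Attacker:             # stage 3 attacker-model entry
    internal: bool
    knowledge: Level
    access: Level

def attacker_potential(attacker: Attacker) -> Level:
    """Assumed rule: rounded-up mean of knowledge and access; insiders get at least MEDIUM knowledge."""
    knowledge = max(attacker.knowledge, Level.MEDIUM) if attacker.internal else attacker.knowledge
    return clamp(-(-(knowledge + attacker.access) // 2))

@dataclass(frozen=True)
class Threat:               # stage 4: who does what to which resource kind
    name: str
    attacker: Attacker
    target_kind: str

def expert_frequency(threat: Threat, resource: Resource) -> Level:
    """Assumed rule: frequency grows with attacker potential and falls with resource security."""
    return clamp(attacker_potential(threat.attacker) - resource.security + 2)

def observed_frequency(incidents, threat: Threat, resource: Resource):
    """Frequency from a year of (threat name, resource kind) incident records; assumed thresholds
    0 -> LOW, 1-2 -> MEDIUM, 3+ -> HIGH. None when the statistics never mention this threat."""
    counts = Counter(incidents)
    if not any(name == threat.name for name, _ in counts):
        return None
    n = counts[(threat.name, resource.kind)]
    return Level.HIGH if n >= 3 else Level.MEDIUM if n >= 1 else Level.LOW

def risk(significance_level: Level, frequency: Level) -> Level:
    """Stage 5 (assumed damage matrix): product of significance and frequency."""
    product = significance_level * frequency
    return Level.HIGH if product >= 6 else Level.MEDIUM if product >= 3 else Level.LOW

MEASURES = {  # stage 6: illustrative catalogue, organisational measure first, then technical
    "credential theft": ["password regulation and user training", "multi-factor authentication"],
    "data exfiltration by insider": ["need-to-know access regulation", "access logging and DLP"],
    "DoS on public service": ["business continuity plan", "traffic filtering and rate limiting"],
}

def analyse(resources, threats, incidents=()):
    """Stages 1-6; returns (resource, threat, risk, measures) rows, highest risk first."""
    rows = []
    for resource in resources:
        for threat in threats:
            if threat.target_kind != resource.kind:
                continue
            frequency = observed_frequency(incidents, threat, resource)  # statistics first,
            if frequency is None:                                        # expert estimate as fallback
                frequency = expert_frequency(threat, resource)
            level = risk(significance(resource), frequency)
            measures = MEASURES.get(threat.name, []) if level >= Level.MEDIUM else []
            rows.append((resource.name, threat.name, level, measures))
    return sorted(rows, key=lambda row: row[2], reverse=True)
# Constructed sample inventory, attacker model and one year of incident records.
RESOURCES = [
    Resource("payroll files", "information", Level.HIGH, Level.LOW, Level.MEDIUM),
    Resource("ERP server", "software", Level.MEDIUM, Level.MEDIUM, Level.MEDIUM),
    Resource("public web site", "service", Level.LOW, Level.HIGH, Level.LOW),
    Resource("office printers", "physical", Level.LOW, Level.LOW, Level.LOW),
]
INSIDER = Attacker(internal=True, knowledge=Level.LOW, access=Level.HIGH)
OUTSIDER = Attacker(internal=False, knowledge=Level.LOW, access=Level.LOW)
THREATS = [
    Threat("data exfiltration by insider", INSIDER, "information"),
    Threat("credential theft", OUTSIDER, "software"),
    Threat("DoS on public service", OUTSIDER, "service"),
    Threat("theft of equipment", OUTSIDER, "physical"),
]
INCIDENTS = [("DoS on public service", "service")] * 3 + [("credential theft", "software")]

if __name__ == "__main__":
    for name, threat, level, measures in analyse(RESOURCES, THREATS, INCIDENTS):
        print(f"{level.name:6} {name:16} {threat:28} {', '.join(measures) or '-'}")
```

Run stand-alone, the script prints the rows sorted by risk. The ERP server row is the point of the exercise: the expert rule rates the frequency of credential theft by a low-potential outsider as low, but the one recorded incident raises it to medium and the risk to medium, so a measure is selected. That is exactly the correction incident statistics are meant to supply to the "frequency of threat implementation" parameter, while the insider threat to the payroll files, for which no statistics exist, still has to rely on the expert estimate.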

Investors put money into a range of computer security technologies, from bug bounty platforms to program diagnostics and automated testing. Most attractive of all are authentication and identity management technologies: about $900 million had been invested in startups working on them by the end of 2019.

Investments in cybersecurity training startups reached $418 million in 2019, led by KnowBe4, which raised $300 million. The startup offers a phishing attack simulation platform and a range of training programs.

In 2019, companies involved in Internet of Things security received about $412 million. The leader in this category in terms of investment volume is SentinelOne, which in 2019 received $120 million for the development of endpoint protection technologies.

At the same time, Metacurity analysts provide other figures for venture financing in the information security sector. In 2019, the volume of investment reached $6.57 billion, up from $3.88 billion in 2018. The number of deals also increased, from 133 to 219, while the average investment per deal remained virtually unchanged at $29.2 million at the end of 2019, according to Metacurity's calculations.

2018

Growth by 9% to $37 billion - Canalys

In 2018, sales of equipment, software and services intended for information security (IS) reached $37 billion, an increase of 9% compared to a year ago ($34 billion). Such data was published by Canalys analysts on March 28, 2019.

Despite many companies prioritizing protecting their assets, data, endpoints, networks, employees and customers, cybersecurity accounted for only 2% of total IT spending in 2018, they said. However, more and more new threats are emerging, they are becoming more complex and more frequent, which provides manufacturers of information security solutions with new opportunities for growth. Total cybersecurity spending is expected to exceed $42 billion in 2020.

Canalys analyst Matthew Ball believes that the transition to new models of information security implementation will accelerate. Customers are changing the nature of their IT budgets by using public cloud services and flexible subscription-based services.

About 82% of information security deployments in 2018 involved the use of traditional hardware and software. In the remaining 18% of cases, virtualization, public clouds and information security services were used.

By 2020, the share of traditional models for deploying information security systems will drop to 70%, as new solutions on the market are gaining popularity.

Vendors will need to create a range of business models to support this transition, as different products suit different types of deployment. The main challenge for many today is to make the new models more partner-channel oriented and to integrate them with existing partner programs, especially for customer transactions through cloud platforms. Some cloud marketplaces have already responded by allowing partners to make individual offers and prices directly to customers, tracking deal registrations and discounts, Matthew Ball wrote in a March 29, 2019 post.

According to Canalys analyst Ketaki Borade, leading cybersecurity technology vendors have introduced new product distribution models that involve companies moving to a subscription model and increasing operations in the cloud infrastructure.


“The cybersecurity market remained highly dynamic and saw record deal activity and volume in response to increasing regulatory and technical requirements, as well as the continued widespread risk of data breaches,” said Eric McAlpine, co-founder and managing partner of Momentum Cyber. “We believe this momentum will continue to push the sector into new territory as it seeks to address emerging threats and consolidates in the face of supplier fatigue and growing skills shortages.”

2017

Cybersecurity expenses exceeded $100 billion

In 2017, global spending on information security (IS) - products and services - reached $101.5 billion, the Gartner research company said in mid-August 2018. At the end of 2017, experts estimated this market at $89.13 billion. It is not reported what caused the significant increase in valuation.

“CISOs are looking to help their organizations securely use technology platforms to become more competitive and drive business growth,” says Siddharth Deshpande, research director at Gartner. “Continued skills shortages and regulatory changes such as the General Data Protection Regulation (GDPR) in Europe are driving further growth in the cybersecurity services market.”

Experts believe that one of the key factors behind rising information security costs is the introduction of new methods of detecting and responding to threats, which became the top security priority of organizations in 2018.

According to Gartner, in 2017 organizations' spending on cyber protection services worldwide exceeded $52.3 billion. In 2018, these costs will rise to $58.9 billion.

In 2017, companies spent $2.4 billion on application protection, $2.6 billion on data protection and $185 million on cloud security services.

Annual sales of identity and access management (IAM) solutions amounted to $8.8 billion. Sales of IT infrastructure protection tools increased to $12.6 billion.

The study also points to $10.9 billion in spending on network security equipment. Vendors of information security risk management systems earned $3.9 billion.

Consumer cybersecurity spending for 2017 is estimated by analysts at $5.9 billion, according to a Gartner study.

Gartner estimated the market size at $89.13 billion

In December 2017, it became known that global company spending on information security (IS) in 2017 would amount to $89.13 billion. According to Gartner, corporate spending on cybersecurity will exceed the 2016 amount of $82.2 billion by almost $7 billion.

Experts consider information security services to be the largest expense item: in 2017, companies will allocate over $53 billion for these purposes compared to $48.8 billion in 2016. The second largest segment of the information security market is infrastructure protection solutions, the costs of which in 2017 will amount to $16.2 billion instead of $15.2 billion a year ago. Network security equipment is in third place ($10.93 billion).

The structure of information security expenses also includes consumer software for information security and identification and access management systems (Identity and Access Management, IAM). Gartner estimates costs in these areas in 2017 at $4.64 billion and $4.3 billion, while in 2016 the figures were at $4.57 billion and $3.9 billion, respectively.

Analysts expect further growth in the information security market: in 2018, organizations will increase spending on cyber protection by another 8% and allocate a total of $96.3 billion for these purposes. Among the growth factors, experts listed changing regulation in the information security sector and awareness of new threats and the pivot of companies to a digital business strategy.

In general, spending on cybersecurity is largely driven by companies’ response to information security incidents, as the number of high-profile cyberattacks and information leaks affecting organizations around the world is growing, says Ruggero Contu, research director at Gartner, commenting on the forecast.

The analyst's words are confirmed by data obtained by Gartner in a 2016 survey of 512 organizations from eight countries, including Australia, Canada, France, Germany, India, Singapore and the USA.

53% of respondents named cybersecurity risks as the main driving force behind increased cybersecurity spending. Of this number, the highest percentage of respondents said that the threat of cyberattacks most influences information security spending decisions.

Gartner's forecast for 2018 calls for increased spending across all major areas: about $57.7 billion (+$4.65 billion) on cyber protection services, about $17.5 billion (+$1.25 billion) on infrastructure security, $11.67 billion (+$735 million) on network security equipment, $4.74 billion (+$109 million) on consumer software and $4.69 billion (+$416 million) on IAM systems.

Analysts also believe that by 2020, more than 60% of organizations in the world will invest simultaneously in several data protection tools, including information loss prevention, encryption and auditing tools. As of the end of 2017, the share of companies purchasing such solutions was estimated at 35%.

Another significant item of corporate expenditure on information security will be the involvement of third-party specialists. It is expected that, against the backdrop of a shortage of personnel in the field of cybersecurity, the growing technical complexity of information security systems and increasing cyber threats, company costs for information security outsourcing in 2018 will increase by 11% and amount to $18.5 billion.

Gartner estimates that by 2019, corporate spending on third-party cybersecurity experts will account for 75% of total cybersecurity software and hardware spending, up from 63% in 2016.

IDC predicts market size to be $82 billion

Two-thirds of the costs will come from companies classified as large and very large businesses. By 2019, according to IDC analysts, the costs of corporations with more than 1,000 employees will exceed the $50 billion mark.

2016: Market volume $73.7 billion, growth 2 times more than the IT market

In October 2016, the analytical company IDC presented brief results of a study of the global information security market. Its growth is expected to be twice that of the IT market.

IDC calculated that global sales of equipment, software and services for cyber protection would reach about $73.7 billion in 2016 and would exceed $100 billion in 2020, reaching $101.6 billion. From 2016 to 2020 the information security technology market will grow at an average rate of 8.3% per year, twice the expected growth rate of the IT industry.


The largest information security expenses ($8.6 billion) at the end of 2016 are expected in banks. In second, third and fourth place in terms of the size of such investments will be discrete production enterprises, government agencies and continuous production enterprises, respectively, which will account for about 37% of expenses.

Analysts give leadership in the dynamics of increasing information security investments to healthcare (an average annual growth of 10.3% is expected in 2016-2020). The costs of cyber protection in the telecom, housing sector, government agencies and in the investment and securities market will rise by approximately 9% per year.

Researchers call the American market the largest information security market, the volume of which will reach $31.5 billion in 2016. The top three will also include Western Europe and the Asia-Pacific region (excluding Japan). There is no information on the Russian market in the short version of the IDC study.

General Director of the Russian company Security Monitor Dmitry Gvozdev predicts an increase in the share of services in total Russian security spending from 30-35% to 40-45%, and also predicts the development of the client structure of the market - from the total predominance of the government, financial and energy sectors towards medium-sized enterprises from a wider range of industries.

One of the trends should be the development of the share of domestic software products in connection with issues of import substitution and the foreign policy situation. However, the extent to which this will be reflected in financial indicators will largely depend on the ruble exchange rate and the pricing policy of foreign vendors, who still occupy at least half of the domestic market for software solutions and up to two-thirds in the equipment segment. The final annual financial result of the entire Russian information security solutions market can also be tied to external economic factors, Gvozdev said in a conversation with TAdviser.

2015

(The original page carried an infographic for 2015 with panels titled Market Size, Federal Spending, Cyber Crime, Cost-per-Breach, Financial Services, International and Security Analytics; its figures are not reproduced here.)

2013: The EMEA market grew to $2.5 billion.

The volume of the security equipment market in the EMEA region (Europe, Middle East and Africa) grew by 2.4% compared to 2012 and amounted to $2.5 billion. Analysts named multifunctional hardware and software systems for protecting computer networks, UTM (Unified Threat Management) solutions, the largest and fastest-growing segment of the market. IDC also predicted that the information security hardware market would reach $4.2 billion in value by 2018, with average annual growth of 5.4%.

At the end of 2013, the leading position among suppliers in terms of revenue from sales of information security equipment in the EMEA region was taken by Check Point. According to IDC, the vendor's revenue in this segment for 2013 grew by 3.8% and amounted to $374.64 million, which corresponds to a market share of 19.3%.

2012: Forecast PAC: The information security market will grow by 8% per year

The global information security market will grow by 8% annually until 2016, when it could reach 36 billion euros, the study reported.

As already noted, the security of an enterprise is ensured by a set of measures at all stages of the life cycle of the enterprise and its information system, and in general consists of the costs of:

  • design work;
  • procurement and configuration of software and hardware protection tools;
  • ensuring physical security;
  • personnel training;
  • system management and support;
  • information security audits;
  • periodic modernization of the information security system, etc.

The cost indicator of the economic efficiency of an integrated information security system is the sum of the direct and indirect costs of organizing, operating and maintaining the system over a year.

It can be treated as the key quantitative indicator of how well information security is organized in a company, since it allows not only the total cost of protection to be estimated but also these costs to be managed so as to achieve the required level of enterprise security. Direct costs include both capital cost components and labor costs, which fall into the operations and administrative management categories. They also include the cost of services for remote users and other costs related to supporting the organization's activities.

Indirect costs, in turn, reflect the impact of the integrated security system and its information security subsystem on employees through measurable indicators such as downtime and hangs of the corporate information security system and of the integrated security system as a whole, and the associated operations and support costs.

Indirect costs very often play a significant role, since they are usually not reflected in the initial budget for the comprehensive security system but are revealed later during cost analysis, which ultimately increases the company's "hidden" costs. Let us consider how the direct and indirect costs of a comprehensive security system can be determined. Assume that the management of an enterprise is implementing a comprehensive information security system: the objects and goals of protection, the threats to information security and the countermeasures have already been identified, and the necessary information protection tools have been purchased and installed.

Typically, information security costs fall into the following categories:

  • costs of forming and maintaining the management link of the information security system;
  • costs of control, that is, of determining and confirming the achieved level of security of enterprise resources;
  • internal costs of eliminating the consequences of an information security violation, incurred by the organization because the required level of security was not achieved;
  • external costs of eliminating the consequences of an information security violation: compensation for losses due to security policy violations involving information leakage, damage to the company's image, loss of trust of partners and customers, etc.;
  • costs of maintaining the information security system and of measures to prevent violations of the enterprise security policy.

One-time and recurring costs are usually distinguished.

One-time costs of creating enterprise security: organizational costs and costs of acquiring and installing protection tools.

Recurring costs: operating and maintenance costs. This classification is conditional, since the collection, classification and analysis of information security costs are internal activities of the enterprise, and the detailed list depends on the characteristics of a particular organization.

The main thing when determining the costs of a security system is mutual understanding and agreement on cost items within the enterprise.

In addition, cost categories should be consistent and should not duplicate each other. It is impossible to completely eliminate security costs, but they can be reduced to an acceptable level.

Some security costs are absolutely necessary, and some can be significantly reduced or eliminated. The latter are those that may disappear in the absence of security breaches or will decline if the number and destructive impact of breaches decreases.

By maintaining security and preventing violations, the following costs can be eliminated or significantly reduced:

  • restoring the security system to meet security requirements;
  • restoring the resources of the enterprise information environment;
  • rework within the security system;
  • legal disputes and compensation payments;
  • identifying the causes of security violations.

Necessary costs are those that are necessary even if the level of security threats is quite low. These are the costs of maintaining the achieved level of security of the enterprise information environment.

Unavoidable costs may include:

  • a) maintenance of technical protective equipment;
  • b) confidential records management;
  • c) operation and audit of the security system;
  • d) minimum level of inspections and control with the involvement of specialized organizations;
  • e) training of personnel in information security methods.

However, there are other costs that are quite difficult to determine. Among them:

  • a) the costs of conducting additional research and developing a new market strategy;
  • b) losses from lowering the priority in scientific research and the inability to patent and sell licenses for scientific and technical achievements;
  • c) costs associated with eliminating bottlenecks in the supply, production and marketing of products;
  • d) losses from compromise of products manufactured by the enterprise and reduction in prices for them;
  • e) the occurrence of difficulties in acquiring equipment or technologies, including increasing prices for them, limiting the volume of supplies.

The listed costs can be caused by the actions of personnel of various departments, for example, design, technological, economic planning, legal, economic, marketing, tariff policy and pricing.

Since employees of all these departments are unlikely to be busy full-time with issues of external losses, the establishment of the amount of costs must be carried out taking into account the actual time spent. One of the elements of external losses cannot be accurately calculated - these are losses associated with undermining the image of the enterprise, reducing consumer confidence in the products and services of the enterprise. It is for this reason that many corporations hide the fact that their service is unsafe. Corporations fear the release of such information even more than they fear attacks in one form or another.

However, many businesses ignore these costs on the grounds that they cannot be determined with any accuracy and can only be estimated.

Costs of preventive measures. These costs are probably the most difficult to estimate, because preventive activities are carried out across different departments and affect many services. They can appear at all stages of the life cycle of the enterprise information environment's resources:

  • planning and organization;
  • acquisition and commissioning;
  • delivery and support;
  • monitoring of the processes that make up the information technology.

In addition, most of the costs in this category are related to security personnel. Prevention costs primarily include wages and overhead. However, the accuracy of their determination largely depends on the accuracy of determining the time spent by each employee individually. Some precautionary costs are easy to identify directly. They may, in particular, include payment for various works of third parties, for example:

  • maintenance and configuration of the software and hardware protection tools, operating systems and network equipment used;
  • engineering and technical work to install alarm systems, equip storage facilities for confidential documents, protect telephone lines, computer equipment, etc.;
  • delivery of confidential information;
  • consultations;
  • training courses.

Sources of information about the costs considered. When determining the costs of providing information security, it should be remembered that:

  • costs of acquiring and commissioning software and hardware can be obtained from invoices, warehouse records, etc.;
  • payments to staff can be taken from payroll statements;
  • wage payments should be counted according to the actual time spent on information security work; if only part of an employee's time is spent on information security activities, each component of that time should still be assessed rather than dismissed as impractical;
  • classification of security costs and their allocation to elements should become part of daily work within the enterprise.