Computing Reviews
Cybersecurity investments : decision support under economic aspects
Beissel S., Springer International Publishing, New York, NY, 2016. 281 pp. Type: Book (978-3-319304-58-8)
Date Reviewed: Sep 12 2016

After the introduction to the book in chapter 1 (five pages), chapter 2 (28 pages) looks at the foundations of cybersecurity in a broad but shallow way. Almost inevitably, this approach leads to imprecise statements, like mixing authorization and access control, and minimizing security functionality of switches. Chapter 3 (35 pages) presents cybersecurity safeguards, a logical element in a book discussing cybersecurity investments, as these typically result in changes to the existing safeguards. Here, too, the scope is kept broad, and the treatment per topic minimalistic.

From chapter 4 (60 pages) on, the focus is on economic aspects (also the title of this fourth chapter). It starts with static and dynamic financial indicators, presenting cost comparison, profit comparison, return on investment, static payback period, net present value, net future value, equivalent annual annuity, internal rate of return, and visualization of financial implications. Risk evaluation (26 pages) is a big section in this chapter, browsing over the well-known methodologies. Cybersecurity costs are covered in another important section (15 pages), distinguishing between safeguard and breach costs.
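The static and dynamic indicators listed above can be computed from one stream of cash flows. The following Python is an added worked example, not code from the book or its author: it assumes a hypothetical safeguard with a constructed outlay, yearly operating cost, expected yearly reduction in breach losses, five-year horizon and 8 % discount rate, and evaluates static ROI, static payback period, net present value, net future value, equivalent annual annuity and internal rate of return for it.

```python
"""Static and dynamic financial indicators for a cybersecurity safeguard.

Constructed example (not from the book): a safeguard costing 50,000 upfront
plus 5,000 per year to operate, expected to cut annual breach losses by
20,000, evaluated over five years at an 8 % discount rate.
"""

INVESTMENT = 50_000.0            # hypothetical one-off safeguard cost
ANNUAL_OPERATING_COST = 5_000.0  # hypothetical yearly running cost
ANNUAL_LOSS_REDUCTION = 20_000.0 # hypothetical breach cost avoided per year
YEARS = 5
RATE = 0.08                      # discount rate used for the dynamic indicators


def cash_flows(investment, op_cost, loss_reduction, years):
    """Year-0 outlay followed by the yearly net benefit of the safeguard."""
    return [-investment] + [loss_reduction - op_cost] * years


def static_roi(flows):
    """Undiscounted (static) ROI: total net benefit relative to the outlay."""
    outlay = -flows[0]
    return (sum(flows[1:]) - outlay) / outlay


def static_payback_period(flows):
    """Years until cumulative undiscounted net benefit repays the outlay
    (fractional, assuming benefits accrue evenly within a year)."""
    remaining = -flows[0]
    for year, f in enumerate(flows[1:], start=1):
        if f >= remaining:
            return year - 1 + remaining / f
        remaining -= f
    return float("inf")


def npv(rate, flows):
    """Net present value: each year's flow discounted back to year 0."""
    return sum(f / (1 + rate) ** t for t, f in enumerate(flows))


def net_future_value(rate, flows):
    """NPV compounded forward to the end of the planning horizon."""
    return npv(rate, flows) * (1 + rate) ** (len(flows) - 1)


def equivalent_annual_annuity(rate, flows):
    """Spreads the NPV into equal yearly amounts, which makes safeguards
    with different lifetimes comparable."""
    n = len(flows) - 1
    annuity_factor = (1 - (1 + rate) ** -n) / rate
    return npv(rate, flows) / annuity_factor


def irr(flows, lo=-0.99, hi=10.0, tol=1e-9):
    """Discount rate at which NPV is zero, found by bisection. Assumes a
    single sign change in the flows (outlay first, benefits afterwards)."""
    f_lo = npv(lo, flows)
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, flows)
        if abs(f_mid) < tol:
            return mid
        if (f_lo < 0) == (f_mid < 0):
            lo, f_lo = mid, f_mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    flows = cash_flows(INVESTMENT, ANNUAL_OPERATING_COST, ANNUAL_LOSS_REDUCTION, YEARS)
    print("static ROI        :", round(static_roi(flows), 3))
    print("static payback (y):", round(static_payback_period(flows), 2))
    print("NPV               :", round(npv(RATE, flows), 2))
    print("net future value  :", round(net_future_value(RATE, flows), 2))
    print("equiv. annuity    :", round(equivalent_annual_annuity(RATE, flows), 2))
    print("IRR               :", round(irr(flows), 4))
```

The static indicators ignore the time value of money, so the payback period here (about 3.3 years) looks better than the discounted picture; the NPV stays positive, but the internal rate of return (about 15 %) is the figure to compare against the organisation's required return when a cheaper, less effective safeguard competes for the same budget.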

“Foundations of Decision Making” is the topic of chapter 5 (16 pages), which answers the question: How does one select a specific solution? Two methods are presented: simple additive weighting (SAW) and analytic hierarchy process (AHP). It includes a discussion on the most common decision difficulties, like cost, time, and quality, but also presents interdependencies and manipulation as problems.

Chapter 6 is the core of the book (100 pages): “Lifecycle of Cybersecurity Investments.” The two central sections in this chapter are decision problem identification (35 pages) and preparing and doing the evaluation (40 pages). This content is illustrated with a case study featuring a payment service provider (PSP). The author presents a 15-step life cycle for investments. The first steps are initiation and sponsoring. Steps 3 to 8 go from the subsections decision problem identification to the selection of the best alternative, using the AHP-based approach. Steps 9 to 15 complete the life cycle discussion, but are of lesser importance.

Decision problem identification is about clarifying the topic of the decision. Strategy and scope determination come first.

The strategy work starts with asset and protection cause identification. The security input includes goal specification, desired protection level, and adequate solution type. The generic aspects to consider for the strategy are scope variability, budget estimate, monetary goal, and time period available for analysis.

The scope determination is based on business processes. The author also uses architecture of integrated information systems (ARIS) views--organization, data, control, function, and product view--to fine-tune the scope. Asset value measurement combined with risk analysis defines the protection requirement.

Next, the attributes of the solutions that will be evaluated are decided, including exclusion ones. The AHP method is used to derive weighting factors for the attributes in the rating function. The next steps are identification and evaluation of the alternative solutions.

The section on alternative evaluation lists factors that may influence the outcome, and therefore it is good to be aware of their existence: consistency bias, recall, recency effect, hindsight bias, and error of central or extreme tendency. Another mechanism to consider is the use of sensitivity analysis: How sensitive is the final outcome to changes in the evaluation of the attributes? Extreme cases are, for instance, one attribute determining the outcome, or attributes that do not matter at all despite their perceived need to be included in the evaluation.
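How AHP-derived weighting factors feed a rating function, and how a sensitivity check exposes an attribute that dominates or does not matter, is easier to see in code. The following Python is an added example, not the book's own material or case study: it assumes a constructed pairwise comparison matrix over four hypothetical attributes on the Saaty 1-9 scale, three hypothetical alternatives with constructed 0-1 scores, derives the weights by the row geometric mean method, checks Saaty's consistency ratio, ranks the alternatives by simple additive weighting (SAW), and then re-ranks them after scaling each weight in turn.

```python
"""AHP weighting, SAW ranking and a weight-sensitivity check.

Constructed example (not from the book): four attributes for rating candidate
safeguards, three hypothetical alternatives, judgements on Saaty's 1-9 scale.
"""
import math

# Saaty's random consistency index by matrix size (n = 1..9).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

ATTRIBUTES = ["risk_reduction", "cost", "implementation_time", "vendor_dependency"]

# Pairwise comparison matrix (constructed). Entry [i][j] states how much more
# important attribute i is than attribute j; [j][i] holds the reciprocal.
PAIRWISE = [
    [1,     3,     5,     7],
    [1 / 3, 1,     3,     5],
    [1 / 5, 1 / 3, 1,     3],
    [1 / 7, 1 / 5, 1 / 3, 1],
]

# Alternative scores per attribute, already normalised to 0..1 with "higher is
# better" (a cheap option scores high on "cost"). Constructed values.
ALTERNATIVES = {
    "A1": [0.9, 0.4, 0.6, 0.5],
    "A2": [0.7, 0.8, 0.8, 0.9],
    "A3": [0.5, 0.9, 0.9, 0.7],
}


def ahp_weights(matrix):
    """Priority weights by the row geometric mean method, normalised to sum 1."""
    gmeans = [math.prod(row) ** (1 / len(row)) for row in matrix]
    total = sum(gmeans)
    return [g / total for g in gmeans]


def consistency_ratio(matrix, weights):
    """Saaty consistency ratio CR = CI / RI with CI = (lambda_max - n) / (n - 1).
    Judgements with CR above 0.10 are conventionally sent back for revision."""
    n = len(matrix)
    if n < 3:
        return 0.0
    aw = [sum(a * w for a, w in zip(row, weights)) for row in matrix]
    lambda_max = sum(x / w for x, w in zip(aw, weights)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def saw_scores(weights, alternatives):
    """Simple additive weighting: weighted sum of attribute scores per alternative."""
    return {name: sum(w * s for w, s in zip(weights, scores))
            for name, scores in alternatives.items()}


def best(weights, alternatives):
    """Name of the alternative with the highest SAW score."""
    scores = saw_scores(weights, alternatives)
    return max(scores, key=scores.get)


def weight_sensitivity(weights, alternatives, factor):
    """Scale one attribute's weight by `factor`, renormalise, and record which
    alternative wins. Returns {attribute_index: winner}; an index whose winner
    differs from the unperturbed result marks an attribute the decision hinges on."""
    result = {}
    for i in range(len(weights)):
        perturbed = list(weights)
        perturbed[i] *= factor
        total = sum(perturbed)
        result[i] = best([w / total for w in perturbed], alternatives)
    return result


if __name__ == "__main__":
    w = ahp_weights(PAIRWISE)
    for name, weight in zip(ATTRIBUTES, w):
        print(f"{name:20s} {weight:.3f}")
    print("consistency ratio:", round(consistency_ratio(PAIRWISE, w), 3))
    print("SAW scores:", {k: round(v, 3) for k, v in saw_scores(w, ALTERNATIVES).items()})
    for factor in (0.8, 1.2, 1.5):
        winners = weight_sensitivity(w, ALTERNATIVES, factor)
        print(f"x{factor}:", {ATTRIBUTES[i]: v for i, v in winners.items()})
```

With these constructed judgements the risk-reduction attribute carries more than half the total weight; the ranking survives a 20 % change in any single weight, but scaling the risk-reduction weight by 1.5 flips the winner, which is exactly the kind of dominance the sensitivity analysis is meant to surface before the decision is signed off.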

It is safe to skip chapters 2 and 3 if you have prior security knowledge. There is not much that is “cyber” specific. That does not reduce its value in a significant way. At some point, you are bound to play some role in the introduction of new safeguards. Whatever angle--supplier, buyer, or advisor--the weighting factors determine a lot, despite the equally frequent questions about their appropriateness. The book provides an approach that is more substantiated than the methods often encountered, and moreover it points out other possible weaknesses, like dependencies between attributes, and countermeasures, like sensitivity analysis. It would have been nice if the book had dived deeper into these issues. Still, before your next investment decision, take a few hours and read this book--start with chapter 4 if you are pressed for time.

Reviewer: A. Mariën. Review #: CR144756 (1612-0885)
Categories: Security and Protection (K.6.5); Decision Support (H.4.2); Security and Protection (C.2.0); General (C.2.0)