Integrating cost–benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model

Abstract

Introduction

The development of the Internet and other interconnected digital computer networks has transformed the interactions among people, organizations, and countries. Although most would probably agree that this transformation has been positive, on balance, a clear downside of the world of interconnected digital communications systems has been the varied problems associated with actual and potential cybersecurity breaches.^1,2 Accordingly, cybersecurity risk management has become a critical concern to nations, organizations, and societies around the world. In the USA, this concern has been clearly recognized by the last three Presidents. President Bush, for example, initiated the US National Strategy to Secure Cyberspace in 2003 [6]. President Obama recognized the importance of cybersecurity in his Executive Order (EO) 13636, issued on 12 February 2013, formally titled “Improving Critical Infrastructure Cybersecurity” [7]. As noted in Section 1 of EO 13636:

The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil rights.

One of the key components of EO 13636 is the requirement that the US National Institute for Standards and Technology (NIST), which is part of the US Department of Commerce, develop a Cybersecurity Framework that includes “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks” (Section 7, part [a]). NIST was tasked with publishing this Cybersecurity Framework within 1 year from the date of EO 13636. NIST published Version 1.0 of the Cybersecurity Framework (formally entitled the “Framework for Improving the Critical Infrastructure Cybersecurity,” but usually referred to as the “NIST Cybersecurity Framework”) on 12 February 2014 [8]. The fundamental concern underlying the NIST Cybersecurity Framework is managing cybersecurity risk in a cost–benefit manner. Furthermore, the Framework explicitly recognizes that different organizations have different cybersecurity risk management needs that result in requiring different types and levels of cybersecurity investments.

President Trump gave the NIST Cybersecurity Framework a tremendous boost when he issued EO 13800 entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” on 11 May 2017 [9]. In Section 1, part (c), under (ii), EO 13800 states that “Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk.” By requiring government agencies to use the NIST Cybersecurity Framework, President Trump made the Framework the law of the land for federal government agencies. In addition, since an information system is only as strong as its weakest link, federal agencies realize that even if they were using the NIST Cybersecurity Framework, unless their contractors (i.e., firms doing business with the federal government agencies) were managing their cybersecurity risk in a manner that is consistent with the NIST Cybersecurity Framework, their compliance with EO 13800 could be jeopardized. Thus, an externality (i.e., spillover effect) of EO 13800 is that companies wanting to conduct business with the US federal government need to either use the NIST Cybersecurity Framework or use an alternative cybersecurity risk management framework that is consistent with the NIST Framework. Indeed, companies not using a cybersecurity risk management framework that is consistent with the NIST Cybersecurity Framework may find themselves being excluded from receiving government contracts.

On 16 April 2018, NIST published Version 1.1 of the Cybersecurity Framework (NIST, 2018). As noted in the 1.1 Version of the NIST Cybersecurity Framework ([10], p. 2):

The Framework is not a one-size fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances. They also will vary in how they customized practices described in the Framework. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks.

As pointed out in the next section of this article, the NIST Cybersecurity Framework has been widely adopted by companies and government agencies in the USA, as well as around the world. Indeed, the NIST Cybersecurity Framework has rapidly become one of the, if not the, most widely accepted approaches to facilitate cybersecurity risk management within organizations.

The NIST Cybersecurity Framework is intentionally broad and flexible. In essence, it provides a macro overview of how organizations should approach cybersecurity risk management, leaving the details of the implementation of the Framework to each firm. This latter point is especially true in terms of how a firm should consider the cost–benefit aspects of cybersecurity risk management when deciding on the organization’s appropriate Framework Implementation Tier. Although the NIST Framework notes that organizations should maximize the impact of each dollar spent, it lacks specificity and thus is ambiguous in terms of guidance on how to carry out this investment prioritization. Instead, NIST leaves it up to each organization to decide how to maximize the impact of the dollars spent on cybersecurity risk management. The above notwithstanding, NIST clearly recommends that organizations should maximize the impact of the dollars spent on their cybersecurity investments based on cost–benefit analysis.³

The objective of this article is to provide a logical approach for integrating cost–benefit analysis into the NIST Cybersecurity Framework. The recommended approach is based on the Gordon–Loeb Model (hereafter referred to as the GL Model) for cybersecurity investments [11, 12]. Since the Implementation Tiers discussed in the NIST Cybersecurity Framework provide organizations with a blueprint for addressing cybersecurity risk management, the specific focus in carrying out the above-noted objective will be to show how the GL Model can help organizations integrate cost–benefit analysis into the process of selecting the most appropriate NIST Implementation Tier level. As a result, the relationship between the NIST Implementation Tier levels and a firm’s appropriate level of spending on cybersecurity activities becomes much clearer. To our knowledge, this is the first study to explicitly integrate a cost–benefit model into the NIST Cybersecurity Framework. Thus, the major contribution of this article is that it helps eliminate, or at least reduce, the ambiguities associated with maximizing the impact of dollars spent on cybersecurity risk management.

The remainder of this article proceeds as follows. In the “Literature review” section of the article, we briefly review the relevant literature, including the NIST Cybersecurity Framework, and the GL Model for cybersecurity investments. “Integrating the GL Model into the NIST Framework” section focuses on integrating cost–benefit analysis via the GL Model into the NIST Cybersecurity Framework and provides a numerical example that demonstrates this integration. “Concluding comments” section of the article provides some concluding comments.

Literature review

Cybersecurity risk management

Cybersecurity risk refers to the probability (or possibility) that a potentially harmful event will result from deficient cybersecurity. Cybersecurity risk management is concerned with the process of managing cybersecurity risk. There is a large and growing body of literature that addresses issues related to cybersecurity risk management. Given the pervasive impact of digital computer-based information systems on every conceivable discipline, the discussions on the topic of cybersecurity risk management vary widely. Indeed, these discussions have focused on such issues as defining cybersecurity risk [13], developing a taxonomy of cybersecurity risk [14, 15], developing a framework for cybersecurity risk management [8, 10, 16], information security policy [17, 18], and the economics of managing cybersecurity [19–25]. Of course, a comprehensive approach to cybersecurity risk management requires an understanding of all the issues noted above and therefore it is not surprising that many of the aforementioned references address several of the issues underlying cybersecurity risk management.

The emphasis of the analysis contained in this article is focused on the economics of cybersecurity risk management applied to the NIST Cybersecurity Framework. This focus is particularly relevant and timely due to the fact that the NIST Cybersecurity Framework has become one of the most widely accepted approaches to cybersecurity risk management among organizations in both the private and public sectors of the US economy. As noted in the Introduction of this article, US federal government agencies are required to use the NIST Cybersecurity Framework, and companies wanting to do business with these agencies need to approach cybersecurity risk management in a manner consistent with the NIST Framework. This framework has also been well-received among organizations in countries other than the US, as noted in the subsequent subsection.

NIST Cybersecurity Framework⁴

When President Trump issued EO 13800, the NIST Cybersecurity Framework became the law of the land for US federal government agencies and firms wishing to do business with these agencies. Since then, the impact of the NIST Framework has been expanding [26]. According to NIST (see: https://www.nist.gov/industry-impacts/cybersecurity), “Companies from around the world have embraced the use of the Framework, including JP Morgan Chase, Microsoft, Boeing, Intel, Bank of England, Nippon Telegraph and Telephone Corporation, and the Ontario Energy Board.” Many government agencies in countries other than the USA have also embraced the NIST Cybersecurity Framework.

The overall focus of the NIST Cybersecurity Framework is to assist organizations to carry out the process of cybersecurity risk management. The three major components of the Framework are the Core, Implementation Tiers, and Profiles. The Core consists of a set of cybersecurity activities that are intended to result in specific cybersecurity outcomes. These activities are specified in terms of the following five basic functions: Identify, Protect, Detect, Respond, and Recover. The Profiles refer to the “the alignment of the Functions, Categories and Subcategories with the business requirements, risk tolerance, resources of the organization” ([10], p.11). Profiles provide the required plan for reducing an organization’s cybersecurity risk.

The Framework’s Implementation Tiers summarize the way “… an organization views its cybersecurity risk and the processes in place to manage such risk” ([10], p. 8). Organizations can be at one of the following four-tier levels: Tier 1 (Partial), Tier 2 (Risk Informed), Tier 3 (Repeatable), and Tier 4 (Adaptive). As stated by NIST ([10], p. 8), “Ranging from Partial (Tier 1) to Adaptive (Tier 4), Tiers describe an increasing degree of rigor and sophistication in cybersecurity risk management practices.” In other words, the rigor and sophistication of an organization’s risk management process increase as it moves from Tier 1 toward Tier 4.

Organizations at Tier 1 (Partial) do not have a formalized integrated cybersecurity risk management process and tend to be reactive rather than proactive toward cyber risk management. In addition, organizations at Tier 1 tend to have little interaction with other firms and/or professional cybersecurity groups (e.g., an Information Sharing Analysis Center) concerning cybersecurity risk management. Organizations at Tier 2 (Risk Informed) tend to have a formal, loosely integrated, risk management process, but enforcement of the process as an organization-wide policy is lacking. Tier 2 organizations also tend to have limited interactions with other firms and/or professional cybersecurity groups concerning cybersecurity risk management.

Tier 3 (Repeatable) organizations have formal, integrative risk management processes, as well as formal channels of communication with other firms and professional cybersecurity groups concerning cybersecurity risk management. These organizations are proactive, as well as reactive, in terms of their cybersecurity risk management. Tier 4 (Adaptive) organizations also have formal, integrative risk management processes, as well as formal channels of communication with other firms and professional groups concerning cybersecurity risk management. In addition to the proactive and reactive approaches, Tier 4 organizations take an adaptive approach to cybersecurity risk management. Thus, these organizations are continuously monitoring changes in the cybersecurity threats confronting them and revising their recovery plans to accommodate these changes. The financial and operating implications of the requisite changes in the recovery plans are also explicitly considered by organizations at Tier 4.

The four Tiers associated with the NIST Cybersecurity Framework provide organizations with an overview of how to view their cybersecurity risk management process and what needs to be done to move to a higher tier. The Tiers also provide a vehicle for analyzing the financial commitments associated with an organization’s approach to cybersecurity risk management. As stated by NIST ([10], p. 15), “The tier selection process considers an organization’s current risk management practices, business/mission objectives, supply chain cybersecurity requirements, and organizational constraints.”

Although higher Tiers indicate a higher level of rigor and an increased level of sophistication of cybersecurity risk management, it does not necessarily follow that all organizations should strive to be at the highest Tier level. The benefits derived from reaching a higher Tier are not costless. In other words, there are clearly higher costs associated with moving to a higher Tier level. Thus, the appropriate Tier is organization-specific and dependent on the cost–benefit aspects of the cybersecurity risk management process for an organization. As NIST ([10], p. 8) clearly notes, “Progression to higher Tiers is encouraged when cost-benefit analysis indicates a feasible and cost-effective reduction of cybersecurity risk.” For small firms (defined in terms of revenues, employees, and online transactions), Tier 1 or 2 may be the right tier from a cost–benefit perspective. In contrast, large, publicly traded firms would likely want to reach Tier 3 or 4. The size distinction becomes apparent when one considers the fact that getting to Tier 3 or 4 would likely involve adding a large amount of fixed costs (e.g., hiring a Chief Information Security Officer in addition to a Chief Information Officer) that would likely to be too costly for a small firm.⁵

GL Model

NIST’s recommendation that organizations should consider the cost–benefit aspects of progression to a higher Tier level is essentially suggesting that organizations need some sort of economic model or framework to answer the following question: How much should be invested in cybersecurity risk management? One economic model that directly addresses this question and that has received wide acceptance among practitioners and academicians concerned with cybersecurity is the GL Model. In 2011, e.g., the GL Model was featured in The Wall Street Journal [27]. In discussing this Model, AFCEA International Cyber Committee [28] noted that “the Gordon-Loeb model has become the ‘gold standard’ in the cyber economic models.” The 2017 report by the US Council of Better Business Bureaus concerning issues surrounding cybersecurity in small businesses in North America concluded that the GL Model is a “useful guide for organizations trying to find the right level of cybersecurity investment” ([29], p. 20). In their game-theoretic analysis of how uncertainties related to cybersecurity risk affect cybersecurity investments, Fielder et al. ([30], p. 2) noted that “The seminal work of Gordon and Loeb presents an economic model that determines the optimal amount to invest to protect a given set of information.” Iannacone and Bridges ([31], p. 11), in their discussion of economic models focused on cost–benefit analysis of cybersecurity measures, referred to the GL Model as being “the most influential model.”⁶

The GL Model assumes that organizations are vulnerable to cybersecurity breaches (i.e., 100% security is not possible from a practical perspective) and this vulnerability (denoted as $v$⁠), is essentially the probability of a breach to an organization’s information.⁷ Since the GL Model is a one-period model, $v$ represents the probability of a breach over a fixed time period such as 1 year. The value of an organization’s information represents the potential monetary loss (denoted as $L$⁠) to the organization that could result from a cybersecurity breach. Thus, $vL$ represents the expected loss from a cybersecurity breach. However, investments in cybersecurity (denoted as $z$⁠), can reduce the probability of a beach and, in turn, the expected loss from a breach. The “security breach probability function” [denoted as $s(z,v)$] represents the revised vulnerability after some level of cybersecurity investment (⁠$z$⁠). Accordingly, there are three major components that underlie the GL Model: (i) the value of the information being protected, $L$⁠, (ii) the vulnerability (including threats) or probability that an organization’s information will experience a cybersecurity breach before any additional cybersecurity investments, $v$⁠, and (iii) the productivity function underlying the way investments in cybersecurity-related activities reduce the vulnerability that a cybersecurity breach will occur, $s(z,v)$⁠. A basic assumption of the GL Model is that, for a given $vL$⁠, the benefits derived from additional investments in cybersecurity (i.e., the reduction in expected loss from a cybersecurity breach) are increasing at a decreasing rate (i.e., $sz=∂sz,v∂z<0$ and $szz=∂2sz,v∂z2>0$⁠).

Since $e$ is equal to $2.7182$⁠, Gordon and Loeb [11] were able to show that organizations should generally invest less than $37%$ of the expected loss from a cybersecurity breach. In addition, they were able to show that the optimal level of cybersecurity investment does not always increase with the level of vulnerability.

The following four-step approach can be used to implement the GL Model.

Step 1: Estimate the value of the information being protected, which also represents the potential loss (⁠$L$⁠).

Step 2: Estimate the probability that the information will be breached (i.e., estimate the information’s vulnerability [$v$] to a successful attack).

Step 3: Combine the first two steps such that the expected loss is derived.

Step 4: Allocate cybersecurity investments to the information to be protected, based on the productivity of the investments and the cost of the investments (i.e., based on cost–benefit analysis).⁹

Integrating the GL Model into the NIST Framework

Concepts

The fundamental question addressed in the GL Model is: How much should be invested in cybersecurity? Deciding on the appropriate NIST Tier level utilizing cost–benefit analysis essentially requires answering the same question. Following Gordon and Loeb [11, 12], we denote the value of the information being protected as $L$⁠, the probability of a cybersecurity breach as $v$⁠, investment in cybersecurity as $z$⁠, and the security breach probability function as $sz,v$⁠. Consequently, the expected loss from a cybersecurity breach is equal to $vL$⁠.

The NIST Framework described in “Literature Review” section includes four Tiers, where the rigor and sophistication of an organization’s risk management process increase as the organization moves from Tier 1 to Tier 4. We denote the cybersecurity investment required to adopt Tier $i$ as $zTi$⁠, where $i=0, 1, 2, 3, 4$⁠, respectively.¹⁰ Since the level of investment in cybersecurity activities will have to increase as the rigor and sophistication of an organization’s risk management process increases (i.e., cybersecurity investments are an increasing function of the Tier level), for a given firm we can state that: $0=zT0<zT1<zT2<zT3<zT4$⁠.

We thus see that $L$ (i.e., the value of the firm’s information) is a critical element of a firm’s decision to move to a higher Tier.

Proof:

The Proposition shows that, for a specific $v$⁠, the value of the information must be sufficiently large for a firm to move to a higher Tier. The more valuable the information, the more likely that it is cost–beneficial for a firm to move to a higher Tier.

More generally, the above results show that a firm’s decision to move to a higher Tier level in the NIST Cybersecurity Framework, based on cost–benefit analysis, is dependent on $v$ and $L$ for a given security breach probability function. The firm’s optimal level of investment, denoted as $z*$⁠, depends on the nature of the security probability function at the initial vulnerability level, v. In particular, the value of $z*$depends on the productivity (effectiveness) of investments at the initial vulnerability level.¹¹

That is, if the value of the expected increase in benefits from added business from achieving the next highest Tier level is greater than the right-hand side of Equation (12), the firm is motivated to increase their investments in cybersecurity activities to achieve the next highest Tier level. Thus, the NIST Framework may be able to incentivize firms to increase their investment in cybersecurity.

Example

We now provide a numerical example of the above approach. In this example, we assume that $sz,v=v(1+z2)$⁠, which is one of the two security breach probability functions examined in Gordon and Loeb [11] and the one illustrated in Gordon et al. [12]. Accordingly, we can minimize the total expected costs $v(1+z2)L+z$ to obtain the optimal cybersecurity investment level (⁠$z*$⁠). It can be easily be shown that $z*=2vL-2$is the optimal cybersecurity investment value.¹²

For the purpose of this example, let us assume that $zT1=$0.1M, zT2=$1M, zT3=$3M$ and $zT4=$7M$⁠.

Table 1 presents the levels of optimal cybersecurity investment (⁠$z*$⁠), when $v=0.1$⁠,$0.3$⁠, or$0.5$ and $L$ ranges from $$1M$ to $$150M$⁠. When both $v$ and $L$ are small, e.g., $v=0.1$ and$L=$1M$⁠, the optimal investment in cybersecurity is $0$⁠, because the benefits from such investments do not outweigh the costs. As $v$ and $L$ increase in this example, the expected loss from a cybersecurity breach (⁠$vL$⁠) and the optimal investment amount (⁠$z*$⁠) also increase.

Figure 1 illustrates the information provided in Table 1. As can be seen from the figure, for a given $v$⁠, as $L$ increases, $z*$ also increases. It is also clear that the optimal investment levels generally fall between two different NIST Tier levels. In our example, the expected loss from a breach would have to be equal to, or greater than, $$40.5M$ (i.e., for $v=0.5, L≥$81M$⁠, for $v=0.3, L≥$135M$⁠, for $v=0.1, L≥$405M$⁠) to justify the firm investing $$7M$ to reach the NIST Tier 4 level of cybersecurity. Figure 2 illustrates the minimum level of $L$for different Tier levels, at $v=0.3$⁠.

Figure 1.

Open in new tabDownload slide

Optimal cybersecurity investments for different values of L and v, and NIST tier levels.

Figure 2.

Open in new tabDownload slide

Determining critical L in applying NIST framework.

In other words, if the firm estimates that achieving NIST Tier 4 would result in at least $$0.64M$ additional benefits, it should invest the $$7M$ to reach NIST Tier 4.

The values for $v$and $L$ in the example (i.e., $0.1, 0.3, 0.5$ for $v$⁠, and values between $$1M$ and $$150M$ for $L$⁠) were chosen for illustrative purposes. Of course, other values could have been selected. However, this example demonstrates the process by which a firm could conduct a simulation around different values of $v$ and $L$so as to provide a clearer picture of the appropriate NIST Tier level of cybersecurity for a firm.

The above example illustrates the fact that the appropriate cost-effective NIST Implementation Tier level for a firm is dependent on the same three major components that underlie the GL Model. More specifically, the cost-effective Tier level is dependent on: (i) the value of the information being protected (⁠$L$⁠), (ii) the vulnerability (or probability of a cybersecurity breach to that information [$v$]), and (iii) the productivity of the investments in cybersecurity activities $sz,v$⁠.

If budget constraints prevent an organization from spending the optimal amount for a given $vL$⁠, the organization may have to settle for less than its ideal Tier level (at least until additional funds could be allocated to cybersecurity activities). Resource constraints are particularly relevant for small businesses. In fact, based on its study of small businesses in North America, the Report by the Better Business Bureau ([29], p. 12) pointed out that the “…lack of resources is the number one challenge these businesses face in adopting cybersecurity practices.”

Concluding comments

Managing cybersecurity risk has taken center stage in organizations within the private and public sector of industrialized economies around the world. Indeed, in today’s interconnected digital world, managing cybersecurity risk has become a critical component of an organization’s enterprise risk management program. The NIST Cybersecurity Framework has been instrumental in providing a common language and approach for organizations to use as they strive to improve the way they manage cybersecurity risks.

An insightful aspect of the NIST Cybersecurity Framework is its explicit recognition that the activities associated with managing cybersecurity risk are organization-specific. NIST also recognized that organizations need to evaluate their cybersecurity risk management needs on a cost–benefit basis [i.e., “…prioritize investments to maximize the impact of each dollar spent” ([10], p. 2)]. The NIST Cybersecurity Framework does not, however, provide guidance on how to carry out the above-noted cost–benefit analysis.

The objective of the analysis contained in this article has been to provide an approach for integrating cost–benefit analysis into the NIST Cybersecurity Framework. The focus of this integration has been on using the GL Model [11, 12] for cybersecurity investments as a basis for deriving a cost-effective level of spending on cybersecurity activities and selecting the NIST Implementation Tier level based on this cost-effective spending level. Specifically, it was shown that the GL Model provides a logical approach to use when considering the cost–benefit aspects of cybersecurity investments during the process of selecting the most appropriate NIST Implementation Tier level for an organization. In fact, it was shown that the cost-effective NIST Implementation Tier level for a firm depends on the same three major components that form the basis of the GL Model: (i) the value of the information being protected, (ii) the vulnerability (or probability) of a cybersecurity breach to that information, and (iii) the productivity of the investments in cybersecurity activities. If additional benefits from achieving a higher NIST Implementation Tier were available, then an organization would be incentivized to consider moving to a higher Tier. Although not a panacea, combining the GL Model with the NIST Cybersecurity Framework could go a long way toward facilitating NIST’s recommendation that cost–benefit analysis be used in decisions about an organization’s appropriate Implementation Tier level.

As organizations gain more experience with the NIST Cybersecurity Framework, it seems natural to expect best practices to emerge. It is important, however, for these best practices to incorporate the cost–benefit aspects of implementing the NIST Framework. It is hoped that the analysis provided in this article will help to identify these best practices from a cost–benefit perspective.

Footnotes

Acknowledgements

We thank Gerald Ward, Victoriya Zotova, two anonymous referees, and the editors for their comments on an earlier version of this article.

References