Cybersecurity Cost Estimating: How Do You Estimate the Cost of Something You Haven’t Observed?

Cybersecurity cost estimating. How do you begin? Organizations spent an estimated $169 billion on cybersecurity in 2022 and that number is forecast to increase significantly. More than 70% of security professionals surveyed said they anticipated an 11% increase in cybersecurity budgets for 2023.

Compare that to the damage done by threat actors. U.S. financial institutions lost nearly $1.2 billion in ransomware attacks in 2021, and that’s just one industry sector. Globally, cybercrime is predicted to be responsible for more than $8 trillion in losses.

As sophisticated cyber actors continue to evolve, most organizations’ capabilities are not adequately tested. This creates unknown security gaps that can put your organization at risk. Understanding these gaps is crucial to protecting your assets, but it can be challenging to know where to spend your dollars most effectively and whether you are truly prepared for events that have yet to occur.

Just because a cybersecurity incident hasn’t happened to your organization yet doesn’t mean it won’t. But how do you calculate the cost of something that you haven’t observed and how do you assess risk?

Estimate the Cost of Something that Hasn’t Occurred – An Example

Let’s look at a situation where you are trying to figure out how to assess risk for an event that hasn’t happened in your organization. You ask one of your colleagues how long they’ve worked there and if they have ever seen an occurrence. Let’s say they responded that they’ve been at the company for eight years and have never seen this type of event.

If that was your only source of information and you made a conservative assumption about the prior state, those eight years of individual observations only tell you it hasn’t happened yet. However, such an event is always possible.

The Rule of Three

The Rule of Three is a common formula used in risk assessment for calculating rare or unknown events. It’s a simple formula where you divide 3 by the number of observations over the period where an event hasn’t occurred. Knowing that eight years have passed with no occurrences, the rule of three would tell us that we can estimate with 95% confidence that the risk is between 0 and 3/8 or 37.5%.

In practical application, you would want n (the observed times) to be greater than 30. So, let’s say instead the person has worked there for 30 years. In that case, the rule of three would say with 95% confidence that the risk is between 0 and 3/30 or 10%.

Still, this can be misleading due to the lack of data. If you were trying to calculate the risk of a rare event happening at your company, for example, it might lead you to overstate the threat. To get a better assessment, you need more data.

Expanding the Reference Class

While you started with a reference class of your organization’s experience, you likely know things about your industry. For example, maybe you are aware of a recent trend that indicates this particular type of event has been occurring more frequently in the past two years than it has over the previous six.

So, instead of looking back eight years, you narrow the window to two years. At the same time, instead of just looking at your company, you look at 100 companies. Now, you have 200 years’ worth of observation (2 x 100). If an event happened twice out of 200 company years, the rule of three would tell us with 95% confidence that the risk is between 0 and 3/200 or 1.5%.

As you can see, the more data points you have, the more accurate your assessment will be. For rare events, you want to use a larger reference class to get a more realistic assessment of risk.

Cybersecurity Cost Estimating

SightGain’s threat exposure management platform can help you assess risk and quantify the effectiveness of your investments with real-world data.

By continuously testing and improving your cybersecurity posture, you can prove — and improve — your cybersecurity readiness. Rather than relying on the rule of three to assess risk, SightGain operationalizes threat intelligence to identify how your organization would fare against actual threats. Instead of using statistical estimates, you get hard data with real-world performance metrics and live-fire testing.

Not only will this help you continuously improve your security posture, but it provides empirical data about your ability to stop current threats and justify your security spending. By validating your security posture, you can:

  • Identify performance gaps in technology, processes, and staff.
  • Verify blocking, detecting, alerting, and correlation.
  • Document the accuracy and timeliness of analytics.
  • Implement an automated system to continuously monitor and improve cybersecurity readiness.

SightGain’s Cybersecurity Risk Analysis software can more accurately quantify risk exposure, find defensive gaps, and deliver the roadmap you need to improve performance.

Stop guessing and start defending. Schedule a demo with one of our security experts today.