
The Cyber Security Ratio

posted Mar 30, 2017, 2:42 AM by Michael Lenart   [ updated Apr 20, 2017, 5:15 PM ]

By Daniel Cahill

 

Introduction

 

Governments and private firms spend significant portions of their budgets on cyber security to ensure the confidentiality, integrity, and availability of data, and to limit liability. How much is enough? How do private firms compare to each other, and how do they compare to governments and government agencies? These questions are difficult to answer because there are neither baselines nor standards. Current accounting practices and analysis consider cyber security expenses as a percentage of overall expenses. This method, however, misses the mark for two reasons. First, there is no standardization of cyber security requirements and therefore no baseline from which comparisons can be made. Second, it does not consider the value of the transactions and assets exposed to cyber threats. The Cyber Security Ratio allows for a fairer comparison across sectors by assigning a value to what is being protected and then comparing that value to what is being spent on cyber security.


Background


The U.S. Department of Defense (DoD) operates multiple computer networks to conduct its daily operations; the two primary networks are SIPRNET and NIPRNET. Both use the public Internet to exchange information, the difference being that NIPRNET can send information to and receive information/data from the Internet, whereas SIPRNET merely uses the NIPRNET/Internet as a means to tunnel encrypted information securely. No information/data originating from the Internet enters or leaves the SIPRNET network, or vice versa. Furthermore, SIPRNET terminals are connected only to the SIPRNET, so there is no other path for data to move onto or off the system. In theory, SIPRNET is inherently secure, with all of its contents encrypted.1,2

 

The SIPRNET concept eliminates a vast majority of problems associated with network security as no unencrypted data is ever exposed to the Internet and the terminals themselves are fully shielded from the Internet. There is very little risk of data being compromised or malicious code being introduced directly from the Internet. The only real risk, aside from an insider threat, is denial of service. The additional, minimal expense with SIPRNET involves encrypting data at the point where data leaves the local network and decrypting data where data enters the network.

 

The NIPRNET is more like a typical business network and exposed to the same risks.  The cost of securing this network should be similar to that of any other network. In fact, an argument could be made that a typical firm is required to store and transmit all of its data in a manner that exposes it to the internet, whereas the Department of Defense has the option to transmit and store much of its sensitive data on SIPRNET.

 

Virtually every firm engaged in business utilizes the Internet in some way, shape, form, or manner, and very few firms utilize the “encrypted tunneling” technique in the way that DoD does. That is, very few firms use terminals that cannot send or receive data from the Internet. Considering this, how do these firms secure their data and networks? In government terms, a vast majority of these private firms utilize commercial off the shelf (COTS) solutions.



In order to determine the proper amount to spend on cyber security, the most important question is: How “sensitive” is the data being secured? The second question to ask is what is the threat? The answer to the first question is the foundation (or denominator) for the Cyber Security Ratio (alternately referred to as the Cahill Ratio/Number). There are five methods that can be used to accomplish this, all of which involve 1) assigning a dollar value to what is being secured, and 2) equating a dollar value to determine sensitivity. Once the value of what is being secured is determined, it can be compared to the expense of protecting it, which is the annual cyber security budget (the numerator of the cyber security ratio).

The Cyber Security Ratio can therefore be calculated as follows:

CSR = (Annual Cyber Security Budget / Annual Value of Assets and/or Transactions Exposed to the Internet) × 10,000

 

These methodologies will be demonstrated and discussed below in the “Examples” section using data reported in financial disclosures from some well-known financial firms and the U.S. government.


The answer to the second question, “What is the cyber threat?”, is that all entities, government and private, face very similar threats and therefore no correction factor has to be applied to account for difference in risk. Most insurance policies/underwriting have an exception for war, meaning it is possible to insure a civilian airliner but not military aircraft. However, in the realm of cyber warfare there is no distinction between civilian and military. All entities are targets, including state/government functions and private enterprise.

 

Examples

 

The first method for calculating the Cyber Security Ratio (CSR) equates the value or sensitivity of the data to the annual expenses of the firm.

 

The U.S. Department of Defense (DoD)

Budget for 2015: 560 Billion USD3 ($560,000,000,000)

Cyber Security Budget for 2015: 4.7 Billion USD4 ($4,700,000,000)

CSR = 4,700,000,000 / 560,000,000,000 × 10,000 = 83.93

 

JP Morgan Chase (JPM) 2014-2015

Expenses for 2014: 61 Billion USD5 ($61,000,000,000)

Cyber Security Budget for 2015: 250 Mil USD6 ($250,000,000)

CSR = 250,000,000 / 61,000,000,000 × 10,000 = 40.98

 

Bank of America (BAC) 2014-2015

Expenses for 2014: 75 Billion USD7 ($75,117,000,000)

Cyber Security Budget for 2015: 400 Mil USD8 ($400,000,000)

CSR = 400,000,000 / 75,117,000,000 × 10,000 = 53.25


The above calculations demonstrate that spending on cyber security as compared to expenses varies significantly between the two financial services firms. Bank of America's CSR exceeded JP Morgan Chase's by 29.93%. This difference is significant because if one assumes other expenses are relatively similar, then the difference in cyber security expenses has a significant impact on net income. In the case of Bank of America, whose net income was $8.3 billion in 2014, this cyber security expense was 5% of its net income.

 

When we compare cyber security spending in the financial services sector to the U.S. Department of Defense, we see that DoD’s spending on cyber security as compared to expenses is 104.79% greater than JP Morgan Chase’s and 57.61% more than Bank of America’s. These numbers are well outside the range of differences seen within the financial services industry and suggest DoD is overspending on cyber security – at least from the perspective of overall expenses.

 

A challenge of this method is that expenses may not accurately represent the value of the data being protected, particularly for firms that manage a large amount of assets. Using data from the aforementioned entities (and sources), we see that there is little correlation, even within the financial services sector, between expenses, assets managed (held), and shareholders’ equity (net assets). Bank of America’s ratio of expenses to assets held is 50% greater than that of JP Morgan Chase, and its ratio of expenses to shareholders’ equity is still 20% more than that of JP Morgan Chase.

 

The second method is to measure the value of the firm in terms of either shareholders' equity or market capitalization. In the case of the Department of Defense, this would be the same as assets because for all intents and purposes DoD owns its assets outright. This only makes sense if you believe the total losses of a company are limited to shareholders’ equity and you disregard the loss of assets and/or liabilities.

 

The U.S. Department of Defense (DoD)

Total Assets for 2015: 2.3 Trillion USD9 ($2,292,137,000,000)

Cyber Security Budget for 2015: 4.7 Billion USD10 ($4,700,000,000)

CSR = 4,700,000,000 / 2,292,137,000,000 × 10,000 = 20.50

 

JP Morgan Chase (JPM) 2014-2015

Shareholders’ Equity for 2014: 232 Bil USD11 ($232,065,000,000)

Cyber Security Budget for 2015: 250 Mil USD12 ($250,000,000)

CSR = 250,000,000 / 232,065,000,000 × 10,000 = 10.77

 

Bank of America (BAC) 2014-2015

Shareholders’ Equity for 2014: 243 Bil USD13 ($243,471,000,000)

Cyber Security Budget for 2015: 400 Mil USD14 ($400,000,000)

CSR = 400,000,000 / 243,471,000,000 × 10,000 = 16.43

Using the Shareholders’ Equity method, we see that Bank of America spends 52% more than JP Morgan. The Department of Defense spends 90% more than JP Morgan and 25% more than Bank of America. Again, we see that Bank of America is spending significantly more than JP Morgan, and that DoD is spending significantly more than JP Morgan and marginally more than Bank of America.

 

Many, if not most, accountants consider the maximum loss as something similar/equivalent to shareholders’ equity. Any suggestion of considering the maximum loss as being total assets would be dismissed as unrealistic because you can’t take any more from a firm than shareholders’ equity (Shareholders’ Equity = Total Assets – Total Liabilities). This firm-centric perspective is dangerous because it dismisses the potential loss of assets held on behalf of the client. To put it simply, you can steal vastly more from a bank than the value of shareholders equity; this is a fact. And the Federal Deposit Insurance Corporation (FDIC) does not cover losses that result from theft or fraud. The next method will take this possibility into consideration.

 

The third method is to consider the total assets of the firm, where the value of the data is taken to be the value of the total assets held by the firm. Using total assets makes sense if one believes the ultimate or most catastrophic loss is a loss of all of the firm’s assets rather than of its “net assets” or shareholders’ equity.

 

The U.S. Department of Defense (DoD)

Total Assets for 2015: 2.3 Trillion USD15 ($2,292,137,000,000)

Cyber Security Budget for 2015: 4.7 Billion USD16 ($4,700,000,000)

CSR = 4,700,000,000 / 2,292,137,000,000 × 10,000 = 20.50

 

JP Morgan Chase (JPM) 2014-2015

Total Assets for 2014: 2.6 Trillion USD17 ($2,570,000,000,000)

Cyber Security Budget for 2015: 250 Mil USD18 ($250,000,000)

CSR = 250,000,000 / 2,570,000,000,000 × 10,000 = 0.97

 

Bank of America (BAC) 2014-2015

Total Assets for 2014: 2.1 Trillion USD19 ($2,100,000,000,000)

Cyber Security Budget for 2015: 400 Mil USD20 ($400,000,000)

CSR = 400,000,000 / 2,100,000,000,000 × 10,000 = 1.90


The aforementioned calculations demonstrate that even when considering total assets managed (or assets at risk), the results are highly disparate. Using this method, we see that Bank of America spends 95.81% more on cyber security than JP Morgan. When comparing Bank of America to DoD in this manner, we find that DoD spends a staggering 10 times, or 976.51%, more on cyber security. When comparing DoD to JP Morgan Chase in this manner, DoD is spending a similarly staggering 20 times, or 2,007.90%, more. I believe this calculation most accurately represents the true picture of what is being spent on cyber security and also highlights the most excessive disparities between the Department of Defense’s spending and the spending of financial services firms. Again, the threats encountered by both are the same and both have similar assets to lose, yet some are spending drastically more than others.
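As an added illustration (not the author's own calculation, though it uses only the figures reported above), this Python script carries the CSR formula through all three denominators the article applies and reproduces the percentage comparisons quoted in the text; the spread() helper goes beyond the article by summarising how far apart the three entities sit under each denominator.

```python
"""Cyber Security Ratio (CSR) worked through for the three denominators the
article uses: annual expenses, shareholders' equity, and total assets.

CSR = (annual cyber security budget / annual value exposed) x 10,000
"""
from dataclasses import dataclass

SCALE = 10_000


@dataclass(frozen=True)
class Entity:
    name: str
    cyber_budget: float   # annual cyber security budget, USD
    expenses: float       # method 1 denominator: annual expenses
    equity: float         # method 2 denominator: shareholders' equity (DoD: assets)
    total_assets: float   # method 3 denominator: total assets


# Figures exactly as the article reports them (FY2015 budgets, 2014 bank financials).
ENTITIES = (
    Entity("DoD", 4_700_000_000, 560_000_000_000, 2_292_137_000_000, 2_292_137_000_000),
    Entity("JPM",   250_000_000,  61_000_000_000,   232_065_000_000, 2_570_000_000_000),
    Entity("BAC",   400_000_000,  75_117_000_000,   243_471_000_000, 2_100_000_000_000),
)

# Method name -> Entity field used as the denominator.
METHODS = {"expenses": "expenses", "equity": "equity", "assets": "total_assets"}


def csr(budget: float, exposed_value: float) -> float:
    """CSR: cyber security dollars spent per $10,000 of value exposed."""
    if budget < 0 or exposed_value <= 0:
        raise ValueError("budget must be non-negative and exposed value positive")
    return budget / exposed_value * SCALE


def pct_more(a: float, b: float) -> float:
    """How much larger a is than b, in percent (the article's comparison figure)."""
    return (a / b - 1.0) * 100.0


def csr_table(entities=ENTITIES) -> dict[str, dict[str, float]]:
    """{method: {entity: CSR}} for every denominator method."""
    return {
        method: {e.name: csr(e.cyber_budget, getattr(e, field)) for e in entities}
        for method, field in METHODS.items()
    }


def comparison_table(entities=ENTITIES) -> dict[str, dict[tuple[str, str], float]]:
    """{method: {(a, b): percent by which a's CSR exceeds b's}} for every ordered pair."""
    return {
        method: {(a, b): pct_more(r[a], r[b]) for a in r for b in r if a != b}
        for method, r in csr_table(entities).items()
    }


def spread(entities=ENTITIES) -> dict[str, float]:
    """Highest CSR divided by lowest, per method: the same budgets look far more
    disparate once measured against assets instead of expenses."""
    return {m: max(r.values()) / min(r.values()) for m, r in csr_table(entities).items()}


if __name__ == "__main__":
    for method, ratios in csr_table().items():
        row = "  ".join(f"{n}={v:8.2f}" for n, v in ratios.items())
        print(f"{method:9s} {row}   spread={spread()[method]:6.2f}x")
    cmp = comparison_table()["assets"]
    print(f"DoD vs JPM on total assets: {cmp[('DoD', 'JPM')]:.2f}% more")
```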

 

The fourth way to measure value of the data is to measure the actual value of the transactions that take place across the network. An argument can certainly be made that this is what’s truly at risk for a firm above and beyond any other number presented above (at least from a cyber security perspective). Certain sectors, such as the financial services sector, deal with transactions that far exceed their expenses or even the value of their companies. An excellent example of this is the New York Stock Exchange (NYSE), which executed transactions in excess of 11 trillion dollars in 2015.21 Yet, the parent company Intercontinental Exchange (ICE) had expenses of approximately 1.6 billion dollars, assets totaling 50 billion, and shareholders’ equity of 12 billion.22 This fourth manner is the one that presents the most challenges, as most firms do not publicly report the actual value of transactions that take place across their networks. Furthermore, estimates based on required disclosures would be difficult because many values are reported as “net values,” which negates the ability to estimate the value of actual transactions. All of this makes it extremely difficult to ascertain the CSR using this methodology. Additionally, the value of transactions does not necessarily represent the number of transactions taking place, which would be important because every time a transaction crosses the Internet, there is a risk of compromise. 

 

The fifth method would involve a combination of the first four methods. Perhaps a starting point would be the sum of assets, value of transactions, and market capitalization/shareholders’ equity.

 

Challenges

 

Challenge #1: The most fundamental challenge with utilizing the CSR is a lack of data as most firms (and the government) are not willing to report all aspects of their cyber security spending. Most firms are afraid of the consequences of being deemed irresponsible regarding budget allocation for cyber security. Similarly, the federal government has funding mechanisms designed to obfuscate true spending. 

 

Challenge #2: Assigning a value that truly represents what is being protected. What is the price or cost of losing a client’s personal data/identity data? What if the client’s available credit is $100,000 versus $5,000? What is the firm’s reputation worth?

 

Challenge #3: How much spending is enough? If 50% more in spending only provides 5% more security, is that spending worth it? Related to the challenge of assigning a value is how can risk be measured if what is being protected does not have an objective, accurate, designated value?

 

Challenge #4: How much cyber security related information is the U.S. Department of Defense sharing with the private sector? Is it being shared equally? How much is the private sector benefiting from this sharing, and what would the dollar value of this support be? A corollary of this is: if U.S. firms operating in the EU are exposed in Europe, does that mean that the U.S. Department of Defense will share DoD-derived information from its program with non-U.S. entities? Will the U.S. fund worldwide cyber security efforts by sharing the information derived from its cyber security programs? Where would the U.S. draw the line in sharing cyber threat information?

 

Challenge #5: As discussed above – what is the threat, because without knowing the threat, it is difficult to assess risk. The threat faced by firms is the same threat faced by government and militaries, therefore an accurate assessment of the absolute threat is necessary to determine what cyber security measures must be taken. Basically, if it is determined that U.S. Department of Defense networks face threat “x,” then all networks worldwide would face the same threat.

 

Conclusions

 

Use of the CSR to compare financial services firms has identified significant differences across the sector. What does this mean? Most managers ask the following two questions: What does it cost? How much will it save? (Or how much income will it generate?) In the case of cyber security, the answers to those questions are apparently ambiguous. Rating agencies and actuaries have had a difficult time assessing risks and threats, particularly as they apply to cyber threats and financial services firms in general. Also, as discussed above, underwriters are not in the business of underwriting risks associated with war, and cyber threats are a result of warfare – cyber warfare. Therefore, at this point, the proper amount to spend on cyber security is the best estimate of those directly involved/invested. As cyber security risks become underwritten, standards will be developed and enforced by insurers and/or government regulators/regulations; in the meantime, these expenditures appear to be rather arbitrary. The above notwithstanding, it does appear that either the U.S. Department of Defense is spending too much on cyber security or financial services firms are spending too little. It is also quite possible that Bank of America is spending too much on cyber security and JP Morgan Chase is spending too little. Regardless, it is difficult to conclude that each of the entities considered above is spending the proper amount on cyber security.

 

Perhaps most importantly regarding the Department of Defense, it has always been difficult to assign a value to national security. The U.S. Department of Defense is not only securing itself, but is securing the entire nation. That said, as we’ve identified above, there are many firms, like the New York Stock Exchange (NYSE), that are securing vastly more than their own value (net assets and/or shareholders’ equity). I would venture to say that, in a similar manner, the value of the daily transactions across the networks of financial services firms is much greater than the value of their assets. So perhaps the argument that the Department of Defense is securing the entire nation is moot, OR there is a dollar value to assign to the support being provided to firms by the U.S. Department of Defense. If the latter is true, then the dollar value of the support provided by DoD can be added to what firms are spending and/or subtracted from the cyber security spending of foreign entities (and perhaps domestic ones as well) not protected by the U.S. Department of Defense.

 

Furthermore, unlike financial services firms, the Department of Defense has the SIPRNET to secure much of its sensitive information. I would offer that the cost of maintaining the SIPRNET is vastly less than the difference between what DoD is spending on cyber security and what financial services firms are spending. Given this assumption, what would be the value of the remaining information left on the NIPRNET? Perhaps the best way for DoD to secure its NIPRNET is with COTS technology more in line with what financial firms are utilizing.

 

Epilogue

 

Both firms and governments need a balanced approach to cyber security spending to ensure the confidentiality, integrity, and availability of data, and to limit liability. The most efficient approach to spending is usually spending in a manner that provides the most absolute gain. As discussed in challenge number 3, if 50% more in spending only provides a 5% increase in security, is that spending worth it? If our adversaries (or other firms) are obtaining a 90% solution by spending half as much, how should that affect our spending? From a national security perspective, if our adversaries are removing their “sensitive” networks from the Internet, essentially precluding a data compromise, does that negate the need for traditional cyber security for those networks? What would be the true cost of a total compromise of the DoD’s NIPRNET? Is DoD placing too much sensitive data on the NIPRNET and not enough on the SIPRNET? Again, hopefully the CSR will assist firms, government policymakers, and underwriters in developing the most appropriate courses of action.

About the Author

Daniel Adams Cahill is a Commander in the Navy Reserve, where he supports the Naval Inspector General. He holds a Bachelor's Degree in Marine Engineering, with a concentration in Nuclear Engineering, from the United States Merchant Marine Academy. He earned graduate certificates in International Relations and in Business from Columbia University, where he focused on applying business principles to military strategy and foreign policy.


 

End Notes


1. “Secret IP Data”. Defense Information Systems Agency. http://www.disa.mil/Network-Services/Data/Secret-IP. Accessed 24 Mar 2017.

2. “Using the SIPRNET”. Defense Human Resources Activity, U.S. Department of Defense. http://www.dhra.mil/perserec/osg/s1class/siprnet.htm. Accessed 12 Mar 2017.

3. “United States Department of Defense Fiscal Year 2016 Budget Request”. Comptroller, U.S. Department of Defense. http://comptroller.defense.gov/Portals/45/Documents/defbudget/fy2016/FY2016_Budget_Request_Overview_Book.pdf. Accessed 12 Mar 2017.

4. Sternstein, Aliya. “The Military’s Cybersecurity Budget in 4 Charts”. Defense One. http://www.defenseone.com/management/2015/03/militarys-cybersecurity-budget-4-charts/107679/. Accessed 12 Mar 2017.

5. “JPMORGAN CHASE & CO (Filer) CIK: 0000019617” (JP Morgan 10-K, 2015). JP Morgan Chase & Co. http://www.sec.gov/cgi-bin/viewer?action=view&cik=19617&accession_number=0000019617-15-000272&xbrl_type=v#. Accessed 12 Mar 2017.

6. Glazer, Emily. “J.P. Morgan CEO: Cybersecurity Spending to Double”. Wall Street Journal. http://www.wsj.com/articles/j-p-morgans-dimon-to-speak-at-financial-conference-1412944976. Accessed 12 Mar 2017.

7. “BANK OF AMERICA CORP /DE/ (Filer) CIK: 0000070858” (Bank of America 10-K, 2015). http://www.sec.gov/cgi-bin/viewer?action=view&cik=70858&accession_number=0000070858-15-000008&xbrl_type=v#. Accessed 12 Mar 2017.

8. O’Daniel, Adam. “Moynihan: BofA's cyber security given unlimited budget 'to keep us safe'”. Charlotte Business Journal. http://www.bizjournals.com/charlotte/blog/bank_notes/2015/01/moynihan-bofas-cyber-security-given-unlimited.html. Accessed 12 Mar 2017.

9. “Agency Financial Report, Fiscal Year 2015”. U.S. Department of Defense. http://comptroller.defense.gov/Portals/45/Documents/afr/fy2015/3-Financial_Section.pdf. Accessed 12 Mar 2017.

10. Sternstein, Aliya. “The Military’s Cybersecurity Budget in 4 Charts”. Defense One. http://www.defenseone.com/management/2015/03/militarys-cybersecurity-budget-4-charts/107679/. Accessed 12 Mar 2017.

11. “JPMORGAN CHASE & CO (Filer) CIK: 0000019617” (JP Morgan 10-K, 2015). JP Morgan Chase & Co. http://www.sec.gov/cgi-bin/viewer?action=view&cik=19617&accession_number=0000019617-15-000272&xbrl_type=v#. Accessed 12 Mar 2017.

12. Glazer, Emily. “J.P. Morgan CEO: Cybersecurity Spending to Double”. Wall Street Journal. http://www.wsj.com/articles/j-p-morgans-dimon-to-speak-at-financial-conference-1412944976. Accessed 12 Mar 2017.

13. “BANK OF AMERICA CORP /DE/ (Filer) CIK: 0000070858” (Bank of America 10-K, 2015). http://www.sec.gov/cgi-bin/viewer?action=view&cik=70858&accession_number=0000070858-15-000008&xbrl_type=v#. Accessed 12 Mar 2017.

14. O’Daniel, Adam. “Moynihan: BofA's cyber security given unlimited budget 'to keep us safe'”. Charlotte Business Journal. http://www.bizjournals.com/charlotte/blog/bank_notes/2015/01/moynihan-bofas-cyber-security-given-unlimited.html. Accessed 12 Mar 2017.

15. “Agency Financial Report, Fiscal Year 2015”. U.S. Department of Defense. http://comptroller.defense.gov/Portals/45/Documents/afr/fy2015/3-Financial_Section.pdf. Accessed 12 Mar 2017.

16. Sternstein, Aliya. “The Military’s Cybersecurity Budget in 4 Charts”. Defense One. http://www.defenseone.com/management/2015/03/militarys-cybersecurity-budget-4-charts/107679/. Accessed 12 Mar 2017.

17. “JPMORGAN CHASE & CO (Filer) CIK: 0000019617” (JP Morgan 10-K, 2015). JP Morgan Chase & Co. http://www.sec.gov/cgi-bin/viewer?action=view&cik=19617&accession_number=0000019617-15-000272&xbrl_type=v#. Accessed 12 Mar 2017.

18. Glazer, Emily. “J.P. Morgan CEO: Cybersecurity Spending to Double”. Wall Street Journal. http://www.wsj.com/articles/j-p-morgans-dimon-to-speak-at-financial-conference-1412944976. Accessed 12 Mar 2017.

19. “BANK OF AMERICA CORP /DE/ (Filer) CIK: 0000070858” (Bank of America 10-K, 2015). http://www.sec.gov/cgi-bin/viewer?action=view&cik=70858&accession_number=0000070858-15-000008&xbrl_type=v#. Accessed 12 Mar 2017.

20. O’Daniel, Adam. “Moynihan: BofA's cyber security given unlimited budget 'to keep us safe'”. Charlotte Business Journal. http://www.bizjournals.com/charlotte/blog/bank_notes/2015/01/moynihan-bofas-cyber-security-given-unlimited.html. Accessed 12 Mar 2017.

21. “Daily NYSE Group Volume in NYSE Listed, 2017”. The New York Stock Exchange. http://www.nyxdata.com/nysedata/asp/factbook/viewer_edition.asp?mode=table&key=3141&category=3. Accessed 12 Mar 2017.

22. “Intercontinental Exchange, Inc. (Filer) CIK: 0001571949” (NYSE Parent Company 10-K). Intercontinental Exchange, Inc. http://www.sec.gov/cgi-bin/viewer?action=view&cik=1571949&accession_number=0001571949-15-000003&xbrl_type=v#. Accessed 12 Mar 2017.


Photo credit: globalknowledge.com