
BLUF – The reason to develop operational metrics is to underpin resource allocation discussions. Preventative measures do not yet have solid metrics. We need to change our measures for meaningful conversations around resource allocation. This post introduces the Cost of Operational Impact Metrics (COIM).
Background
The last post talked about common conversations held between information/cyber security and the business in regard to resource allocation. Certainly a wanting conversation – cyber often refers to average costs of incidents (which have not happened to the organisation) as savings or loss mitigation.* Understandably the business has doubts and concerns, especially when cyber’s request is stacked against other resource requirements that have concrete metrics to measure against.
No one is saying there isn’t value to cyber security. They simply don’t know what the value is. And they are reluctant to provision a portion of limited resources for loss mitigation of infinity+1.
It’s a given we don’t want a major breach or incident. No one does. The whole not-if-but-when argument aside, the business likely will not understand what resources to mark against the unmaterialised threat. As such, decision-makers will not provision money past a certain amount. Unlike in years past, cyber divisions will have to fight for resources, creating Cypartan’s dilemma. This measurement is intended to help make the case. Once the cyber security function is reasonably established, the business will need to measure it against understood costs.
The solid resource tie-backs are:
- (T)ime – how long does it take to complete a task
- (L)abour – how many people are required to conduct the activity
- (M)oney – how much we are paying these people to do this, plus any other incident-specific expenditures.
Multiplying T × L × M gives the Cost of Operational Impact Metric (COIM). This is the basis for measuring anything from a resource standpoint.
For example, let’s talk about one of my recent personal endeavours – the sugary goodness of dehydrated citrus (ok, commentary aside – have you seen the cost of peels?). The cost of dried oranges at the store is $7 for the sliced equivalent of one orange. A bag of eight oranges is $4 (a fractional M, as we want the cost of one orange). I’ve a dehydrator already (sunk cost, so it has no bearing on the metric) and it takes me (and only one me, for L) about two minutes (T) to slice an orange at about $1.25 per minute (M). We are looking at $3 for me to do it myself for the equivalent of what’s sold in the store – with at least a three-day downtime for the slices to reach a similar consistency.
Now, the trouble is relative demand. Do I just like them? If so, I can have a steady diet of candied citrus goodness drying at any given time. Do I need them? Well, I may need to go just buy them.
Now – do I recommend we measure every component of cyber operations/incidents like this? Yes and no.
If you are tracking a recurring metric – the number of phishing emails that got through the defences, for example – is there an activity within your cyber security operations associated with it? If so, can you track the COIM on enough examples to establish a baseline average? After doing it 20/30/100 times, we have established the COIM for phishing infiltration to be x. Now we can assess how much it costs to deal with this issue. If someone clicks on a phishing email link, we can establish the incident COIM. In aggregate we find the average, add the training atop the remediation, and you can start to have a very real picture of what it costs the organisation, to set against vendor offerings for a service.
Money and labour are easy to track, but what about time? This is where your ticketing systems (Salesforce, JIRA, etc.) come into play. You can see how much time each station spent in response to a particular facet of the activity, and on the activity overall.
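As an added illustration (not the author’s code), here is a small Python model of COIM built from per-station ticket records of the kind a ticketing system would export. The minutes, rates, ticket ids and occurrence counts are constructed; it reproduces the orange example above and shows the baseline-plus-training aggregation for phishing infiltration.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Station:
    """One stage of a ticket: the T, L and M recorded for that stage."""
    name: str
    minutes: float          # T: wall-clock time the stage took
    people: int             # L: people working the stage
    rate_per_minute: float  # M: loaded cost per person-minute

    def cost(self) -> float:
        return self.minutes * self.people * self.rate_per_minute


@dataclass
class Incident:
    ticket_id: str
    stations: list[Station]
    extra_spend: float = 0.0  # other incident-specific expenditures (materials, tooling)

    def coim(self) -> float:
        """COIM = sum of T*L*M over every station, plus incident-specific spend."""
        return sum(s.cost() for s in self.stations) + self.extra_spend


def baseline(incidents: list[Incident]) -> float:
    """Average COIM over enough recurrences of one activity to serve as a baseline."""
    return mean(i.coim() for i in incidents)


def annual_cost(baseline_coim: float, occurrences: int, recurring_spend: float = 0.0) -> float:
    """Yearly cost: baseline per occurrence, plus fixed items such as awareness training."""
    return baseline_coim * occurrences + recurring_spend


# Constructed sample tickets (hypothetical minutes and rates).
PHISH_THROUGH = [  # phishing email got past the filters, nobody clicked
    Incident("INC-1", [Station("triage", 20, 1, 1.00), Station("mail-purge", 32, 1, 1.25)]),
    Incident("INC-2", [Station("triage", 30, 1, 1.00), Station("mail-purge", 40, 1, 1.25),
                       Station("user-followup", 10, 1, 1.00)]),
]
PHISH_CLICKED = Incident("INC-3", [Station("triage", 30, 1, 1.00), Station("containment", 60, 2, 1.50),
                                   Station("reimage", 90, 1, 1.00)], extra_spend=100.0)
# The post's orange: 2 minutes, one person, $1.25/min, plus one eighth of a $4 bag.
ORANGE = Incident("orange", [Station("slicing", 2, 1, 1.25)], extra_spend=4 / 8)

if __name__ == "__main__":
    print(f"orange COIM ${ORANGE.coim():.2f}, infiltration baseline ${baseline(PHISH_THROUGH):.2f}")
    print(f"clicked-link incident ${PHISH_CLICKED.coim():.2f}, yearly (200 x baseline + $5000 training) "
          f"${annual_cost(baseline(PHISH_THROUGH), 200, 5000):.2f}")
```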
COIM is the basis of what we will talk about in the next part of this series: applying it in a manner that gives us a better picture to use in allocation discussions.
-scl
*Loss mitigation translates to non-practitioners as what-you-are-not-having-to-pay-for-because-we-saved-you-from-it, which seems rather imaginary. Because honestly, it is.