Maximizing ROI in Cybersecurity: Why Data-Driven Control Selection Matters


A new article by Woods and Seymour (2024) in the Journal of Cyber Policy provides a refreshing approach to identifying and establishing appropriate cybersecurity policies. The article, titled “Evidence-based cybersecurity policy? A meta-review of security control effectiveness,” evaluates the effectiveness of cybersecurity policies and controls over a ten-year period. The meta-analysis included only empirical studies that investigated the statistical relationship between security controls and firm-level cyber risk outcomes in the real world. The following table lists the studies included in the meta-analysis.

The key findings can be summarized as follows:

  1. Attack Surface Management: Consistently emerged as the strongest predictor of cyber incidents across studies. This encompasses various hardening measures and system configuration practices.
  2. Patch Cadence: Ranked as the second most effective intervention. The speed at which security patches are applied significantly impacts an organization’s cyber risk profile.
  3. Multi-Factor Authentication (MFA): Showed high efficacy for individual account protection (99% risk reduction for Microsoft Azure AD accounts), but its effectiveness varied when implemented organization-wide.
  4. Cloud vs. On-Premises Email: Organizations using cloud-hosted email services experienced lower claim frequencies compared to those with on-premises Exchange servers.
  5. VPN Providers: Specific VPN providers were associated with significantly higher rates of compromise, highlighting the importance of vendor selection.
  6. Monitoring Activities: While not as impactful as hardening and patch management, various types of monitoring were associated with reduced claims costs.

The implications for policy and practice can be summarized as follows:

  1. Focus on Processes Over Products: The evidence suggests that how controls are implemented matters more than which specific products are used. This emphasizes the importance of proper configuration and maintenance.
  2. No Silver Bullets: The review found little evidence supporting the efficacy of off-the-shelf security solutions. Instead, it highlights the importance of system configuration and maintenance.
  3. Secure-by-Design Approach: The findings support the idea that secure-by-design principles are more effective than bolt-on security solutions.
  4. Risk-Based Decision Making: The evidence suggests that policy measures mandating specific controls are unlikely to result in significant risk reduction. Instead, organizations should be supported in making risk-based decisions.

The authors also note several limitations of the evidence base:

  1. Causality Issues: Most studies established correlations rather than causal relationships between controls and outcomes.
  2. Measurement Challenges: Many studies relied on externally observable data, potentially missing the impact of internal controls.
  3. Historical Validity: The evolving threat landscape may limit the applicability of past findings to future risks.
  4. Data Availability: Improving public access to cybersecurity incident data could enhance future research and policy formulation.

For cybersecurity specialists, this meta-review underscores the importance of focusing on fundamental security practices like attack surface reduction and efficient patch management. It also highlights the need for continuous evaluation of security measures in light of emerging threats and changing IT landscapes.


Reference:

Woods, D. W., & Seymour, S. (2024). Evidence-based cybersecurity policy? A meta-review of security control effectiveness. Journal of Cyber Policy. Advance online publication. https://doi.org/10.1080/23738871.2024.2335461

Jane Ginn CTIN President & Co-Founder
Jane Ginn ~ As the co-founder of the Cyber Threat Intelligence Network (CTIN), a consultancy with partners in Europe, Ms. Ginn has been pivotal in the development of the STIX international standard for modeling and sharing threat intelligence. She currently serves as the Secretary of the OASIS Threat Actor Context Technical Committee, contributing to the creation of a semantic technology ontology for cyber threat actor analysis. Her efforts in this area and her earlier work with the Cyber Threat Intelligence (CTI) TC earned her the 2020 Distinguished Contributor award from OASIS. In public service, she advised five Secretaries of the US Department of Commerce on international trade issues from 1994 to 2001 and served on the Washington District Export Council for five years. In the EU, she was an appointed member of the European Union's ENISA Threat Landscape Stakeholders' Group for four years. A world traveler and amateur photojournalist, she has visited over 50 countries, further enriching her global outlook and professional insights. Follow me on LinkedIn: www.linkedin.com/comm/mynetwork/discovery-see-all?usecase=PEOPLE_FOLLOWS&followMember=janeginn