Justifying Threat Emulation By The Numbers
Today, businesses face the daunting task of not only defending against a myriad of cyber threats but also justifying investments in their cybersecurity programs. SCYTHE, a cutting-edge cyber attack simulation platform, offers a unique solution by enabling organizations to quantify the overall reduction in business risk and the return on investment (ROI) through comprehensive threat insight.
This blog delves into how SCYTHE can be used to shorten timelines necessary to understand and mitigate vulnerabilities throughout the cyber kill chain, provide deep insights into threat exposure, and ultimately demonstrate the tangible value of cybersecurity initiatives.
Cyber kill chain concepts, such as Lockheed Martin’s 7-stage Cyber Kill Chain (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives) or SCYTHE’s 3-stage BAM model (reconnaissance, initial access, and post-access actions), are critical frameworks in cybersecurity. These frameworks outline the stages of a cyber attack from the initial reconnaissance to the final actions on objectives. By understanding each stage, security teams can better identify and disrupt cyber attacks.
SCYTHE allows teams to simulate attacks at each stage of the kill chain, giving a unique vantage point into an attacker's possible pathways and techniques. This not only helps identify vulnerabilities at each stage but also aids in deploying specific countermeasures effectively.
One of the core features of SCYTHE is its ability to emulate a wide range of realistic cyber attacks based on real-world tactics, techniques, and procedures (TTPs). By emulating these attacks within a controlled environment, organizations can:
SCYTHE’s platform facilitates a granular analysis of an organization’s threat exposure at each stage of the kill chain. This analysis provides valuable insights into potential and actual security gaps that could be exploited by adversaries.
By utilizing SCYTHE, organizations can:
The return on investment in cybersecurity can be challenging to quantify due to the preventive nature of the field. However, using SCYTHE’s threat emulation, organizations can approach ROI calculation in several ways:
To fully understand the impact and efficacy of cybersecurity investments, organizations need to develop comprehensive metrics that go beyond anecdotal evidence of security improvements. A well-structured cyber scorecard with key performance indicators (KPIs) provides a quantifiable method to assess the benefits of using tools like SCYTHE. In this section of our blog, we'll discuss specific KPIs and calculations that can be integrated into an organization's cyber scorecard to measure the benefits derived from SCYTHE threat emulations.
Integrating the following KPIs into your cyber scorecard will help in quantitatively assessing the effectiveness of SCYTHE in your cybersecurity framework:
1. Threat Exposure Identification Rate (EIR):
EIR = Number of simulations conducted / Number of exposures identified
2. Incident Response Time Reduction (IRTR):
IRTR = (Average response time before SCYTHE − Average response time after SCYTHE) / Average response time before SCYTHE
3. Threat Detection Improvement (TDI):
Measures improvement in the ability to detect threats post-implementation of SCYTHE, measuring improvements in visibility (logged, alerted, blocked) and time (dwell).
TDI = ((Number of threats detected after SCYTHE − Number of threats detected before SCYTHE) / Number of threats detected before SCYTHE) + ((Visibility after SCYTHE − Visibility before SCYTHE) / Visibility before SCYTHE) + ((Time to Detect after SCYTHE − Time to Detect before SCYTHE) / Time to Detect before SCYTHE)
4. Risk Reduction Percentage (RRP):
Quantifies the percentage reduction in overall cybersecurity risk due to mitigations applied from insights gained through SCYTHE simulations.
RRP = ((Risk score before SCYTHE − Risk score after SCYTHE) / Risk score before SCYTHE) × 100%
5. Return on Security Investment (ROSI):
Calculates the financial return on investing in SCYTHE by comparing cost savings from avoided security incidents against the cost of the tool (and tool stack).
ROSI = ((Cost savings from avoided incidents − Cost of SCYTHE) / Cost of SCYTHE) × 100%
1. Define Weighting for Each Metric:
Assign a weight to each metric (EIR, IRTR, TDI, RRP, ROSI) based on its relative importance to the organization’s cybersecurity goals. For instance, a business more concerned with response capabilities may assign higher weights to IRTR and TDI.
2. Standardize Metrics:
Convert each metric into a standardized score (e.g., on a scale from 0 to 1) to ensure uniformity in comparison. This can be achieved by setting benchmarks or targets for each metric. For example:
3. Calculate Adjusted Scores:
Multiply each standardized score by its respective weight. For instance, if IRTR is weighted at 30% and the organization achieves 60% of the target reduction, the adjusted score would be 0.18 (0.6 * 0.3).
Add all the adjusted scores together to form the Cyber Threat Preparedness Index. This index provides a comprehensive measure of the organization's cybersecurity improvements, influenced by how well it identifies vulnerabilities, responds to incidents, detects threats, reduces risks, and achieves a financial return on security investments.
Continuously monitor these metrics and update the index periodically (e.g., quarterly or annually). This allows the organization to track improvements over time and adjust strategies as needed.
Example Calculation: Assuming an organization sets the following weights based on their strategic priorities:
- EIR: 20%
- IRTR: 25%
- TDI: 30%
- RRP: 25%
And achieves the following standardized scores, based on SCYTHE customers following our comprehensive cyber fitness strategy:
- EIR: 0.90
- IRTR: 0.70
- TDI: 0.85
- RRP: 0.80
The calculation for the CTPI would be:
CTPI = 0.90×0.20 + 0.70×0.25 + 0.85×0.30 + 0.80×0.25
= 0.18 + 0.175 + 0.255 + 0.2
= 0.81
Thus, the CTPI is 0.81, indicating a strong overall cybersecurity posture. This index helps the organization visualize the effectiveness of its cybersecurity investments and guides future decisions to maintain or enhance its cyber fitness.
The CTPI not only measures an organization's readiness and overall cybersecurity posture but can also be used to estimate potential savings from averting cyber incidents. Given the high costs associated with cyberattacks, understanding these savings is crucial for justifying cybersecurity investments. This section will detail how organizations can use their CTPI to calculate potential savings based on current average costs of cyber incidents in 2023.
As of 2023, the financial impact of cyber incidents can vary significantly depending on the nature and severity of the attack. Costs include direct expenses such as forensic investigations, legal fees, and regulatory fines, as well as indirect expenses like reputational damage and lost business. For the sake of this calculation, let's use a generalized average cost of a significant cyber incident, which is often cited in industry reports (e.g., Cost of Data Breach 2023) as approximately $4.45 million.
1. Determine the Baseline Incident Cost:
Establish the average cost of cyber incidents relevant to the organization's industry and size. For example, use $4.45 million as a baseline for a significant cyber incident.
2. Assess Risk Reduction from CTPI:
The CTPI quantifies how much risk is mitigated through improved cybersecurity measures. For example, if an index of 0.81 implies an 81% effectiveness in cybersecurity readiness, then the residual risk could be considered as 19%.
3. Calculate Expected Incident Cost with Improved Cybersecurity:
Multiply the residual risk percentage by the baseline incident cost to estimate the expected cost of a cyber incident after improving cybersecurity measures.
Expected Incident Cost = Baseline Incident Cost × Residual Risk
= $4.45M × 19%
= $845,500
4. Calculate Potential Savings:
Subtract the expected incident cost from the baseline incident cost to determine the potential savings.
Potential Savings = Baseline Incident Cost − Expected Incident Cost
= $4.45M − $845,500
= $3.6M
5. SCYTHE ROI:
Compare the cost of the recommended SCYTHE platform and advisory services to the potential savings.
Potential SCYTHE ROI = Potential Savings / SCYTHE Cost
= $3.6M / $250K
= 14.4X
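The KPI definitions, the weighting and standardization steps, the CTPI sum, and the expected-cost, savings and ROI steps above are all arithmetic that can be kept in one small scorecard script rather than a spreadsheet. The following is an added example written for this page; it is not SCYTHE's code and uses no customer data. The formulas are implemented exactly as the post states them (including the EIR ratio and the time-to-detect term of TDI, which comes out negative when detection gets faster, so check the sign against your own scorecard before standardizing it). The before/after measurements and the targets passed to `standardize()` are constructed sample values; the weights, scores, baseline incident cost and platform cost are the figures used in the post's own walkthrough.

```python
"""Cyber scorecard arithmetic from the post: KPIs -> standardized scores -> CTPI -> savings/ROI.

Added example for this page (not SCYTHE's code). All measurement inputs are constructed samples.
"""


# ---- KPI definitions, as written in the post ----

def eir(simulations_conducted: int, exposures_identified: int) -> float:
    """Threat Exposure Identification Rate, exactly as the post defines it."""
    return simulations_conducted / exposures_identified


def irtr(avg_response_before: float, avg_response_after: float) -> float:
    """Incident Response Time Reduction (fractional, positive when response gets faster)."""
    return (avg_response_before - avg_response_after) / avg_response_before


def tdi(detected_before: float, detected_after: float,
        visibility_before: float, visibility_after: float,
        ttd_before: float, ttd_after: float) -> float:
    """Threat Detection Improvement: sum of three relative changes, as the post writes it.

    Caveat: the time-to-detect term is (after - before) / before, so a faster detection
    time contributes a negative value to TDI under this definition.
    """
    return ((detected_after - detected_before) / detected_before
            + (visibility_after - visibility_before) / visibility_before
            + (ttd_after - ttd_before) / ttd_before)


def rrp(risk_before: float, risk_after: float) -> float:
    """Risk Reduction Percentage (0..100)."""
    return (risk_before - risk_after) / risk_before * 100.0


def rosi(cost_savings: float, tool_cost: float) -> float:
    """Return on Security Investment as a percentage."""
    return (cost_savings - tool_cost) / tool_cost * 100.0


# ---- Standardization and the weighted index ----

def standardize(value: float, target: float) -> float:
    """Map a raw metric onto 0..1 against a target (benchmark); clipped at both ends."""
    if target <= 0:
        raise ValueError("target must be positive")
    return max(0.0, min(1.0, value / target))


def ctpi(scores: dict[str, float], weights: dict[str, float]) -> float:
    """Cyber Threat Preparedness Index: sum of standardized score x weight over all metrics."""
    if set(scores) != set(weights):
        raise ValueError("every metric needs both a score and a weight")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 100%")
    for name, s in scores.items():
        if not 0.0 <= s <= 1.0:
            raise ValueError(f"score for {name} must be standardized to 0..1")
    return sum(scores[k] * weights[k] for k in scores)


# ---- Savings and ROI steps ----

def expected_incident_cost(baseline_cost: float, index: float) -> float:
    """Baseline incident cost x residual risk, where residual risk = 1 - CTPI."""
    return baseline_cost * (1.0 - index)


def potential_savings(baseline_cost: float, index: float) -> float:
    return baseline_cost - expected_incident_cost(baseline_cost, index)


def platform_roi(savings: float, platform_cost: float) -> float:
    """Potential savings divided by platform cost (the '14.4X' style multiple)."""
    return savings / platform_cost


if __name__ == "__main__":
    # Constructed before/after measurements (hours, counts, fractions) for the KPI step.
    raw = {
        "EIR": eir(simulations_conducted=40, exposures_identified=50),
        "IRTR": irtr(avg_response_before=72.0, avg_response_after=36.0),
        "TDI": tdi(20, 30, 0.6, 0.9, 48.0, 24.0),
        "RRP": rrp(risk_before=80.0, risk_after=16.0),
    }
    # Constructed targets for standardization (choose your own benchmarks).
    targets = {"EIR": 1.0, "IRTR": 0.5, "TDI": 1.0, "RRP": 100.0}
    scores = {k: standardize(raw[k], targets[k]) for k in raw}
    print("standardized scores:", scores)

    # The post's own weights and scores reproduce its 0.81 walkthrough.
    weights = {"EIR": 0.20, "IRTR": 0.25, "TDI": 0.30, "RRP": 0.25}
    post_scores = {"EIR": 0.90, "IRTR": 0.70, "TDI": 0.85, "RRP": 0.80}
    index = ctpi(post_scores, weights)
    baseline, platform_cost = 4_450_000.0, 250_000.0
    print(f"CTPI = {index:.2f}")
    print(f"expected incident cost = ${expected_incident_cost(baseline, index):,.0f}")
    print(f"potential savings      = ${potential_savings(baseline, index):,.0f}")
    print(f"ROI multiple           = {platform_roi(potential_savings(baseline, index), platform_cost):.1f}X")
```

Keeping the weights and targets as plain dictionaries makes the scorecard auditable: the checks in `ctpi()` reject weights that do not sum to 100% and scores that were never standardized, which are the two mistakes that most often make a hand-built index look better than it is.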
Budget Allocation
The calculated potential savings can guide how much should be invested in cybersecurity without exceeding the benefits. If saving nearly $3 million per incident is possible, investing up to a fraction of this amount in preventative measures can be economically justified.
Strategic Decisions
By understanding the economic impact of improved cybersecurity, organizations can make more informed decisions regarding technology upgrades, staffing, and training.
Stakeholder Communication
Quantifying potential savings in financial terms is a powerful tool for communicating the value of cybersecurity investments to stakeholders and securing the necessary funding and support.
The CTPI provides not only a snapshot of an organization's security effectiveness but also a robust tool for forecasting the financial implications of cyber incidents. By calculating the potential savings from averting such incidents, organizations can more clearly articulate the value of their cybersecurity initiatives, ensuring alignment with their overall business objectives and financial planning. This proactive approach to budgeting and risk management supports a stronger, more resilient cybersecurity posture in an era of ever-increasing cyber threats.
Beyond immediate ROI, SCYTHE provides long-term value by enhancing an organization’s cybersecurity maturity. The continuous insights gained from attack simulations enable ongoing improvements and adaptation to new threats. This proactive approach not only reduces the likelihood of successful attacks but also builds a robust security culture that can adapt and evolve with the threat landscape.
Benefits of Using SCYTHE Visualized in a Cyber Scorecard:
Data-Driven Decisions: Using quantifiable data from the scorecard, decision-makers can justify cybersecurity spending and optimize their investments based on areas showing the greatest improvement or need.
Strategy Optimization: Continuous feedback from the scorecard helps refine and adjust cybersecurity strategies to focus on areas where SCYTHE shows significant risk reduction or improvement in incident response capabilities.
Stakeholder Communication: Clear metrics and understandable KPIs facilitate communication with non-technical stakeholders, showing tangible outcomes from cybersecurity investments, which is crucial for continued support and funding.
Optimized (and reduced) Labor: Using pre-packaged threat content, combined with modules, will dramatically speed up red/blue/purple teaming as teams will not be forced to operationalize CTI themselves. Additionally, less experienced teams will be able to perform more advanced testing.
Cyber threats continue to create severe implications for business continuity and reputation. Investing in advanced simulation tools like SCYTHE offers a strategic advantage. By enabling organizations to test, measure, and enhance their security postures, SCYTHE plays a crucial role in reducing business risk and providing measurable ROI on cybersecurity investments. With its ability to provide comprehensive threat insights and facilitate a deeper understanding of security vulnerabilities throughout the cyber kill chain, SCYTHE is an invaluable tool for any organization serious about enhancing its cybersecurity efforts.
Author Attribution:
Written by Marc Brown (@marc_r_brown), SCYTHE’s VP Product & Sales, dynamic leader with diverse executive roles, startup enthusiast, lover of technology, innovation, and all things ‘nerdy’ cool.
Contributions By:
* Bryson Bort, SCYTHE Founder/CEO
* Trey Bilbrey, SCYTHE Labs