cyber resilience framework
Threatonomics

Moneyballing Cyber Resilience

Turning Tactics Into Strategies

by Richard Seiersen , Cyber Resilience Strategic Advisor
Published

Has your boss asked you to be more strategicAre you unclear what that means?  And when you ask them to define “strategy” do they say something vague like, “it’s a security plan aligned to business goals and objectives?”  If this is your lot, and you’re still perplexed, then just know you are normal.  

Let’s be honest, true strategic leadership is rare – particularly in security. It’s not for a lack of effort. It’s for a lack of specificity on what (and how) to strategize. This article intends to help – by starting with a movie.  


A Winning Strategy In Action

The film Moneyball is a master class example of aligning objectives, goals, strategy, and tactics.  We’re going to apply it to security.  That means you must eventually see the movie! Or even better, read the book. It’s subtitled, “The Art Of Winning An Unfair Game.”  

The protagonist (the Oakland A’s) had the worst budget in major league baseball. It was a quarter the size of team’s like the New York Yankees and the Boston Red Sox. But the A’s turned their meager budget into an advantage. Indeed, their financial constraints became the impetus for an industry-changing strategy, based on arbitrage opportunities, which had as its objective winning the World Series.

The TL;DR on the A’s strategy:

  • Objective: Win the World Series.  
  • Goal: Do it in one year with a quarter of the competition’s budget. 
  • Strategy: Buy undervalued assets.  
  • Tactics: Maximize walks and build superstars in the aggregate.

Constraints Drive Strategy

The A’s goal of winning with a paltry budget drove the need for a new strategy. That new strategy focused on buying undervalued assets. For example, players good at getting walks were not in high demand. Yet walks were strongly correlated with wins – stronger than getting runs. (The A’s economist discovered this.) And players that got walks were cheap.  So the A’s started to buy them up.  

A similar tactic was making superstars in the aggregate. The A’s sold off expensive assets, replacing them with inexpensive (often farm-league) players. Each player had an undervalued skill. Their combined salaries were less than the superstars they replaced – while their value in making wins was equivalent if not better. 

Isn’t This Just Good ROI?
If you buy wins cheaply, then you have ROI. If you implement tactics disconnected from objectives, goals, and strategy then you simply bought cheap losses or maybe you got lucky and won. But it was not a strategy; it was mere tactics.  As Sun Tzu warned, “Tactics without strategy is the noise before defeat.” 

Moneyball Applied To Cyber

Let’s apply the Moneyball pattern to cybersecurity. 

A Resilience client in the distribution industry was planning to expand their business to e-commerce. With this expansion came new opportunities for revenue, as well as for cyber risk. The client’s Risk Manager had trouble determining how much insurance coverage they should purchase as peer benchmarks didn’t account for the complex nature of their large attack surface, and simple data breach calculators weren’t helpful. To protect their ability to deliver value, they purchased a policy with a $10M limit.

 As I did above, I will start with a very high level Too Long; Didn’t Read (TL;DR) outline and then unpack each bullet.  But my particular focus will be on one of the tactics – the Quantified Cyber Action Plan (Q-CAP) a new part of the Resilience Solution available to Edge clients

The TL;DR Cyber Resilience Strategy

  • Objective: Make the business resilient to plausible cyber losses
  • Goal: Loss exceedance of $10M at 5% and $20M at 1% by 2024
  • Strategy: Controls arbitrage and reserves assurance   
  • Tactics: Implement a Quantified Cyber Action Plan (Q-CAP)

The Cyber Resilient Objective

Cyber Resilience ensures the business thrives in the face of plausible losses.  You don’t get that by simply following a security framework or buying solutions an analyst told you to. It’s more involved, as you can see in the Cyber Resilience Domain infographic just below.  Cyber resilience in practice includes:

  • Assessing relevant threats
  • Assessing your value at risk (aka losses)
  • Quantifying the likelihood of threats creating losses
  • Quantifying the return on cross cutting controls
  • Quantifying ideal limits for risk transfer
  • Quantifying capital reserves requirements for limit exceedance 

Figure 2 The Cyber Resilient Domain

Note: Cyber Resilience requires security operations, finance, and risk management leaders to collaborate.  Traditionally, these individuals operate in silos. They need a common language to communicate their challenges and align under a common goal – this language is dollars and cents. 
When we can talk in terms of dollars and cents, it’s easier to make a case to the money people. These are the people who designate the budgets that let us do our jobs, ie. executives, stakeholders, and Boards of Directors.  Thus, cyber resilience must be considered  a shared objective. 

Figure 3  Q-Cap Loss Exceedance Curve

The Cyber Resilience Goal

A goal measures the objective. The above Loss Exceedance Curve was generated by our Q-CAP (Figure 3). It shows that our client has a ~33% chance of exceeding $5M in losses. Their new goal (represented by the lower curve) has a 5% chance of exceeding $10M. There’s also a tail exceedance goal of 1% for $20M.  

The Cyber Resilience Strategy

A strategy is a qualitative explanation of how our client will achieve their goal.  Before we clarify our strategy let’s add some constraints. First, they can’t get more than $10M in limit.  This is a function of sub standard cyber hygiene.  Also, their budget is fixed to less than $1M for new solutions.  Given those constraints I’m calling this strategy: Controls Arbitrage and Reserve Assurance. 

Controls arbitrage does two things. First, it’s investing in cross cutting high ROI controls.  Cross cutting is seen in Figure 2.  For example, most of the controls are cross cutting, spanning multiple threat and loss scenarios. Controls 4 and 8 stand alone. They may still have outsized ROI relative to the others, so they are not entirely out of the picture. Arbitrage occurs when recouping funds from low ROI vendors and reinvesting in better (cross cutting) bets.
Reserve assurance validates the integrity of your treasury relative to plausible excess losses. Imagine your CFO is unsure if she has enough cash to backstop unexpected losses (the losses that exceed your insurance limits). In working with you she decides she needs tail risk down to a 1% likelihood of exceeding $20M. And she expects that the likelihood of exceeding $30M is negligible.  This represents the CFO’s  cyber risk tolerance relative to the integrity of her treasury.

Cyber Resilience Tactics

The most pivotal tactic in building Cyber Resilience is constructing a Quantified Cyber Action Plan or Q-CAP.  The Q-CAP’s job is to rank order your spend on security controls.  The ranking is based on a concept called return on controls (ROC).  ROC considers how much losses are reduced by the control in relation to its cost.  For example, you would have a 100% ROC if your control costs $100K and it removed $200K in losses.  

Figure 3 above demonstrates how controls buy down risk.  The light blue part of the curve shows where our client  is now.  If they choose to invest in the controls based on the Q-CAP, they can buy down risk to the dark blue area and extending into the dark red.   

Looking closely at the curve you will see that the recommended controls strategy, given the client’s budget, will not get them to their goal. This is where the arbitrage strategy comes in.  Could they sell off the low ROC performers?  What if after everything is said and done they still failed to meet your goal?  Meaning, could they exceed their risk tolerance?  

This is where many play the “risk acceptance” card.  The reality is that acceptance is just code for, “the CFO will pay it out of our reserves.”  This client (or more likely their CFO) is participating in what we like to call, “structured worry.”  It’s better than, “unstructured worry.”  The latter is nothing more than not counting the costs, which is a form of moral hazard.  

This is where resourcefulness and creativity kick in.  Figure 2 indicates that breach risk is relatively outsized.  The client would also know this through a value at risk assessment.  Can the volume and exposure of regulated data be curtailed without costs? Perhaps data is being needlessly duplicated in SaaS environments?  Or, are there SaaS services that are not entirely necessary and simply be turned off?  

This is only the tip of the iceberg in creativity and resourcefulness driven by a Cyber Resilient strategy that is supported by the Q-CAP.  


Consider that Cyber Resilience isn’t merely an objective we use with our customers – its a comprehensive solution.   

The Quantified Cyber Action Plan is a key component in The Resilience Solution, allowing our clients to generate a personalized (and ROI prioritized) cyber mitigation plan that meets industry standards and reduces the most loss at the lowest cost. To learn more about the principles, practices, and platforms related to the QCAP and more, visit www.cyberresilience.com and follow Resilience on LinkedIn and Twitter. Stay tuned for more of  our free community webinar series that delves deeper into this topic. 

You might also like

Five Predictions on the State of Cyber Claims in 2024

Unravel the complexities of cyber risk with the 2023 Mid-Year Claims Report by Resilience. Dive into our analysis and predictions for the cyber insurance industry in 2024, including the pivotal role of AI and regulatory changes.

Knowing Your Risk Surface: A Risk-Focused Approach to Incident Response

After decades of more damaging and less predictable cyber attacks, modern cybersecurity practitioners have recognized the critical need to incorporate more risk-based approaches to their planning efforts. However, despite the continuing advances within the cybersecurity field, analytics firms are noting record years for cybercriminals and breaches against some of the most well-defended organizations in the […]

Top Three Trends on Cyber Resilience from The World Economic Forum

With generative AI dominating the conversation at the World Economic Forum’s annual meeting in Davos this year – a massive 32 sessions in total – it’s easy to overlook another topic that was the focus of WEF’s 2024 Global Cybersecurity Outlook: Cyber Resilience.  The term has taken on a new importance in 2024 as enterprise […]

Do you Need Human Brains to make AI Useful in Cybersecurity?

As the world advances with data processing and artificial intelligence (AI) capabilities at a mind-boggling pace, we might feel as if humans are becoming obsolete. This is certainly the question of an endless series of articles that have clogged our inboxes since the release of ChatGPT publicly in late 2022. Maybe this development is a […]

Mastering Cyber Resilience

Cyber Resilience 101, 202, and accompanying Cyber Resilience Workshops are designed to teach brokers the fundamentals of proactive cyber risk management

Best of Threatonomics Year-End Review

As 2023 comes to an end, we are looking back on our top five most popular blog posts that helped shape our understanding of what it means to be cyber-resilient. 1. Moneyballing Cyber Resilience  Chief Cyber Resilience Officer Richard Seiersen wrote “Moneyballing Cyber Resilience” as a follow-up to  his first webinar, “Superforecasting.” The book, Moneyball, […]