A decision model on optimising cybersecurity controls using organisation preferences


Bibliographic Details
Main Author: Ansaria, Afra
Other Authors: Shrobe, Howard E.
Format: Thesis
Published: Massachusetts Institute of Technology 2022
Online Access: https://hdl.handle.net/1721.1/139550
Description

Cybersecurity is an organisational issue that should be looked at through the lens of various stakeholders. However, it is often treated as a siloed issue in which more is always seen as better. CISOs, CIOs and other key decision-makers struggle to understand how much security is enough. All cybersecurity solutions, often referred to as controls, leave a residual risk, since there is no such thing as perfect security. The level of that risk should ultimately be a choice predicated on the business goals of the organisation. Cybersecurity controls are often presented without sufficient business context, which is required to optimize the risks and balance them against the needs of other business operations. For uninterrupted business operations, there is a need to bridge the gap between technology and business decision making. Optimizing cybersecurity risk in a business context demands a model that considers the priorities of the organisation through the lens of the key stakeholders. By taking the overall priorities into consideration in the context of the business goals, we can better guide the decision process of choosing the optimal security controls. Such an approach would help answer questions such as 'How can we manage cybersecurity risk in the company? What are the right cybersecurity controls for our business goals? How much should we spend on cybersecurity?' There is no one perfect formula when it comes to picking security controls. Each organisation has a different set of priorities, and thus its needs for security controls will be different. An optimal solution requires a balanced approach towards the risk, cost and benefit of the solution. A thorough analysis of the overall costs and benefits of implementing each control, and of its potential risk, would enable the decision-maker to pick controls that are in line with the business goals.

The work of this thesis involves looking at the trade-offs of security controls, which are influenced by the organisation's priorities, with respect to the cost and value they bring to the organisation. We represent the organisation's priorities as preferences. These preferences are then translated into a utility function that can be used to evaluate the available controls. Once the list of preferred controls is gathered, we analyze the cost and benefit relationship for each of the controls. The cost and benefit are represented in terms of the value the organisation assigns to the processes and business units that are under threat. Finally, we look for an optimal range of potential controls and their placement, which can provide the utmost security to the organisation while keeping the business preferences in place.
Department: Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science; System Design and Management Program
Degree: S.M.
Thesis Date: 2021-06
Rights: In Copyright - Educational Use Permitted; copyright retained by author(s); https://rightsstatements.org/page/InC-EDU/1.0/
File Format: application/pdf