Everyone seems to understand intuitively that cyberattacks are bad news, especially in the public sector. A ransomware attack could render an emergency communications center's networks and systems inoperable for hours, days, weeks, even months, preventing the handling of 911 calls and the dispatching of life-saving response. If a court system suffers a breach, sensitive data could be exfiltrated and sold on the dark web, with disastrous consequences both for the court system and for the citizens it serves.
Just as intuitive is the notion that mitigation strategies and tactics are of great value. Here the adage rings true: an ounce of prevention is worth a pound of cure. Numerous strategies and tactics are available to public-sector organizations, including the following:
Among these, vulnerability scanning stands out, not only as a foundational and proactive measure, but also as a regulatory requirement for compliance with the Criminal Justice Information Services (CJIS) security policy. As of October 2023, regular vulnerability scanning is a mandated practice for all entities that access or manage criminal justice information. This requirement underscores the critical nature of vulnerability scanning in safeguarding sensitive data against cybersecurity threats.
The inclusion of vulnerability scanning as a CJIS-compliance requirement highlights its significance in the public sector's cybersecurity arsenal. By systematically examining networks, systems, and software to identify security weaknesses, public-sector organizations can address those weaknesses before attackers exploit them. Today this proactive measure is not just a best practice but a compliance necessity, helping ensure that sensitive criminal-justice information remains protected against unauthorized access and breaches.
While every strategy and tactic identified above is effective, each carries a cost. That is something public-safety and court-system officials with budget responsibility will weigh as they decide which to adopt. They also will try to gauge the level of cyberattack risk they face, both in terms of likelihood and in terms of damage potential. In this regard they are like insurance actuaries, who use mathematical formulas, statistics, and financial theory to establish the economic cost of the risks that exist.
This is where return on mitigation (ROM) comes into play. It is a relatively new concept, but one that is rapidly gaining traction in the cybersecurity world. ROM is analogous to return on investment: where ROI measures profit against cost, ROM measures the anticipated cost of a cybersecurity breach against the cost of mitigating it. Admittedly, it is less cut and dried than ROI, where profit and cost are easily discerned and tracked, because assigning a monetary value to an anticipated breach involves estimates that are inherently uncertain. Yet ROM is something that every public-safety and court-system official with financial responsibility should consider.
Some of the factors that ROM considers in determining the cost of an anticipated cybersecurity breach are as follows:
The first step in the ROM process is understanding the implications of a cybersecurity breach for each network, each system, and your data; without that understanding it is impossible to monetize the effects, which is the second step. The third step is to determine what you would need to do to respond to a cyberattack and what that response would cost. The fourth step is to determine the cost of the mitigation solutions that are in place and/or desired. The final step is to calculate your ROM.
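The five steps above, carried through end to end as an added worked example. This code is not from the article and is not MCP's method: the article notes that formulas for ROM exist but does not state one, so the example assumes the widely used annualized loss expectancy (ALE) model, in which the single loss expectancy (SLE) of a breach is multiplied by its estimated annual rate of occurrence (ARO), and ROM is then the ALE avoided by a mitigation, net of the mitigation's cost, divided by that cost. Every dollar figure, hour count, and probability below is a constructed placeholder, not real data.

```python
"""Worked return-on-mitigation (ROM) calculation (added example).

Assumption: the ALE model (SLE x ARO) and a ROSI-style ratio
    ROM = (ALE_before - ALE_after - mitigation_cost) / mitigation_cost
The article does not prescribe a formula; this is one common choice.
All inputs are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    """Step 1 and 2: what a breach of this asset means, in dollars."""
    name: str
    downtime_cost_per_hour: float    # lost operations, overtime, mutual aid
    expected_outage_hours: float     # how long the asset would be down
    records_at_risk: int             # sensitive records that could be exposed
    cost_per_record: float           # notification, credit monitoring, legal
    response_cost: float             # step 3: forensics, IR retainer, rebuild
    annual_rate_of_occurrence: float  # estimated successful attacks per year

    def single_loss_expectancy(self) -> float:
        """Monetized cost of one breach of this asset (SLE)."""
        return (self.downtime_cost_per_hour * self.expected_outage_hours
                + self.records_at_risk * self.cost_per_record
                + self.response_cost)

    def annualized_loss_expectancy(self) -> float:
        """Expected yearly loss (ALE = SLE x ARO)."""
        return self.single_loss_expectancy() * self.annual_rate_of_occurrence


@dataclass
class Mitigation:
    """Step 4: a control, its yearly cost, and the share of loss it avoids."""
    name: str
    annual_cost: float
    risk_reduction: float  # fraction of ALE the control is expected to remove, 0..1


def return_on_mitigation(assets: list[Asset], mitigation: Mitigation) -> dict:
    """Step 5: ROM for one mitigation across all assets it protects.

    A negative ROM means the control costs more than the loss it avoids
    on an ALE basis alone; it may still be justified by a compliance
    mandate such as CJIS, but it does not pay for itself on this model.
    """
    if mitigation.annual_cost <= 0:
        raise ValueError("mitigation cost must be positive")
    if not 0.0 <= mitigation.risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")

    ale_before = sum(a.annualized_loss_expectancy() for a in assets)
    ale_after = ale_before * (1.0 - mitigation.risk_reduction)
    avoided_loss = ale_before - ale_after
    rom = (avoided_loss - mitigation.annual_cost) / mitigation.annual_cost
    return {
        "mitigation": mitigation.name,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "avoided_loss": avoided_loss,
        "rom": rom,
        "pays_for_itself": rom > 0,
    }


def rank_mitigations(assets: list[Asset], options: list[Mitigation]) -> list[dict]:
    """Compare candidate controls, highest ROM first."""
    return sorted((return_on_mitigation(assets, m) for m in options),
                  key=lambda r: r["rom"], reverse=True)


# Constructed sample inputs (placeholders, not real figures).
SAMPLE_ASSETS = [
    Asset("911 call-handling network", 5_000, 72, 0, 0.0, 150_000, 0.20),
    Asset("court case-management system", 1_000, 48, 200_000, 5.0, 250_000, 0.10),
]
SAMPLE_OPTIONS = [
    Mitigation("vulnerability scanning program", 40_000, 0.35),
    Mitigation("outsourced 24x7 SOC", 120_000, 0.35),
]

if __name__ == "__main__":
    for result in rank_mitigations(SAMPLE_ASSETS, SAMPLE_OPTIONS):
        print(f"{result['mitigation']}: ALE ${result['ale_before']:,.0f} -> "
              f"${result['ale_after']:,.0f}, ROM {result['rom']:.2f}, "
              f"pays for itself: {result['pays_for_itself']}")
```

The two sample controls are given the same risk reduction on purpose: it shows that ROM is driven as much by the cost of the control as by its effectiveness, and that a control can be worth funding for compliance reasons even when this ratio comes out negative. The ARO and risk-reduction figures are the "actuarial" inputs the article refers to; they are estimates, and the calculation is only as defensible as they are.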
Figuring out ROM is a big, complicated task, but one that is worth tackling. Formulas exist for doing this, and MCP's cybersecurity team knows how to select the one that is right for your circumstances and how to apply it. We're eager to help; please reach out.
Jason Franks is an MCP cybersecurity specialist. Email him at JasonFranks@MissionCriticalPartners.com.