
Data Driven Decision Making in Cybersecurity & Risk Management Part I

Capgemini
2020-11-11

This is Part I of a two-part series. The link to the next blog post can be found here.

Making good security decisions is becoming increasingly difficult in today’s complex, digital environment. The proliferation of data and data types, the move to multi-cloud hosting, the rapid pace of software deployment in DevOps and DevSecOps pipelines, and the business models these trends and technologies enable all contribute to the challenge of securing the modern organisation.

Image source: Capgemini

Executives need clear and accurate data insights to assess cyber risk and make informed decisions about investments. Yet, despite this requirement, executives continue to receive reports that are not fit for purpose.

As a result, decision-making in cyber security is often driven by gut feeling, opinion and anecdote rather than by hard evidence.

There’s never been a greater need for a good decision-making framework in cyber security.

The DIBB framework from Spotify brings rigour and consistency to the decision-making process

Originally used at Spotify, the Data-Insight-Belief-Bet (DIBB) framework is a way of aligning people at every level of the organisation around a consistent decision-making approach.

The framework can help teams turn data into actions, which then can be measured to demonstrate a return on investment.

In a security setting, the framework can be applied to turn trends in low-level technical data into a series of easy-to-understand recommendations that can be taken to executives for review [Figure 1].

Figure 1 A walkthrough of the DIBB framework. Source Capgemini Invent

Formulating a reporting process based on DIBB can help overcome the first challenge identified earlier [sidebar]. The raw data becomes the first step in the reporting process rather than its sole output. A DIBB approach distils data into a clear set of actions, which is far more useful to an executive than a chart-laden pack delivered at the start of each month.

Re-measuring determines the impact of your actions

It is not always obvious to other areas of the organisation what they get in return for security activity and investment. For those in security, it can be frustrating to tell that story, but a DIBB approach can help.

A crucial step when using DIBB is re-measuring after taking a bet. You should expect to see a change in the data, which can then be used to quantify return on investment. In the earlier example [Figure 1], the data loss risk had an Annualised Loss Expectancy (ALE) of £1,000,000 before any changes. After implementing the £500,000 Data Loss Prevention (DLP) control, the number of emails found to contain company-sensitive information fell by 90%. The risk’s ALE is therefore now valued at £100,000 [£1,000,000 * (100% - 90%)]. The investment turned out to be a good one because it reduced the risk value by £900,000, which gives a risk ROI of 80% [100 * ((£900,000 - £500,000) / £500,000)]. Two assumptions sit behind that figure and should be stated when it is presented: the 90% drop in detected sensitive emails is taken to translate one-for-one into a 90% drop in expected loss, and the £500,000 is treated as a one-off cost set against a single year’s reduction in ALE. If the control carries a recurring cost, or the baseline count was noisy, the ROI will be lower.

The key point is that the original data source was used to determine the impact of the change. Re-measuring the count of emails found to contain sensitive information gave a quantifiable way of assessing the action taken.
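The re-measurement and ROI arithmetic above, as an added example that is not Capgemini’s code. It reproduces the blog’s DLP figures and generalises them slightly: the ALE is optionally built from a single loss expectancy and annual rate of occurrence (the standard decomposition, which the post does not show, so treat it as an assumption), the email counts before and after the control are constructed so that they give the 90% reduction, and the same functions are run against a control that costs more than the risk it removes, which the post does not cover, to show a negative ROI and a “not worthwhile” verdict. All function and field names are illustrative.

```python
"""Re-measuring a DIBB bet: ALE before and after a control, and risk ROI.

Added example, not code from the original blog post. The monetary figures
follow the post's DLP scenario; the email counts are constructed.
"""
from dataclasses import dataclass


def annualised_loss_expectancy(single_loss_expectancy: float,
                               annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO (standard decomposition; assumption, the post gives
    only the ALE of 1,000,000 and not its components)."""
    if single_loss_expectancy < 0 or annual_rate_of_occurrence < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return single_loss_expectancy * annual_rate_of_occurrence


def reduction_fraction(count_before: int, count_after: int) -> float:
    """Fractional change in the re-measured metric (0.9 means 90% fewer
    events). Negative if the metric got worse after the bet."""
    if count_before <= 0:
        raise ValueError("a non-zero baseline is needed to measure against")
    if count_after < 0:
        raise ValueError("counts cannot be negative")
    return (count_before - count_after) / count_before


def remeasured_ale(ale_before: float, count_before: int, count_after: int) -> float:
    """ALE after the bet, assuming (as the post does) that loss expectancy
    scales linearly with the re-measured count of sensitive emails."""
    return ale_before * (1.0 - reduction_fraction(count_before, count_after))


def risk_roi_percent(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Risk ROI exactly as the post defines it:
    100 * ((ALE_before - ALE_after) - control_cost) / control_cost."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    risk_reduction = ale_before - ale_after
    return 100.0 * (risk_reduction - control_cost) / control_cost


@dataclass(frozen=True)
class BetOutcome:
    """What you would take back to the executive after re-measuring."""
    reduction_pct: float   # change in the re-measured metric
    ale_before: float
    ale_after: float
    risk_reduction: float  # ALE_before - ALE_after
    roi_pct: float
    worthwhile: bool       # True only if the control removed more risk than it cost


def evaluate_bet(ale_before: float, count_before: int, count_after: int,
                 control_cost: float) -> BetOutcome:
    """Run the full re-measurement: metric change -> new ALE -> ROI."""
    ale_after = remeasured_ale(ale_before, count_before, count_after)
    roi = risk_roi_percent(ale_before, ale_after, control_cost)
    return BetOutcome(
        reduction_pct=100.0 * reduction_fraction(count_before, count_after),
        ale_before=ale_before,
        ale_after=ale_after,
        risk_reduction=ale_before - ale_after,
        roi_pct=roi,
        worthwhile=roi > 0,
    )


if __name__ == "__main__":
    # Constructed sample: 2,000 emails with sensitive content found per period
    # before the DLP control, 200 after it (the post's 90% reduction).
    print(evaluate_bet(1_000_000, 2_000, 200, 500_000))
    # Same data, but a control that costs more than the risk it removes.
    print(evaluate_bet(1_000_000, 2_000, 200, 1_200_000))
```

The `worthwhile` flag is deliberately strict: a bet whose risk reduction only matches its cost has a 0% ROI and is reported as not worthwhile, so that the executive summary does not flatter break-even spending.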

Applying the framework in your own organisation

Putting a framework like this to use in your own organisation may not be so straightforward. There is far more to it than crunching some numbers, producing some charts, attempting to explain the data and placing the analysis in front of your decision makers.

In Part II of this series, you will learn what it takes to implement this way of working within your own organisation using a five-step approach.

Author

Dan Harrison