The Question of Rationality
There is a small 4-star hotel in Austrian Alps called Seehotel Jägerwirt. On the one hand, there is nothing special about this hotel—it is a small gem located on Lake Turracher close to Klagenfurt and owned by the Brandstätter family. Yet, it is famous for being hacked for ransom by cybercriminals not once, not twice, not three times—it was hacked four times!1 Cybercriminals used vulnerabilities in the hotel’s computer system to lock the hotel guests out of their rooms. The ransom message was hidden in a Telecom Austria letter and Christoph Brandstätter (the owner) paid the ransom in bitcoin. There are several interesting aspects to this story. First of all, it shows us again that no business is “too small” to be the target. Second, this story is often cited as a showcase of business irrationality: indeed, from the outside it seems rather silly to become the target multiple times and pay the ransom. But is it really irrational?
The question about whether it is irrational or not depends heavily on several factors. First of all, when a business is trying to build a “safe” space, what is the meaning of “safe”? Second, in doing so, what is the ultimate business goal—is it to really be safe or to be compliant with the latest cybersecurity regulations? Finally, what characteristics of the system are the most important for the business? Is it “robustness”, “resilience”, “agility”, “traceability”, which we have already considered earlier in this book, or is it something else? What might seem rather stupid if the ultimate goal is a Robust security system may make perfect sense if the ultimate goal is Resilience. In fact, paying ransoms might not seem such a bad idea if you want to quickly put your business back on track. Fair enough, the Seehotel Jägerwirt’s case is a bit extreme, but imagine yourself in Christoph Brandstätter’s shoes? You are running a hotel and you know a lot about the hospitality business (confirmed by a 4.5 start rating on TripAdvisor)2 but not much about computers and computer systems. One day, you find all your guests locked out of their rooms. Naturally, as any business owner who puts customers first, your main concern is how to reassure your customers and fix the situation as soon as possible to avoid reputational and financial losses. So, for Christoph Brandstätter it was perfectly rational to put the system back on track as soon as possible, even at the cost of paying the ransom. It is important to note that despite suffering all these attacks, the hotel is doing fine. It has now gone back to physical instead of the digital key system (i.e., the hotel is now using traditional metal keys) to avoid being compromised for ransom in the future.
Compliance Versus Security
The story about Seehotel Jägerwirt is important because it highlights that where cybersecurity is concerned, business goals are key [1–3]. Therefore, it is extremely important to determine at the beginning of your journey as a business what exactly your security system is trying to achieve. In the overwhelming majority of cases, business owners face a trade-off between compliance and security. By compliance we mean adherence to the regulatory norms and laws. So, being compliant implies being careful with systems and data not to break any regulations or laws. In contrast, being secure means minimizing the actual risk of cybersecurity breaches.
You have probably already guessed that compliance is a lot easier to achieve than security. There are several reasons why this is the case. Compliance is a very certain phenomenon. There is a set of regulations, laws, and regulatory practices which clearly specify where and how responsibility is assigned to various actions. In other words, the legal systems tell us precisely that if something is not done to ensure the security of the system, your business will be automatically liable by law . Obviously, the aim of the law is to make systems more secure, yet (i) since the law usually offers rather general guidelines for a broad variety of actors, it is interpretable in various ways and (ii) like any mechanism rooted in our culture, it triggers a set of predictable responses which are mostly related to the perception of security rather than to the actual security. For example, if the law regulates that an organization should protect customer data using all possible means and best practices, the easiest response from any organization holding customer data is to say that they purchased the most sophisticated algorithmic solution from a reputable cybersecurity provider. Does it comply with the regulation? Yes, it does. Does it mean that this organization really did everything in its power to secure customer data? No, it does not.
Unlike compliance, security, as we saw in all our previous arguments leading up to this, is a very uncertain phenomenon. Whether a system is really secure depends on many factors and, most importantly, on an organizational ability to anticipate threats, discover vulnerabilities, and approximate risks. We are not trying to suggest that there is something wrong with trying to be compliant rather than trying to be secure. After all, if you believe that “perception is everything”, compliance is exactly what you should be targeting. We are saying, however, that it is important to define what you are really after before investing in any cybersecurity measures because your goals will in many ways define your strategies.
On the Definition of “Safe” and “Secure”
The definition of “safe” and “secure” when it comes to cybersecurity is also not very clear-cut. As we have discussed earlier, for many businesses, “safe” and “secure” primarily means “Robust”. Under these circumstances, their main efforts are concentrated on building higher cyber fences and investing in more sophisticated cyber door locks. Yet, again, as we saw earlier, when it comes to cybersecurity, unless an organization applies a multilayered (catering to different behavioral types of adversaries) and hybrid (anthropotechnological) approach, its systems become highly vulnerable.
Furthermore, for different countries, political systems, even industries, safety and security will mean different things and will be defined in different ways. What is good enough for the cybersecurity of transport may not be good enough for the cybersecurity of cities. What can be considered a cyber “safe” space in the catering industry is not enough to qualify as “safe” in fintech. In this sense, it is incredibly important to define the concept of “safe” and “secure” for your organization before you move on to considering how various cybersecurity risks could be identified and addressed.
False Flags?
The question of false flags is also central to defining business goals with regard to cybersecurity. Our colleague, a medieval war history professor, told us a very interesting fact about medieval battles. It turns out that when knights fought against each other in a major battle, they used their military flags (or standards) as reference points to help them co-ordinate their actions. Here is how this worked.
Imagine that you are in the middle of a medieval battle. You are wearing armor. It is heavy and the visibility inside your helmet (sallet) is incredibly low. It is also very noisy around and you are riding a horse, which adds yet more uncertainty to the entire operation. So, in principle, you are operating in an incredibly uncertain environment with almost zero visibility. How can you possibly know (i) how well your troops are doing and (ii) how to co-ordinate with others in common actions? This is where the standard-bearer comes in. Since you cannot hear or see much, your best bet is to locate the flag. That way you can tell whether your side is winning, losing, or needing to regroup.
In the medieval age, since the standard-bearer had almost no means to defend himself, he was usually the first target for the enemy troops as capturing the standard not only had a symbolic meaning, but left the enemy practically disoriented on the battlefield. The beauty of the battle standard as a reference point was that it revealed to those in the middle of the battle the real state of affairs.
In cybersecurity, we also determine a set of reference points (flags) which should help us to trace the compromises or attacks. We are deliberately using the word should because the fact that these flags exist does not mean that they are real. For example, if your organization has a system of firewalls (or if you are applying a perimeter-free zero-trust approach, as system of verification and validation points), they could act as flags. Yet, it is possible to compromise the system without even touching the firewalls (or verification and validation points). In this case, the flags which you have set up and identified are useless for the formulation of an effective and agile cybersecurity strategy. In this sense, our perception of security often operates in a system of false flags. False flags are often a product of context dependency neglect (i.e., the inclination to adopt universal solutions rather than solutions tailored to a specific context) as well as psychological biases (e.g., these biases could come from previous experiences where being a subject of a particular attack alters your perception of the likelihood of a similar attack in the future). Therefore, it is incredibly important to constantly test a set of flags determined by your organization to see whether these flags still matter and to what extent noticing them helps you to reach your cybersecurity goals. Coming back to our firewalls example, it would be silly to invest large amounts of money into firewall solutions if major cybersecurity risk for your organization comes from phishing or spear phishing. But to identify the waste in your cybersecurity system and to realize that your flags might be false, you have to constantly question these flags.
Cost Versus Benefit
Cost versus benefit is another crucial consideration when making decisions about cybersecurity. Understanding the costs of adverse cyber events combined with the cost versus benefit of various cybersecurity measures allows you to learn which system is “good enough”. What does “good enough” mean for your business? Considering the complexity of cyberspaces and multiplicity of potential threats, some of which may match your organization’s zero-day vulnerabilities, it becomes obvious that it is impossible to avoid cybersecurity risk altogether. Therefore, to a certain extent, risk should be taken. Yet, at the same time, it is necessary to ensure that this risk does not lead to catastrophic consequences. This, of course, is a lot easier said than done.
This process starts by a business or organization listing and understanding all the digital valuables it possesses. Digital valuables may include: consumer personal data; consumer financial data; digital access to important know-how or intellectual property; digital access to physical assets (such as money or infrastructure), etc. Each of these valuables, if lost, will lead to a set of consequences for a business which may include legal consequences, operational consequences, and reputational consequences. Legal consequences refer to the legal responsibility which results from adversarial impact. For example, under the EU’s GDPR, there are a number of legal costs and even a potential fine of up to 4% of annual global turnover, or €20 million (whichever is greater), for violating personal data rights and new digital privacy rights of EU citizens. Operational consequences are related to costs resulting from the immediate disruption of service or regular flow of work within the organization. For example, in the case of a DDoS attack, it is highly likely that the routine delivery of services between a particular business and its consumers will be interrupted and there will be costs associated with putting the usual processes back on track. Reputational consequences are associated with costs which lie more in an ethical domain, but may, nevertheless, impact on business. For example, recent scandals associated with lack of privacy and social engineering on Facebook have already contributed to, and continue to impact, younger users of the social media platform, who are switching to other platforms.3 While reputational concerns do not necessarily lead to direct and immediate financial consequences, they may cause consumer erosion of trust in the brand and lead to a decline in profits over a period of time.
The chart also allows us to map the level of investment relative to the expected return on investment captured in the form of the level of “security”. The dashed curve on the chart captures the nature of investment relative to the type of valuable. For essential valuables, each monetary unit (dollar, pound, euro) of investment yields higher security. For important valuables, the relationship between investment and security is still increasing but at a lower rate compared to essential valuables. For meaningful valuables, the relationship is almost flat—i.e., each additional monetary unit of investment increases the level of security only slightly or even does not make much difference. For secondary valuables, each additional monetary unit of investment yields a diminishing return. It is important to note that the chart assumes that the ultimate goal of a particular business is a higher level of security rather than compliance, as return on investment in the chart framework is measured by security level.
The main trick in implementing the chart methodology in practice is, of course, to list and classify digital valuables for a particular organization. Even though this might not be a trivial task, it is still much easier from the practical point of view to start with valuables rather than potential threats when trying to understand the necessary level of investment and the types of measures which need to be applied to attain a “good enough” level of cybersecurity. We consider this issue in more detail in subsequent chapters.