Making the Most of Limited Cybersecurity Budgets with Anylogic Modeling

George Hamilton, Purdue University

Abstract

In an increasingly interconnected world, technology is now central to the operations of most businesses. In this environment, businesses of all sizes face an ever-growing threat from cyberattacks. Successful cyberattacks can result in data breaches, which may lead to financial loss, business interruptions, regulatory fines, and reputational damage. In 2021, the losses from cyber attacks in the United States were estimated at $6.9 Billion [4].Confronting the threat of cyberattacks can be particularly challenging for small businesses, which must defend themselves using a smaller budget and less in-house talent while balancing the pursuit of growth. Risk assessments are one method for organizations to determine how to best use their cybersecurity budgets. However, for small businesses, a risk assessment may require a significant portion of the budget which could otherwise be used to implement cybersecurity controls.This research builds on existing research from Lerums et al. for simulating a phishing attack to present a model that very small businesses may use in place of or as a precursor to a risk assessment [1]. The updated model includes sensible default values for the cost and effectiveness of cybersecurity controls as well as the number of cyberattacks expected per year. Default values are based on academic literature, technical reports, and vendor estimates, but they may all be changed by organizations using the model. The updated model can also be tailored by non-technical users to reflect their network, relevant threat actors, and budget. Lastly, the updated model can output an optimized control set that yields the maximum annual net return and the single control with the greatest annual return on investment based on a user’s inputs.After construction, the updated model is tested on organizations with 5, 25, and 50 employees facing varied sets of threat actors and attacks per year. Key takeaways include the high net return of all security controls tested, benefits of defense-in-depth strategies for maximizing return across multiple attack types, and the role of threat actors in tempering high estimates of security control effectiveness.

Degree

M.Sc.

Advisors

Dietz, Purdue University.

Subject Area

Computer science

Off-Campus Purdue Users:
To access this dissertation, please log in to our
proxy server
.

Share

COinS