Write-up: The Human Factor in Cybersecurity

Optimal Cybersecurity Budgeting: Investing in People and Technology

BLUF

The optimal allocation of a limited cybersecurity budget distributes 40% to employee training and 60% to technology.

Assessment

The first step as a Chief Information Officer would be conducting a comprehensive assessment of the organization’s cybersecurity posture. Employing the NIST Cybersecurity Framework (CSF) 2.0 self-assessment tools provided by the National Institute of Standards and Technology (2024) will highlight what data must be protected and determine the training requirements.

Training

Human error is a significant risk in any cybersecurity program and is routinely exploited through social engineering and phishing attacks. As Evans et al. (2019) point out, 99% of data security incidents are caused by human error, so investing in a training program is essential. Bada et al. (2019) highlight the importance of addressing human vulnerabilities through targeted training, and cost-benefit analyses such as Gordon and Loeb (2002) suggest that organizations should allocate their cybersecurity budget to balance cost against the level of risk. Together these findings show that training can be highly cost-effective. Allocating 40% of the budget to an effective training program will build a culture of cybersecurity awareness and strengthen the overall cybersecurity posture.

Technology

The majority of the cybersecurity budget should be allocated to additional cybersecurity technologies, because advanced cyber threats require costly technological measures. Basic cybersecurity tools, such as firewalls, antivirus software, and encryption, offer some protection, but more is needed. Radziwill and Benton (2017) argue that the optimal cybertechnology investment is reached when the minimal increase in cyber investment cost equals the minimal decrease in financial loss. Cybertechnology must focus not only on protecting data but also on recovering it. Song and Park (2024) describe this as cyber resilience: how quickly a company can recover after a cyber threat bypasses its security controls. The technology budget must therefore include equipment that supports response and recovery, such as offsite backup data centers. Allocating 60% of the budget to high-impact, scalable cybersecurity tools will provide substantial protection against cyber threats.

Conclusion

The optimal allocation of the cybersecurity budget is crucial for building a robust security posture. Dedicating 40% of funding to training and 60% to technology represents a strategic blend of prevention and defense. Implementing this balanced allocation enables organizations to address both human and technical vulnerabilities effectively and maximizes their overall security posture.

References

Bada, M., Sasse, A. M., & Nurse, J. R. C. (2019). Cyber Security Awareness Campaigns: Why do they fail to change behaviour? https://doi.org/10.48550/arxiv.1901.02672

Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security, 5(4), 438–457. https://doi.org/10.1145/581271.581274

Gordon, L. A., Loeb, M. P., & Zhou, L. (2020). Integrating cost–benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model. Journal of Cybersecurity (Oxford), 6(1). https://doi.org/10.1093/cybsec/tyaa005

National Institute of Standards and Technology. (2023). NIST Cybersecurity Framework 2.0. https://doi.org/10.6028/NIST.CSWP.29

Radziwill, N., & Benton, M. (2017). Cybersecurity Cost of Quality: Managing the Costs of Cybersecurity Risk Management. Software Quality Professional, 19(4), 25.

Song, J., & Park, M. J. (2024). A system dynamics approach for cost-benefit simulation in designing policies to enhance the cybersecurity resilience of small and medium-sized enterprises. Information Development. https://doi.org/10.1177/02666669241252996
