Schools and colleges need to focus their available funds on teaching and learning, and in the students within their care. As such it can be difficult to justify significant spending on cyber security. Investing in cyber security is investing in preventing the possibility, a chance, of a cyber incident occurring. The challenge therefore is establishing a way to frame the costs in order to identify what represents good value.
Cyber security is all about risk management. Every risk has a probability of occurring. This might be a 1 in 100 or 1 in 1000 or 1 in 1 million. This is where the difficulties in justifying spending on cyber security arise. For the last 10 years an institution may not have suffered any significant incidents. As such how can the head of their IT justify spending an additional £4000 or £5000 per annum on cyber security? We are working from the point that it is more likely an incident wont happen that it will. Viewed from the point of view of past experience, the institution has been fine for 10 years, with the probability of an incident assumed to remaining roughly the same, so is likely to be fine in the next 10 years, excepting for this small probability. So, stay as is or spend £40,000 – £50,000 over 10 years to provide additional protection just in case? Viewed from this point it may be difficult to justify the spend especially if the overall budget for the school is low.
Let’s take a more mathematical approach to the problem; If we take approximately 25,000 schools in the UK where I am aware of around 20-25 which have experienced cyber incident this year. Let’s assume I am aware of only a small number of the schools which actually experience incidents, say 10%. So, lefts take a probability of 250 incidents per 25,000 schools or 1 in 100. At this point rather than looking at the chance of an incident occurring, we are assuming that an incident is guaranteed to occur within a given period. Taking this probability, in 100 years, every school in the UK would likely have been hit. If hit, let’s make an assumption that the cost would be £250,000 to recover (this is very much a guess figure and would be dependent very much on the size of the school, its type, complexity, infrastructure, etc). Taking the probability of 1 hit every 100 years, with each hit costing £250,000, this means the approximate annual equivalent cost would be £2500 per annum. The cost for the additional protection is looking a little better at this point. All it would take is for the recovery costs to grow to £400,000 or for the probability of a hit to increase to 1 in 62.5 rather than 1 in 100 schools.
For me the key things is to move from a position of looking at the chance on an incident happening, where we assume it is more likely an incident wont occur and moving to a position of “not if but when.” At this point we are accepting an incident is guaranteed to occur within a given time period, but we just don’t know when. With this viewpoint we can start to make a more reasoned judgement on costs. We can also factor in the schools risk appetitive, with a school with a high risk appetite likely to choose to underestimate the probability of an incident while one with a low appetite for risk likely to overestimate.
We very much need to reframe how cyber risk and cyber security investment is looked at. Hopefully the above presents at least one possible way to do this in an easy but yet meaningful way.