I think you're confusing theory with the real world.

What happens in practice, is that a company will never upgrade its security systems unless they have a bad scare, or an actual breach. When this happens, they spend as little as possible to mitigate the chance of its happening again.

Take as an example, what happened at Target in 2014. A vulnerability in an FTP server allowed hackers to infiltrate the network and plant screen-scraping malware on all the POS terminals.

When the breach finally came to light, did Target make the POS terminals proof against screen scrapers? No, that would cost too much. They improved the security of FTP servers.

You only have to follow the news of data breaches (I do, but I'm in the security business) to see that each one only results in a short-term Band-Aid solution to the immediate problem.

The security capability maturity evolves with the time and risk level comes from the creative hackers then we need to develop the security capability.

Thank you Mark Sitkowski and Zeyad Mohammad for your contributions.

Allow me to add further thought to my, admittedly, theoretical question.

What I am looking for is any support for the shape of the curve that depicts the relationship between maturity and risk level. In the image that I have attached there are two options that I would think plausible, i.e. a linear relationship and a non-linear S-curve shape. In both cases there are differences in correlations.

What I am looking for is any published research to corroborate such a shape.

As an organization's security capability matures, it reduces its risk as it masters the basics of cyber hygiene, gains expertise in intrusion detection, and adds capabilities to detect and stop data exfiltration.

That said, the hackers are also maturing their capabilities and increasing operating risk for their potential target organizations. The analogy is that as defenders build higher fences, attackers get longer ladders.

To reduce net security risk, organizations need to mature defensively faster than hackers mature offensively.

Michael Ahern

Thank you for this perspective on defender-attacker interaction.

I agree that there is a kind of maturity contest between defenders and attackers. Driving that view to a conclusion ultimately means that defenders must try to mature faster than their counterpart attackers.

My experience indicates that the interaction behaves more like an arms race during which the cost for the attackers are maximized against a minimization of defender costs. The actual drive, however, is largely information-based, as in: who knows what when.

In that respect agile attackers appear to possess an advantage over large organizations in that they can adapt faster to a changed environment.

Translating your observation would result in an oscillating curve with a, preferably, downward trend - as indicated in the attached figure.

Hello Peter,

I like the shape you’be drawn. To quantify it, you might use statistics from the annual Verizon Breach report and/or similar sources (e.g. U.S. FBI). I think you’ll find that basic cyber hygiene will eliminate about 80% of the risk.

Best,

Mike

Michael Ahern

Indeed, as you alluded, basic system hygiene, such as application patching and addressing known database and network components' vulnerabilities, significantly improves security posture. Alas, when it comes to actual implementation, it is a quite different story. The main challenge remains knowing which assets can be found where. Next hurdle is finding somebody with time and a sense of responsibility to implement and test the patch.

Thanks for suggesting mapping statistics from security reports against risk and maturity models.

You're welcome Pieter! I'll be curious about your findings.