Estimating the Financial Impact of Security Culture
The best way to make a case that a security culture diagnostic project is worth the cost is to show how much impact cultural improvement can have on the organization's bottom line. We can begin to show the value that stronger InfoSec cultures bring by building a basic model of how security culture affects the likelihood and cost of security incidents. In other words, we can show senior management just how much a weak security culture might cost them.
The case study presented in the following section uses a basic probabilistic technique, Monte Carlo simulation, to estimate the financial impact of different security cultures within an organization. Monte Carlo simulations are used widely in industry for estimating all kinds of risk, from financial performance to the likelihood of project failures. They are less commonly used in information security in my experience, although I've introduced a few companies to them during my professional travels. At a high level, I will make some assumptions about security culture and the likelihood of security incidents, build a set of scenarios that incorporate those assumptions, and then test those scenarios statistically by simulating them repeatedly. The outcome of the simulation will show the expected effect of security culture on an organization's losses from security incidents.
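As an added example (not the case study's own model), here is a small Monte Carlo simulation of the approach described above: each culture scenario is given an assumed annual incident rate and an assumed per-incident loss distribution, and many simulated years are drawn to estimate expected and tail losses. All scenario names and numbers are constructed placeholders, not figures from the text.

```python
import math
import random
import statistics

# Constructed scenario parameters (assumptions for this example, not figures from the text):
# incidents per year are Poisson with a rate that falls as culture improves; the loss per
# incident is lognormal around a median that also falls. loss_sigma sets the tail heaviness.
SCENARIOS = {
    "weak":    {"incident_rate": 4.0, "loss_median": 150_000, "loss_sigma": 1.0},
    "average": {"incident_rate": 2.0, "loss_median": 120_000, "loss_sigma": 1.0},
    "strong":  {"incident_rate": 0.8, "loss_median": 90_000,  "loss_sigma": 0.9},
}

def poisson(rate, rng):
    """Draw one year's incident count (Knuth's method; adequate for small rates)."""
    threshold, k, p = math.exp(-rate), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= threshold:
            return k - 1

def annual_loss(params, rng):
    """One simulated year: sum a lognormal loss for each incident that occurs."""
    mu = math.log(params["loss_median"])
    n = poisson(params["incident_rate"], rng)
    return sum(rng.lognormvariate(mu, params["loss_sigma"]) for _ in range(n))

def expected_annual_loss(params):
    """Closed-form mean of the compound-Poisson model, to sanity-check the simulation."""
    return params["incident_rate"] * params["loss_median"] * math.exp(params["loss_sigma"] ** 2 / 2)

def simulate(params, trials=10_000, seed=1):
    """Run `trials` simulated years and summarise the loss distribution."""
    rng = random.Random(seed)
    losses = sorted(annual_loss(params, rng) for _ in range(trials))
    return {
        "expected": statistics.fmean(losses),
        "p95": losses[int(trials * 0.95)],  # the tail figure management usually asks about
        "p_no_loss": sum(1 for x in losses if x == 0) / trials,
    }

def compare(scenarios=SCENARIOS, trials=10_000, seed=1):
    """Per-scenario summaries; the gap between rows is the estimated cost of a weaker culture."""
    return {name: simulate(p, trials, seed) for name, p in scenarios.items()}

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:8s} expected={r['expected']:>12,.0f} p95={r['p95']:>12,.0f} "
              f"incident-free years={r['p_no_loss']:.1%}")
```

The closed-form mean lets you check that the simulation converges before presenting the numbers; the p95 figure is what turns "fewer incidents" into a bad-year loss estimate management can weigh against the diagnostic's cost.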