Part Two of the “Breaking Lemonade” Series
“…I’m going to be spending more on protecting lemonade than making lemonade!”
– Olivia, Lemonade Entrepreneur
One of the most important features of the Resilience SaaS platform is our Quantified Cyber Action Plan. It supports CISOs making decisions under risk and uncertainty by providing a prioritization for which cyber controls should be implemented, based on their ROI. The power of this approach lies in the fact that it guides the most efficient use of resources toward the goal of cyber resilience. To help with this understanding, let’s return to the Breaking Lemonade saga we started last year.
Recall that we met Olivia last year as an emerging lemonade stand entrepreneur who faced a vexing issue regarding how much bully insurance she needed. Her brother Oliver guided her thinking by introducing her to the concept of value-at-risk.
Since getting a handle on the threat that bullies posed to her lemonade stand, Olivia’s business has grown. What began as a single stand with fruit crate shelves and a dollar-per-cup revenue model has blossomed into a small empire: multiple stands, a few part-time employees (mostly friends paid in slushies), and even a mobile lemonade cart at the local soccer field on weekends.
But with growth comes complexity. Now Olivia has to deal with supply deliveries, complaints from a rival iced tea vendor, and a whole new set of security concerns. Someone recently broke into her garage and stole her lemon stash, costing her nearly a full day of revenue. She began investing in deterrents—padlocks, motion lights, a subscription to a neighborhood watch service. She even hired a security consultant named Lexi, who was offering a seasonal deal on “all-inclusive protection plans.”
The Problem With Too Much Protection
But by the third week of June, Olivia noticed something disturbing: her security budget was creeping up faster than her profits. And yet, she felt as if she wasn’t spending enough. Maybe she should ask her parents for a loan to cover the extra security she needed.
“At this rate, I’m going to be spending more on protecting lemonade than making lemonade,” she said to her brother, Oliver. “Lexi says I also need cloud-based surveillance for the inventory app she helped me build. But I don’t even know if these upgrades are worth it. It feels like she’s using FUD to persuade me, but how much protection is too much?”
Oliver, now a freshman studying finance and risk management (thanks in no small part to his lemonade consulting career), put down his limone granita and smiled. “You’re asking the right questions, Liv. Remember last summer when I helped you understand value-at-risk? I’ve learned a bit more since then. The key is not just knowing your value-at-risk. It’s knowing your expected avoided loss. You compare that to what you’re spending on deterrents. Then, you implement those that produce an expected avoided loss that is greater than the cost of a deterrent.”
Olivia looked puzzled. “Expected avoided loss?”
“Let me explain,” Oliver said. “Let’s go back to the Great Lemon Theft last week. You lost how much?”
“About $80 in one day. That’s cups not sold and lemons wasted. That was about one day’s worth of revenue.”
“Right. Now, imagine that happens again. And again. How often do you think it could reasonably happen this summer and the next if you did nothing new to prevent it?”
“Maybe…three more times?”
“So your expected loss without deterrence is about $240. Now, the padlock you bought cost $15, and the motion light was $30. Those prevent casual theft, right?”
“Yeah, probably,” Olivia said. “They make it harder to break in quietly.”
“Then if those $45 in controls prevent even two of those thefts, you’ve saved $160. That’s your avoided loss. Subtract the $45 cost, and your net benefit is $115. Pretty good deal, huh?”
Olivia nodded slowly. “Okay. So the trick is to estimate how much loss my efforts help me avoid—not just whether it makes me feel safer or if consultants recommend it as part of a package deal.”
“Exactly,” Oliver said.
Better Decisions: The Final Squeeze
“Now, let’s look at Lexi’s ‘all-inclusive protection plan’ with the cloud-based inventory security. How much is that again?”
“$150,” Olivia said. “And she says it helps prevent things like data loss and order mix-ups.”
“How many times has that ever happened?”
“Well…never. I mean, I can keep track of my inventory and supply orders in this notebook right now.”
Oliver raised an eyebrow. “So unless there’s a clear, plausible event that would cost you more than $150, that control may not be justified yet. It might be good to have eventually, but not right now if your margins are too tight or if you have more important opportunities to invest in your business.”
They sat quietly, sipping granita. Olivia considered her brother’s guidance.
“So I guess I should start asking: How often do bad things happen? And for each new safeguard, what bad thing does it prevent? Or maybe to put it another way, how much of my value-at-risk does it reduce? And is the avoided loss greater than the cost?”
“You’re a fast learner,” Oliver said. “And if you get really good, you’ll start ranking threats and safeguards by their return on protection investment, your ROPI.”
“RO–what?”
“Never mind,” he grinned. “Let’s just call it wise security spending.”
“A Lemonade for Take-away, Please”
In any business—even a lemonade stand—in which risk management is a concern, the question isn’t how to eliminate all risk, but how to invest wisely in reducing the most likely and most costly risks. Of course, we know that real life is more complicated than our little parable communicates, but investing wisely still means, in part, measuring the expected avoided loss of security controls and comparing that to their cost. Just like Olivia, organizations can learn to prioritize controls that protect real value without over-investing in unlikely threats.
In the last section, Oliver mentioned that the final step in making good decisions about security investments is to rank-order them by ROPI, or more commonly, ROI. As long as your candidate investments fall roughly within the same order of magnitude of cost, ROI provides a reasonably good ranking function for your organization.
This is because ROI doesn’t just tell you whether a decision will be profitable. It also tells you how much “bang for your buck” you are likely to get for your efforts, that is, how efficiently your allocated resources will work for you on a risk-adjusted basis. Remember, you are making forward-looking decisions under uncertainty, not retroactively accounting for whether you executed those decisions well.
Let’s consider the table (Table 1) and accompanying chart (Chart 1) describing eight fictitious security investments and their avoided losses (each in $000) according to “Oliver’s Refreshing Lemon Squeeze” recipe. For each investment, we evaluate an expected (risk-adjusted) net avoided loss. We then sort the security initiatives in order of declining ROI. Finally, we calculate the cumulative investment and cumulative net avoided loss in that rank order.
| A: Security Initiative | B: Investment ($000) | C: Expected Avoided Loss ($000) | D: Net Avoided Loss ($000) = C − B | E: ROI = D / B | F: Cumulative Investment ($000) = CumSum(B) | G: Cumulative Net Avoided Loss ($000) = CumSum(D) |
|---|---|---|---|---|---|---|
| A | $155 | $887 | $732 | 4.72 | $155 | $732 |
| E | $255 | $933 | $678 | 2.66 | $410 | $1,410 |
| C | $300 | $974 | $674 | 2.25 | $710 | $2,084 |
| B | $420 | $1,000 | $580 | 1.38 | $1,130 | $2,664 |
| D | $500 | $862 | $362 | 0.72 | $1,630 | $3,026 |
| H | $600 | $650 | $50 | 0.08 | $2,230 | $3,076 |
| G | $360 | $375 | $15 | 0.04 | $2,590 | $3,091 |
| F | $390 | $219 | -$171 | -0.44 | $2,980 | $2,920 |
Table 1: A portfolio of security initiative investments rank-ordered by their risk-adjusted ROI.
Chart 1: The marginal contribution of risk-adjusted return to cumulative investment.
With these last two columns we can construct a “CFO chart” that graphically depicts the economic efficiency of your investment portfolio. Remember, the CFO is one of the Money People with whom you want to speak on their terms, not just so that you can be more persuasive about your security budget needs, but so your organization can transparently consider all the investment opportunities put before it to make rational tradeoff decisions. Now your portfolio is ready for both security and broader enterprise tradeoff discussions.
The first five initiatives (A, E, C, B and D) add positive value to the portfolio, so they are definite keepers within the scope of security budgeting. But suppose your current budget is effectively capped at $1M. Perhaps you can request the 13% increase needed to fund everything down to initiative B. Since initiative F destroys value, exclude it from consideration unless regulations, compliance, or contractual obligations require it.
Initiatives H and G yield small returns that flatten the curve, adding little or no value to the portfolio. What you are observing here is diminishing returns from adding security controls. This approach assumes that the initiatives are independent, but in practice we know they are not: most security controls overlap with other controls, deployed in a defense-in-depth approach so that one control covers the blind spots another leaves uncovered. Once a few are in place, the marginal benefit of the next can drop quite a bit. So although you might treat H and G like initiative F and prune them altogether, you might also do a little soul-searching about the benefits of the redundancies, if they exist.
Finally, if your current security budget is within $3M, you could reallocate the $1.35M earmarked for H, G and F to search for other valuable projects. But regardless of where you set your acceptance cutoff, you now have a set of initiatives that can be rationally compared to other enterprise-wide initiatives by the same economic metrics.
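The ranking and budget-cutoff procedure walked through above (Table 1 and the paragraphs that follow it), as an added Python example that is not code from the original post or from the Resilience platform. It recomputes Table 1's derived columns from the investment and expected-avoided-loss inputs, applies a greedy budget cap (a fair ranking only when costs are of similar magnitude, as the text notes), and reports the budget increase needed to reach a given initiative; the `from_estimates` helper encodes Oliver's padlock arithmetic from the dialogue. Class, field and function names are my own.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Initiative:
    name: str
    investment: float  # same money unit throughout ($000 for Table 1)
    expected_avoided_loss: float  # risk-adjusted: expected loss without the control minus with it
    @classmethod
    def from_estimates(cls, name, investment, loss_per_event, events_prevented):
        # Oliver's recipe: avoided loss = events the control is expected to stop x loss per event
        return cls(name, investment, events_prevented * loss_per_event)
    @property
    def net_avoided_loss(self) -> float:
        return self.expected_avoided_loss - self.investment  # column D = C - B
    @property
    def roi(self) -> float:
        return self.net_avoided_loss / self.investment  # column E = D / B

# Table 1 inputs ($000); the derived columns D-G are recomputed below, not copied
PORTFOLIO = [
    Initiative("A", 155, 887), Initiative("B", 420, 1000), Initiative("C", 300, 974),
    Initiative("D", 500, 862), Initiative("E", 255, 933), Initiative("F", 390, 219),
    Initiative("G", 360, 375), Initiative("H", 600, 650),
]

def rank_by_roi(initiatives):
    """Sort by declining ROI and attach cumulative columns F and G (the CFO chart axes)."""
    rows, cum_inv, cum_net = [], 0.0, 0.0
    for i in sorted(initiatives, key=lambda x: x.roi, reverse=True):
        cum_inv += i.investment
        cum_net += i.net_avoided_loss
        rows.append({"name": i.name, "investment": i.investment, "net": i.net_avoided_loss,
                     "roi": round(i.roi, 2), "cum_investment": cum_inv, "cum_net": cum_net})
    return rows

def select_within_budget(rows, budget):
    """Keep value-adding initiatives, top ROI first, that fit under the cap; net <= 0 is never kept."""
    kept, spent, excluded = [], 0.0, []
    for r in rows:
        if r["net"] <= 0:
            excluded.append(r["name"])
        elif spent + r["investment"] <= budget:
            kept.append(r["name"])
            spent += r["investment"]
    return kept, spent, excluded

def budget_increase_for(rows, budget, name):
    """Fractional budget increase needed to fund the ranking down to and including `name`."""
    cum = next(r["cum_investment"] for r in rows if r["name"] == name)
    return max(0.0, cum / budget - 1)
```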
This is why our Quantified Cyber Action Plan is so important in your quest for organizational resilience: it gives you the ability to make wise lemons-to-lemons comparisons and tradeoff decisions against other uses of scarce capital under risk, in the most efficient manner. To be resilient, our goal should be to avoid being squeezed by the fear of every threat, and squeezing every lemon as a result. Rather, we need to focus on squeezing the right lemons, by just the right amount and with the right priority.
If you’re ready to move beyond gut-based or compliance-driven security spending and start making risk-driven decisions that maximize both protection and value, then it’s time to build your own Quantified Cyber Action Plan. At Resilience, we help organizations identify the controls that deliver the greatest return on investment so you can defend smarter, not just spend harder. Let’s work together to prioritize the right security controls for your business and build cyber resilience that’s as scalable as Olivia’s lemonade empire. Contact us to start quantifying your avoided loss and squeezing the most out of every security dollar.