Skip to main content

Kennedy School Review

Topic / Science, Technology and Data

What is the Right Price for Cybersecurity?


Former NSA Director, Mike McConnell recognized the agency was trapped in a slow-motion cybersecurity crisis long before explosive security breaches were revealed by The New York Times. “We have had a train wreck coming,” Mr. McConnell said. Cybersecurity will be a significant portion of the FY 2018 federal budget with more than $20 billion in unclassified program investments hanging in the balance according to the Taxpayers for Common Sense. Identifying how and where to invest resources will be a challenge for every agency.

The FY 2018 federal budget builds on a May 2017 Executive Order to strengthen the security of federal networks through the adoption of a common framework to manage each agency’s cybersecurity risk posture. “For the first time, this budget includes discrete cyber program investments that align budget resources with the National Institute of Standards and Technology (NIST) Cybersecurity Framework,” according to OMB. This framework will serve to align agency data to meet specific cost, schedule, and performance objectives.

However, after returning to work after the second federal shutdown in three weeks, agencies are faced with the daunting task of operating under another temporary budget package to keep the government operating into late March. Despite the recent bipartisan two-year spending agreement, agencies have spent the past several months operating in a constrained environment with little flexibility surrounding discretionary spending. Persistent budget ambiguity delayed critical cybersecurity programs, prevented the termination of unnecessary activities, and all but froze the ability for agencies to enter into new contracts, all resulting in wasted taxpayer investment. With more than $1 trillion of discretionary investment hanging in the balance, leaders have expressed frustration with the lack of progress. According to Chairman of the Joint Chiefs of Staff, Gen. Joe Dunford, “We want to be good stewards of the taxpayer dollar, and in order to do that, you’ve got to lay out a plan.”

When building an organization’s cybersecurity investment strategy, agencies should utilize a straightforward economics-based framework that considers a broad group of information security breach functions.

I suggest using the following 3 A’s to find the right level of investment:

Analyze potential losses.  The first step is to consider what an agency stands to lose if cybercriminals breach its defenses, estimating the value of information from low to high. Public-sector organizations are responsible for maintaining vast datasets containing highly sensitive and personally identifiable information.  These organizations stand to incur significant costs in case of a breach from directly compensating individuals for their stolen information to restoring public trust. Earlier this year, DHS notified more than 246,000 current and former employees of a personal data breach; but the breach occurred in 2014 and the investigation took eight months to complete, significantly eroding public trust. Only two years earlier, a similar cybersecurity breach at OPM affected as many as 4 million people. Experts estimate the OPM breach may cost taxpayers as much as $1 billion over the next decade.

Assess the probability of occurrence.  Currently there are multiple investigations tying former NSA employees and contractors to breaches that have occurred at the agency. The NSA is facing a series of external threats from rogue groups that have stolen cyberweapons created by the NSA itself, and are now being used in a worldwide crime spree. In an era of digital transformation, no organization is immune. However, not all organizations are facing the same threat level. Therefore, each organization must assess its own vulnerability or threat to attack by estimating the likelihood that information will be compromised. What is the organization’s current cybersecurity posture relative to its electronic records? What is the greater concern? External forces? Or internal ones?

Allocate resources appropriately.  Finally, conduct a cost-benefit analysis to identify how much certain cybersecurity investments will cost and how much the organization stands to gain from their implementation. By developing a grid with all possible combinations of the first two steps, agencies can focus investment where cybersecurity activities deliver the largest net benefits. When the expected benefits exceed the expected costs, it supports the decision to make additional cybersecurity investments. However, it is important to note that not all organizations are created equal. Each agency will need to create a plan to meet the needs of its organization and ensure the highest level of defense while also providing increased value to the taxpayer.

Federal decision makers recognize the need for robust investment to empower agency cybersecurity teams and transform their security posture. As recent breaches into both government and corporate data sets show us, the consequences of failing to protect digital assets are severe. Using these three practical steps, every agency can make smart choices about the future of their cyber programs.


Jeffrey M. Voth is the president of Herren Associates, an engineering and management consulting firm, based in Washington, DC, focused on maximizing the value of every taxpayer dollar. He was a 2012 Senior Executive Fellow at the John F. Kennedy School of Government at Harvard University.


Edited by Deepra Yusuf

Photo credit: USAF Franklin R. Ramos