Adding value-effort modeling to Australia’s cybersecurity conversation
November 23, 2020
Rob Anderson

The Australian government is getting serious about cybersecurity in the face of growing attacks from sophisticated malefactors. In the energy sector the conversation has largely been around compliance frameworks, with AESCSF the most talked about. I have some concerns that, with the discussion centered on frameworks, it may be leading people to think that compliance frameworks are where a cybersecurity strategy starts and ends. I think that a robust strategy needs to go beyond a purely compliance-based approach. It is my opinion that securing a network requires more than proving compliance at a certain maturity level: digital assets hold different values to an organization, and therefore some assets require higher levels of protection and others less.

In talking to clients in Australia, I’ve been using the term ‘Value-Effort Modeling’ to describe what I think is a necessary addition to the standard use of asset value in compliance frameworks when creating cybersecurity strategies. Some of the popular frameworks recommend calculating asset value, but mostly as an input to the exposure factor, single loss expectancy and annualized loss expectancy used in quantitative analysis.

Value-effort modeling identifies at-risk digital business assets based on value and works hardest to protect the highest-value targets. I believe this approach assures a higher level of protection than relying solely on a generic compliance framework as a basis for a cybersecurity strategy.

Cybersecurity strategies that rely solely on compliance frameworks treat all assets the same. Stretched cybersecurity teams just don’t have the resources to protect everything to the same level required for those really high-value assets. That’s where an at-risk value-effort based strategy can help. Incorporating this thinking ensures that resources are deployed where they will do the most good. It’s a simple point, but one that I worry is being overlooked.
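To make the contrast concrete, here is an added example that is not part of the original post. It applies the standard quantitative formulas the post refers to (SLE = AV × EF, ALE = SLE × ARO) to a constructed portfolio of assets, ranks the assets by annualized loss expectancy, and then compares a flat "same effort for every asset" allocation with one that gives every asset a baseline compliance floor and spends the remaining effort in proportion to ALE. The asset figures, the hour budget and the floor-plus-proportional allocation rule are my own illustration of the value-effort idea, not the author's method or any framework's prescribed calculation.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    """One digital business asset with the inputs quantitative risk analysis uses."""
    name: str
    asset_value: float      # AV: business/replacement value in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0.0 to 1.0)
    aro: float              # ARO: expected number of incidents per year


def single_loss_expectancy(asset: Asset) -> float:
    """SLE = AV x EF: expected loss from one incident."""
    return asset.asset_value * asset.exposure_factor


def annualized_loss_expectancy(asset: Asset) -> float:
    """ALE = SLE x ARO: expected loss per year, the value-at-risk figure we rank on."""
    return single_loss_expectancy(asset) * asset.aro


def rank_by_ale(assets: List[Asset]) -> List[str]:
    """Asset names ordered from highest to lowest annualized loss expectancy."""
    return [a.name for a in sorted(assets, key=annualized_loss_expectancy, reverse=True)]


def flat_allocation(assets: List[Asset], total_hours: float) -> Dict[str, float]:
    """Compliance-only view: every asset gets the same share of the team's effort."""
    return {a.name: total_hours / len(assets) for a in assets}


def value_effort_allocation(assets: List[Asset], total_hours: float,
                            floor_hours: float) -> Dict[str, float]:
    """Every asset keeps a baseline (the compliance floor); the remaining effort
    follows each asset's share of the portfolio's total ALE.
    This allocation rule is an assumption made for illustration."""
    if floor_hours * len(assets) > total_hours:
        raise ValueError("the compliance floor alone exceeds the available effort")
    remaining = total_hours - floor_hours * len(assets)
    total_ale = sum(annualized_loss_expectancy(a) for a in assets)
    if total_ale == 0:
        # Nothing is at risk by this measure, so there is nothing to weight on.
        return flat_allocation(assets, total_hours)
    return {
        a.name: floor_hours + remaining * annualized_loss_expectancy(a) / total_ale
        for a in assets
    }


# Constructed sample portfolio: illustrative figures, not data from any real organisation.
SAMPLE_ASSETS = [
    Asset("SIS gateway", asset_value=5_000_000, exposure_factor=0.8, aro=0.1),
    Asset("SCADA historian", asset_value=2_000_000, exposure_factor=0.5, aro=0.2),
    Asset("Corporate file share", asset_value=300_000, exposure_factor=0.3, aro=1.0),
    Asset("Visitor Wi-Fi portal", asset_value=20_000, exposure_factor=1.0, aro=2.0),
]

# 930 hours of effort with a 50-hour floor leaves 730 hours to weight by ALE,
# which here works out to one hour per $1,000 of annual expected loss.
TOTAL_HOURS = 930
FLOOR_HOURS = 50


if __name__ == "__main__":
    flat = flat_allocation(SAMPLE_ASSETS, TOTAL_HOURS)
    weighted = value_effort_allocation(SAMPLE_ASSETS, TOTAL_HOURS, FLOOR_HOURS)
    print(f"{'asset':22} {'SLE':>12} {'ALE':>12} {'flat hrs':>9} {'value-effort hrs':>17}")
    for name in rank_by_ale(SAMPLE_ASSETS):
        asset = next(a for a in SAMPLE_ASSETS if a.name == name)
        print(f"{name:22} {single_loss_expectancy(asset):12,.0f} "
              f"{annualized_loss_expectancy(asset):12,.0f} "
              f"{flat[name]:9.1f} {weighted[name]:17.1f}")
```

Run as a script, the table shows the two safety- and operations-critical assets at the top of the ALE ranking and receiving roughly three quarters of the weighted effort, while the flat allocation would give each of them the same 232.5 hours as the visitor Wi-Fi portal. The floor keeps the compliance baseline intact; the weighting is what moves the scarce hours to where the post argues they do the most good.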

As we move closer to a time when compliance with standards will be mandated, I think it is important that we get the core philosophies that will underpin any regime right before misguided mandates get applied.

I’d be really interested in hearing from anyone who is already applying this kind of approach in the critical infrastructure space, and what their experience has been. Please send me an email or reach out via LinkedIn.