Skip to main content

Economic model - Cost of vulnerabilities

Document Purpose

To identify the local and distributed costs of vulnerabilities.

To use these costs to develop the argument for various security interventions

Introduction

In order to frame the impetus for change we need to be able to frame the cost of vulnerabilities across the ecosystem

NIST estimates US economy loses about $60 billion USD every year for patches development and redistribution, systems redeployment, as well as direct productivity loss due to vulnerabilities

https://www.nist.gov/system/files/documents/director/planning/report02-3.pdf

Consortium for Information & Software Quality estimates that the cost of poor quality software is $2.41 trillion in 2022

https://www.it-cisq.org/copq-2022-report-form/

NIST has produced a report on The Economic Impacts of Inadequate Infrastructure for Software Testing, which breaks down estimates costs by sector.

https://www.nist.gov/system/files/documents/director/planning/report02-3.pdf

Other documents to review:

-https://eudl.eu/pdf/10.4108/eai.13-7-2018.164551

These are broad brush analyses.

Taking a more narrow view, taking the perspective of single device OEM or software vendor, there are a few broad classes of cost, they need to factor into their business model

(Un)insured risk

Let's start by assuming no vendor ships a product with a known vulnerability; naive I know, but let's start with that assumption. The product company is potentially financially liable, if the vulnerability is directly (their own code) or indirectly (lack of due diligence) responsible for downstream customer loses .

This liability may already be factored into their product liability insurance. Where the insurance company is able to differentiate vendor competence, the implied risk is factored into the insurance premium.

Where there is no product liability insurance, or it is not applicable, the risk can be costed as future expected liabilities (number of incidents x cost per incident)

Reputational Damage

TODO

Vulnerability management

At a day to day operational level vulnerability management has ongoing costs. Any physical device or software vendor (assuming no vulnerability at point of sales) has an ongoing obligation to monitor and react to disclosed vulnerabilities. (Increasingly this is a legislative requirement, over and above any contractual obligation the supplier has to their customer). Hence any new vulnerability disclosed triggers to following events, each of which has an attached cost.

Identify every exposed device/system

The first challenge is to identify each specific impacted system. This can be logistically complex for organisations with large inventory. SBOM can help with this stage, but its still a non trivial problem.

Short term containment

In many cases a short term or interim containment plan needs to be planned and executed.

(optional) notify customers

Optionally, customers need to be notified. This not only has operational management costs, but has the potential to trigger large scale, long term reputational damage to the company, if not handled properly

Patch/fix if possible

A long term fix, needs creating

Redeploy (phased if necessary)

And finally the deployment of the fix needs executing. In the case of pure software, this may be remote updates. But in the case of physical devices, in some cases this may require recall

Cost of failed deployment

And finally the deployment of the fix needs executing. In the case of pure software, this may be remote updates. But in the case of physical devices, in some cases this may require recall

The key point here is that the cost of vulnerability management is ongoing, complex and multi phase. The cost of managing these vulnerabilities will change by market. Buy any initiative which reduces the incidence or severity of vulnerability as a positive impact on reduced cost of management

Supply chain impacts

The absorbed by the primary developer of the product or service are reflected in the supply chain. Any producer, using another product as part of their supply chain needs operational process in place to handle disclosed vulnerabilities.

These costs are also reflected in the depth of due diligence and procurement process that is required to limit the liability of supply chain vulnerability issues.

National Security Risk

As discussed, vulnerabilities obviously impact national security issues. This presents as an amorphous and holistic cost/risk to the state, but can and will manifest as concrete costs to an individual's supplier. In some instances this may be increased legislative burden, as the bar is raised, in other instances the impacts more opaque, but now less real.