Featuring insights from a webinar with Jitin Shabadu, Security Analyst at Forrester Research
Organisations are increasingly leveraging threat intelligence to counter rising threats – subscribing to up to 26 commercial feeds on average, per Forrester’s Security Survey 2024. Yet, pinpointing the right metrics to demonstrate the value of this intelligence remains a significant challenge.
Forrester cybersecurity analyst Jitin Shabadu featured as a guest speaker in a recent Silobreaker webinar, sharing his insights on the topic and drawing on Forrester’s recent report, How To Measure The Effectiveness And Value Of Threat Intelligence.
But before diving into those insights, this blog first lays the groundwork by defining key risk concepts, introducing the concept of risk velocity, and explaining how cyber threat intelligence can positively affect it – ultimately strengthening the case for investment in risk mitigation.
Defining risk and its measurement
What is risk?
Risk, in a broad sense, is anything that can negatively impact an organisation. This can range from the risk of a meteor hitting a company’s head office to a short-notice hurricane delaying just-in-time manufacturing deliveries. But in the context of cybersecurity, risks involve threat actors who have the motive, means and opportunity to realise these risks against an organisation. This more detailed definition is useful in the wider context of cyber defence because it gives defenders more opportunities to mitigate the risks.
How to measure risk
Risk is measured by its impact and likelihood. ‘Impact’ is the total financial cost when the risk is realised, while ‘likelihood’ is the annual chance of the risk being realised. While the costs of your organisation’s IT, interruption to sales, or falling afoul of various regulations are quantifiable, precise values are harder to obtain. However, there is usually more than enough data to produce order-of-magnitude estimates, which allow organisations to realistically compare risks so they can resource and prioritise them adequately.
Calculating annualised risk value
At the board level, senior leadership cares most about annualised risk value. Annualised risk value is calculated by multiplying the likelihood of a risk by its impact.
Risk appetite refers to the level of risk an organisation is willing to accept. It varies for each risk and depends on the stakeholders involved. Calculating risk appetite involves determining a percentage of the annualised risk value that the organisation is willing to spend on mitigation.
For instance, if an organisation has a $10 million annualised risk related to data destruction and believes a backup solution can reduce this risk to zero, the baseline budget for this mitigation should be $1 million per annum given a 10% risk appetite. These numbers are just an illustration – budgets vary massively from company to company. The key point is to calculate and identify all of these variables for your organisation specifically and work from there.
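The following is an added example, not code from the post or from Silobreaker. It applies the formulas above in a small Python risk register: annualised risk value is likelihood multiplied by impact, risks are ranked by that value so order-of-magnitude estimates can be compared, and a baseline mitigation budget is derived as the risk-appetite share of the annualised risk a control removes. It generalises the reduce-to-zero case in the text to controls that only lower likelihood. The risk names, figures and the `Risk` and `Mitigation` helpers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One entry in the risk register (hypothetical helper, not from the post)."""
    name: str
    impact: float      # total financial cost if realised; an order-of-magnitude estimate
    likelihood: float  # annual probability of realisation, 0.0 to 1.0

    def annualised_value(self) -> float:
        # Annualised risk value = likelihood x impact (the board-level number)
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Mitigation:
    """A control proposed for a named risk (hypothetical helper)."""
    name: str
    risk_name: str
    residual_likelihood: float  # annual probability that remains once the control is in place
    risk_appetite: float        # share of the removed annualised risk the organisation will spend


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Highest annualised risk value first, so resourcing follows the biggest exposure."""
    return sorted(risks, key=lambda r: r.annualised_value(), reverse=True)


def baseline_budget(risk: Risk, mitigation: Mitigation) -> float:
    """Baseline annual spend = risk appetite x (annualised risk removed by the control).

    With residual_likelihood = 0 this is exactly the text's case:
    10% appetite on a $10M annualised risk gives a $1M baseline.
    """
    if mitigation.risk_name != risk.name:
        raise ValueError("mitigation does not target this risk")
    if not 0.0 <= mitigation.risk_appetite <= 1.0:
        raise ValueError("risk appetite must be a fraction between 0 and 1")
    if not 0.0 <= mitigation.residual_likelihood <= risk.likelihood:
        raise ValueError("residual likelihood must not exceed the current likelihood")
    residual = Risk(risk.name, risk.impact, mitigation.residual_likelihood)
    removed = risk.annualised_value() - residual.annualised_value()
    return mitigation.risk_appetite * removed


def mitigation_plan(risks: list[Risk], mitigations: list[Mitigation]) -> dict[str, float]:
    """Map each mitigation name to its baseline budget, in register priority order."""
    by_name = {r.name: r for r in rank_risks(risks)}
    plan: dict[str, float] = {}
    for risk in by_name.values():
        for m in mitigations:
            if m.risk_name == risk.name:
                plan[m.name] = baseline_budget(risk, m)
    return plan


# Constructed sample register (figures are illustrative, not real estimates).
REGISTER = [
    Risk("Data destruction by ransomware", impact=100_000_000, likelihood=0.10),  # ARV $10M
    Risk("Meteor strike on head office", impact=500_000_000, likelihood=1e-7),   # ARV $50
    Risk("Hurricane delays JIT deliveries", impact=2_000_000, likelihood=0.25),  # ARV $500k
]

MITIGATIONS = [
    # Backups taken as removing the risk entirely, as in the text: 10% of $10M = $1M
    Mitigation("Immutable offline backups", "Data destruction by ransomware",
               residual_likelihood=0.0, risk_appetite=0.10),
    # A partial control: likelihood 0.25 -> 0.05 removes $400k of ARV; 20% of that = $80k
    Mitigation("Second-source supplier", "Hurricane delays JIT deliveries",
               residual_likelihood=0.05, risk_appetite=0.20),
]


if __name__ == "__main__":
    for risk in rank_risks(REGISTER):
        print(f"{risk.name:<36} ARV ${risk.annualised_value():>14,.2f}")
    for name, budget in mitigation_plan(REGISTER, MITIGATIONS).items():
        print(f"{name:<36} baseline budget ${budget:,.2f}")
```

Ranking by annualised value is what makes the meteor entry drop to the bottom despite its enormous impact, which is the point of using order-of-magnitude estimates rather than waiting for precise figures.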
Risk velocity and its impact
Risk velocity is the speed at which a risk becomes realised from the point of being identified.
Viewed as a timeline, the attack runs from the moment a threat actor has the means, motive and opportunity to attack to the point where the risk is realised. (See figure A below)

The Mean Time to Identify (MTTI) is crucial because it determines the time available to react. Depending on when the attack is first identified, the emphasis will be on likelihood minimisation or, if identification falls towards the right-hand side of the timeline, on impact minimisation.
Likelihood minimisation includes things like network defences, security operations, staff training and threat intelligence, while impact minimisation encompasses the likes of backups, cyber insurance and business continuity plans.
Importance of reducing risk velocity
Decreasing risk velocity means increasing time to react, which enables more opportunities to reduce the likelihood, impact and annualised risk value of a threat.
As an example, the Scottish Environmental Protection Agency suffered a catastrophic ransomware attack a few years ago, resulting in the loss of irreplaceable data sets relating to Scotland’s ecology over generations. From the time they detected the attack to the organisation shutting down was just a few minutes. No crisis manager could have reduced the impact of that attack after it had been detected. Conversely, the University of the Highlands and Islands suffered a similar attack around the same time, but they detected the incident very early. Making decisions based on threat intelligence enabled them to both contain and treat the attack. The University of the Highlands and Islands contained it rapidly, ultimately using backups to get back up and running with minimal operational impact within 48 hours. The skill level of the attackers in both scenarios was identical. The difference between the two was the risk velocity and the time to react.
Forrester’s insights on threat intelligence and measuring its impact
Understanding and managing risk velocity is crucial, and threat intelligence plays a pivotal role in this process. To delve deeper into the effective use of threat intelligence, Forrester cybersecurity analyst Jitin Shabadu provided valuable insights during the webinar. He emphasised that threat intelligence is essentially data that helps organisations make informed decisions and avoid unfavourable outcomes.
Jitin also highlighted findings from Forrester’s Security Survey 2024, which revealed that threat intelligence (26%) is one of the top three tactical information/IT security priorities for security leaders, second only to improving application or product security capabilities (31%). Additionally, there has been a consistent increase in budget allocation for threat intelligence, with 70% of security decision-makers reporting that they planned to increase their budget for threat intelligence technologies from 2024 to 2025.
However, Jitin acknowledged that quantifying ROI remains a significant challenge for security leaders, with fewer than half rating their ability to measure the value and effectiveness of threat intelligence as good or excellent. This difficulty arises from measurement challenges that range from too many variables clouding attribution – e.g., are improvements the result of incident response or of threat intelligence? – to uncertainty as to why an attack doesn’t happen – i.e., is it due to threat intelligence or just plain good luck?
What are the qualities of effective threat intelligence?
Jitin also discussed how to think about threat intelligence from a people, process and technology standpoint. He highlighted the areas to be mindful of when deciding how to incorporate the right threat intelligence in the context of an organisation’s unique environment. The key qualities of successful threat intelligence are completeness, accuracy, relevance and timeliness.
When asked what an organisation should consider when debating whether to develop threat intelligence in house, Jitin shared that building an in-house threat intelligence platform can be appealing but comes with significant challenges, such as indirect costs, complexity and ongoing maintenance. He noted that without the right specialised skill set internally, organisations may struggle to navigate the threat landscape effectively – likening it to steering a ship without a compass. He explained that relying on a vendor can mitigate these risks by addressing long-standing industry issues.
While in-house solutions may work for mature organisations with specialised resources, they are not feasible for everyone. He added that it’s crucial to have informed decision-makers who specialise in threat intelligence, rather than general cybersecurity experts, to make this approach successful.
How to maximise the quantifiable business value of threat intelligence
Silobreaker integrates all of your intelligence operations, centralising all of an organisation’s information to serve multiple use cases across cyber, geopolitical and physical threats in one place. Priority intelligence requirements (PIRs) are a crucial element of a requirements-driven programme that delivers intelligence with measurable value, and Silobreaker enables intelligence teams to produce and disseminate timely, actionable reports in line with PIRs specific to your business.
These capabilities, powered by Silobreaker AI, empower stakeholders to make informed decisions faster to safeguard their enterprise and achieve a measurable reduction in risk exposure. By demonstrating the tangible impact of threat intelligence, you can justify the investment and ensure your organisation continues to reap the full benefits of advanced threat intelligence.