I was already thinking about creating an ROI calculator to help IT security pros better understand the economic impact of bad bots on websites and APIs when I met with Derek Brink at RSA. He is a VP and research fellow at Aberdeen Research, so he spends a lot of time thinking about what IT pros need. After we’d chatted a while, I realized I’d been coming at the return-on-investment question the wrong way—and I wasn’t alone.
It seems none of us—infosec pros, vendors, and business decision-makers—are speaking the same language. Whether buyer or seller, those of us on the infosec side tend to get in the weeds very quickly, talking about threats, vulnerabilities, exploits, and technologies. But the biggest concern for a business is a single four-letter word—risk.
For the business, what constitutes a security risk?
When we consider security risks, we should be thinking about:
- The likelihood of successful exploits, and
- The corresponding business impact if those exploits do occur
If you, as a security professional, and I, a solution provider, can’t say something like, “We estimate a 20% likelihood that malicious bots will result in over $1M in associated annual costs to the business,” we’ll have a hard time convincing the C-suite to invest in a solution. This is because the 20% and the $1M represent the language businesses use in risk-based decision-making every day—whether it’s developing products, launching marketing campaigns, or a hundred other things.
Gaining insight into the realities of risk
Once we were speaking the same language, Derek stressed the need to restructure our bad bot risk calculator around this new definition of risk. The key is Monte Carlo modeling, in which we still use our traditional calculations, but run them against thousands of randomized scenarios rather than just a few specific ones. This lets us reflect the inherent uncertainties in cybersecurity issues, giving us a range and distribution from which we can then derive probabilities and business impacts—in other words, risk.
In our Monte Carlo model, we estimate a lower bound, an upper bound, and a distribution (shape) for each risk factor.
Then we run the numbers. Calculating them this way provides valuable insight into the real-world risk of bad bots, because the output shows both the likelihood of loss and the resulting business impact rather than a single point estimate.
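To make the approach concrete, here is an added Monte Carlo example in Python; it is not Distil’s calculator or Aberdeen’s model. Each risk factor is sampled from a triangular distribution defined by an assumed lower bound, upper bound and most-likely value (the “shape”), thousands of scenarios are run, and the output is the probability that annual bad-bot cost exceeds $1M plus the percentile range. Every factor name and bound below is a constructed placeholder.

```python
import random

# Constructed risk factors as (low, high, mode) for a triangular distribution.
# These are illustrative placeholders, not real figures from any vendor or study.
FACTORS = {
    "bot_share_of_traffic": (0.05, 0.40, 0.20),        # fraction of requests that are bad bots
    "annual_requests_millions": (50, 500, 150),        # site traffic volume
    "cost_per_million_bot_requests": (500, 5000, 1500),  # infra + ops cost, USD
    "breach_probability": (0.01, 0.15, 0.05),          # chance bots lead to a data exposure
    "records_exposed": (10_000, 1_000_000, 100_000),   # website data records at risk
    "cost_per_record": (50, 250, 150),                 # USD per exposed record
}

def sample(factor, rng):
    """Draw one value for a factor between its bounds, peaked at the mode."""
    low, high, mode = FACTORS[factor]
    return rng.triangular(low, high, mode)

def one_scenario(rng):
    """Annual cost for a single randomized scenario (USD)."""
    traffic_cost = (sample("bot_share_of_traffic", rng)
                    * sample("annual_requests_millions", rng)
                    * sample("cost_per_million_bot_requests", rng))
    # Breach cost is incurred only in the fraction of scenarios where a breach occurs.
    breach_cost = 0.0
    if rng.random() < sample("breach_probability", rng):
        breach_cost = sample("records_exposed", rng) * sample("cost_per_record", rng)
    return traffic_cost + breach_cost

def simulate(n_runs=10_000, seed=42):
    """Run n_runs scenarios; a fixed seed makes the result reproducible."""
    rng = random.Random(seed)
    return [one_scenario(rng) for _ in range(n_runs)]

def probability_exceeds(losses, threshold):
    """Share of scenarios whose annual cost is above the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def percentile(losses, p):
    """Nearest-rank percentile of the loss distribution."""
    ordered = sorted(losses)
    k = int(round(p / 100 * (len(ordered) - 1)))
    return ordered[k]

def summarize(losses):
    return {"runs": len(losses), "median": percentile(losses, 50),
            "p90": percentile(losses, 90), "p_over_1M": probability_exceeds(losses, 1_000_000)}

if __name__ == "__main__":
    s = summarize(simulate())
    print(f"{s['runs']} scenarios: median ${s['median']:,.0f}, 90th pct ${s['p90']:,.0f}, "
          f"P(annual cost > $1M) = {s['p_over_1M']:.1%}")
```

Replacing the placeholder bounds with your own traffic, revenue and record counts yields the "X% likelihood of more than $Y" statement the post argues the business needs.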
How Distil can help you quantify bad bot risk within your organization
Because this Monte Carlo approach allows for personalized risk analysis based on industry, website traffic, site contribution to company revenue, and number of website data records, we can equip you with the hard data you need to present your CxOs with an accurate annual financial risk of malicious bots.
You can use the same methodology to show how an incremental investment in Distil’s bot detection and mitigation solution quantifiably reduces that risk. We can show how your organization’s ROI in Distil compares with alternative solutions, like web application firewalls, or even manual blocking technologies developed in-house.
Want to quantify the risk of bad bots on your business?
Try it yourself.
About the Author: Elias Terman