Security & Identity

How economic threat modeling helps CISOs become chief revenue protection officers

October 10, 2025
Bill Reid

Security Advisor, Office of the CISO

Sri Gourisetti

Senior Cybersecurity Advisor, Office of the CISO


Threat modeling is a crucial part of modern cybersecurity, but for too many organizations, threat modeling and threat-informed defense are purely tactical. There is much more to it: when done well and from the top, it can provide economic value. We call it economic threat modeling.

Unfortunately, many security and business leaders see cybersecurity as a controls and compliance issue. That approach is economically inefficient and a bit of a shell game — it’s not going to improve your cybersecurity hygiene in an appreciable way. Their organization’s security posture fits like a giant suit with baggy pants and oversized shoulder pads.

Economic threat modeling is bespoke tailoring, a suit that fits well and is right-sized for its purpose. At Google Cloud’s Office of the CISO, we know that CISOs are revenue protection officers. The challenge for CISOs is that they face broad compliance requirements, and so they tend to ask for a large budget to implement controls without being sure those controls match the organization’s actual workloads.

From an economic perspective, CISOs should want to make sure that service is preserved by assessing what the organization actually does, analyzing the threats to that service, and focusing on what should be done to counter those threats. That’s where economic threat modeling comes in: It's the elevation and use of threat modeling as a way of thinking about, identifying, and managing risk in a financially responsible way.

Doing this at the highest levels in the company is also a way of demonstrating the importance of a security mindset across the organization, establishing a security culture, and building support for threat modeling in product and service engineering. Rather than using a compliance-based approach, we recommend building on the threat modeling framework, where we ask four questions:

  1. What are we trying to do?
  2. What could go wrong?
  3. What can we do about it?
  4. Did we do a good job?

Start by identifying threats

Threat modeling has long been identified with application security, and even in that context it is seldom done consistently. However, because the fundamental thinking behind threat modeling is a core security skill, it can help us drive the right organizational decisions and resource allocation by helping us apply threat-informed defense.

To approach the CISO’s work from this perspective, we suggest starting with a curious mindset: We should want to deeply understand the business objectives and revenue engines of the organization, and dive into the mechanisms by which we earn economic returns as a business.

Make a diagram of that economic flow, similar to a data flow diagram for application design. Bring in our colleagues in finance, operations, sales, and support to build a common understanding of how we make money.

Next, ask what could threaten those mechanisms. How could an adversary disrupt the economic engine of the company, whether through direct attacks on the revenue-generating systems or indirect hits on suppliers and distributors?

For example, healthcare organizations should look at ways that claims revenues could be disrupted by direct attacks on clinical and operations systems, and indirectly through attacks on essential services such as blood supplies and other critical materials for patient care.

Address threat mitigation

Once threats have been identified, we can ask what we should do about them. We may need greater traditional investments in technology and security controls, such as security operations, but we may also need to diversify suppliers to eliminate sole-source dependencies.

Consider building ready, redundant systems that are closely tied to revenue streams, as well as rigorous, regular tabletop exercises and business-continuity planning. Having made the connection between the spend and the revenue protection clear, we should find our business colleagues more amenable to our budget requests.

Compliance obligations are important to meet, of course. From the point of view of the economic threat model, their importance is tied to a commercial outcome. They’re critical to the way we earn revenues, such as when a large purchaser requires a certification as part of a contract.

Did we do a good job?

Finally, we can ask if economic threat modeling helped us achieve our goals. Here we want to have the right metrics and measures that show that the control investments did, in fact, protect revenue streams and ensure continuity of the business.

This retrospective also allows us to identify controls and processes that did not yield any protective return and eliminate them, recognizing that every control we apply has a cost. The level of accountability ties security to the financial engines of the company. No longer are we simply a cost center, but an intrinsic part of the way the company earns economic returns.

Economic threat modeling: The healthcare industry

Many healthcare organizations, particularly those in under-resourced communities, struggle to find the right talent and budget for security.

CISOs and security leaders should be looking at the core revenue engines of a typical hospital and strive to understand how revenue is earned. Budget requests should be tied directly to the services and systems that are crucial to earning patient revenues.

These systems include radiology and lab equipment, patient and provider scheduling, and billing and revenue cycle management services. Do a specific analysis of the patient revenue flows and take a deep look at the threat landscape of exploits used to target devices, systems, and staff.

Security leaders should meet with the financial and clinical leaders and use the four-question framework to diagram a clear picture of the ways in which the hospital earns its money. By tracing the flows and interconnections of dependent systems and suppliers for the most common and profitable service lines, they can begin to model the threats that could interfere with these revenues.

Once economic threats have been identified — such as what would happen to surgical case earnings if a dependent system like HVAC were to be brought down for a week — we can look at which technical, administrative, and procedural controls reduce that exposure, and define how the return on investment of each control will be measured.

Controls that were expensive and offered no threat mitigation could be eliminated, and the budget used elsewhere. New service lines and acquisitions could be evaluated and brought into this modeling, and the right security controls could be applied to the design or onboarding.
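The hospital analysis above, as an added example that is not part of the original post: a small Python model of revenue lines, the systems and suppliers each line depends on, outage scenarios such as a week-long HVAC failure, and the annualized revenue at risk with and without candidate controls. Controls are ranked by return on security investment, and a control that avoids no modeled loss surfaces as a candidate for elimination. Every name and figure (daily revenues, outage durations, annual rates, control costs) is constructed for illustration and is not from the article.

```python
"""Illustrative economic threat model for a hospital's patient-revenue lines.

Added example, not code from the article. Every figure (revenues, outage
durations, annual rates, control costs) is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class RevenueLine:
    name: str
    daily_revenue: float      # revenue the service line earns per operating day
    depends_on: frozenset     # systems and suppliers the line cannot run without


@dataclass
class Scenario:
    name: str
    failed: frozenset         # dependencies an adversary (or accident) takes out
    days: int                 # outage duration without additional controls
    annual_rate: float        # expected occurrences per year (ARO)


@dataclass
class Control:
    name: str
    annual_cost: float
    # dependency -> residual outage days once this control is in place
    # (0 = fully redundant; a dependency not listed is not helped at all)
    covers: dict = field(default_factory=dict)


def line_outage_days(line, scenario, control=None):
    """Days the line is down: the longest residual outage among its failed dependencies."""
    affected = line.depends_on & scenario.failed
    if not affected:
        return 0
    residual = []
    for dep in affected:
        days = scenario.days
        if control is not None and dep in control.covers:
            days = min(days, control.covers[dep])
        residual.append(days)
    return max(residual)


def revenue_at_risk(lines, scenario, control=None):
    """Single-loss exposure for one scenario, summed across all revenue lines."""
    return sum(l.daily_revenue * line_outage_days(l, scenario, control) for l in lines)


def annualized_loss(lines, scenarios, control=None):
    """Annualized loss expectancy: sum of (single loss x annual rate) over scenarios."""
    return sum(revenue_at_risk(lines, s, control) * s.annual_rate for s in scenarios)


def rosi(loss_avoided, annual_cost):
    """Return on security investment: (loss avoided - cost) / cost."""
    return (loss_avoided - annual_cost) / annual_cost


def rank_controls(lines, scenarios, controls):
    """Rank controls by ROSI. An avoided loss of zero means the control
    mitigates no modeled threat and is a candidate for elimination."""
    baseline = annualized_loss(lines, scenarios)
    rows = []
    for c in controls:
        avoided = baseline - annualized_loss(lines, scenarios, c)
        rows.append((c.name, avoided, rosi(avoided, c.annual_cost)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# --- constructed sample model (hypothetical names and numbers) ---
LINES = [
    RevenueLine("surgery", 250_000, frozenset({"OR_HVAC", "sterile_supply", "scheduling", "billing"})),
    RevenueLine("radiology", 80_000, frozenset({"PACS", "scheduling", "billing"})),
    RevenueLine("lab", 40_000, frozenset({"lab_analyzers", "reagent_supplier", "billing"})),
]
SCENARIOS = [
    Scenario("OR HVAC failure", frozenset({"OR_HVAC"}), days=7, annual_rate=0.5),
    Scenario("ransomware on scheduling and billing", frozenset({"scheduling", "billing"}), days=10, annual_rate=0.2),
    Scenario("sole reagent supplier outage", frozenset({"reagent_supplier"}), days=14, annual_rate=0.3),
]
CONTROLS = [
    Control("redundant OR HVAC and service contract", 120_000, {"OR_HVAC": 1}),
    Control("immutable backups with rehearsed restore", 200_000, {"scheduling": 2, "billing": 2}),
    Control("qualify a second reagent supplier", 30_000, {"reagent_supplier": 3}),
    Control("legacy perimeter appliance renewal", 90_000),   # covers nothing in the model
]

if __name__ == "__main__":
    print(f"baseline annualized revenue at risk: {annualized_loss(LINES, SCENARIOS):,.0f}")
    for name, avoided, r in rank_controls(LINES, SCENARIOS, CONTROLS):
        flag = "  <- no modeled mitigation, candidate for elimination" if avoided == 0 else ""
        print(f"{name:45s} avoided {avoided:>12,.0f}  ROSI {r:6.2f}{flag}")
```

The model deliberately treats a revenue line as fully stopped for as long as any of its dependencies is unavailable, which is why the cheap second-supplier control outranks the far more expensive backup program: the ranking follows the revenue the control actually protects, not the size of its budget line. Replace the constructed figures with the hospital's own daily revenues per service line and the outage durations from tabletop exercises, and the same ranking becomes the evidence for the budget request.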

How to get started with economic threat modeling

Adopting threat modeling is a cultural transformation. As teams collaborate on threat modeling as an integrated practice across the organization, they learn to anticipate issues that may arise and can begin to avoid likely classes of attack by eliminating them from the designs.

Teams should see the organizational values expressed in the design process. To ensure consistency and continuous improvement, and to grow the program's capabilities:

  • Codify best practices and use repeatable patterns: Create reusable security artifacts and reference architectures that serve as secure blueprints for future projects. Then automate with security-as-code using tools like Terraform or Deployment Manager to create "factories" of secure components that engineers can readily use. This ensures consistent application without requiring extensive individual training for every decision.
  • Use technology: AI-driven threat modeling platforms can make the process both more efficient and consistent across the company.
  • Identify the owners and builders: Threat modeling is inherently a collaborative process that bridges traditional silos. It brings together diverse stakeholders across various business units to align on threats, exploitability, and their impact on the business. While a central security team may guide the program, the execution is distributed, with development and engineering teams being key participants.
  • Make a financial case and secure funding: The financial justification for threat modeling is built directly on its economic benefits. It significantly contributes to maximizing Return on Security Investment (ROSI) by providing the data needed to prioritize and make rational, risk-based decisions on security control investments.

Threat modeling in the evolving AI landscape

The challenges in securing modern systems underscore the enduring relevance of threat modeling. While new technologies may present old problems in new clothing, new threats tied to enormous data sets, data poisoning, and recursive pollution have also emerged.

Threat modeling frameworks that can identify distinct threats for AI systems become crucial in navigating this evolving landscape and understanding the data that systems "eat". Similarly, threat modeling in cloud environments can help organizations navigate the complexity of layered, shared responsibilities, and shift the focus from traditional perimeter-based security to more nuanced considerations, including enforcing least privilege and securing service-to-service communication.

More than a technical exercise, threat modeling is the foundational activity that transforms secure by design into an organizational practice. By focusing on the financial impact of threats, informing capital allocation, enhancing operational efficiency, and fostering a collaborative security culture, economic threat modeling can become a strategic investment in both the security and overall resilience of your organization.

To learn more about what we are doing to apply threat modeling and threat informed defense as a transformative security practice, check out our CISO Insights Hub.
