Prioritizing Security Spending: A Quantitative Analysis of Risk Distributions for Different Business Profiles

This paper aims to understand if, and to what extent, business details about an organization can help provide guidelines for better resource allocation across different preventive measures, in order to effectively protect, detect, and recover from, different forms of security incidents. Existing work on analyzing the distribution of risk across different incident categories, most notably Verizon’s latest Data Breach Investigations Report, provide recommendations based solely on business sector information. In this paper, we leverage a broader set of publicly available business details to provide a more fine-grained analysis. Specifically, we use incident reports collected in the VERIS Community Database (VCDB), as well as data from Alexa Web Information Service (AWIS), to train and test a sequence of classifiers/predictors. We show that compared to using business sector information alone, our method can achieve the same accuracy by allowing organizations to focus on a sparser set of incident types, thus achieving the same level of protection by spending less resources on security through more judicious prioritization.