Cyber risk management and return on deception investment

This article is fifth in a five-part series being developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks. The article provides an overview of how deception fits into information risk management strategies and how organizations can answer C-level ROI questions for justifying deception.

Cyber risk management and deception

Perhaps the most foundational objective for any enterprise cyber security team is the proper management of risk. Too often, teams get caught up in the day-to-day operational issues of cyber security – and they tend to forget that their goal is risk management of cyber-related issues. This requires balancing security protections with the cost and effort required to prevent, detect, or respond to an incident.

This view of risk management as a driver for security protections helps senior leaders place cyber security into more familiar business contexts. Managers and executives understand risk, so when they can integrate unfamiliar concerns about hacking, malware, and exploits into more familiar and well-known risk models, then they become more comfortable with the security team’s operational, funding, staffing, and investment requirements.

Deception technology, it turns out, is a protection method that is best viewed in the context of risk management. That is, when enterprise teams decide to deploy deceptive assets, the goal should be to cost-effectively reduce cyber risk to the organization. This is an important view, because it reinforces the point that the best cyber security controls are never designed to remove all risk, but rather to reduce the likelihood and/or negative consequences of a breach.

C-Level ROI considerations

The development of meaningful return-on-investment (ROI) metrics for cyber security has been an elusive goal for many years. This is true for any type of security control, simply because one cannot measure what does not happen. The good news, however, is that methods do exist for demonstrating ROI in the context of familiar metrics for security, and deception technology plays an important role in the optimization of these quantifications:

  • Vulnerability Metrics – Every security team keeps track of relevant vulnerabilities, often using penetration testing or bug bounty resources. Including deception helps identify vulnerabilities during internal or external testing, and with more advanced deception platforms, before testers find them. This can improve vulnerability metrics by surfacing issues sooner or discovering them on non-operational (decoy) assets rather than production systems.
  • Budget Metrics – The workflow automation available in advanced deception platforms helps reduce the staff, budget, and capital needed for active cyber defense. This is one of the most important metrics of all, since it demonstrates the ability to manage risk without continually increasing funding, though this capability is not present in all deception platforms.
  • Incident Response Times – Incident response cycle times can be lengthy, often because determining adversary tactics and the root cause of an issue is particularly difficult. Deception reduces the time needed to understand adversary behavior, which in turn enables better root cause analyses.
