NCAA’s March Madness and the NBA playoffs are some of the most exciting sports events to watch all year. To the casual observer, basketball hasn’t changed much over time. However, the overall strategy of the game has actually undergone major changes in the last decade. We can attribute the changes to “basketball economics.”
The figure below, courtesy of FiveThirtyEight.com, shows NBA shooting percentage (i.e., percentage of shots made) over a recent five-year span. A couple things should be noted here. First, there is an expected drop-off in shooting percentage the farther away from the basket players shoot from; however, the drop-off is not extreme. For example, for the mid-range jump shot (area in light tan), the field goal percentage is around 40-45%. For shots outside the three-point line (where shots score 50% more points), the percentage drops to 30-35%.
Let’s look at the shooting economics in the chart below:
In basketball, shots are a “scarce resource.” There are only so many shots a team gets in a game. Therefore, the objective is to maximize the number of points per shot. Shots with the greatest expected return are in the green areas – right near the basket and outside the three-point line. The purple areas return a points-per-shot rate at undr one. This chart epitomizes the thinking that Daryl Morey, the general manager of the Houston Rockets, brought to the NBA. “Moreyball,” as it is called, is characterized by taking a lot of three-point shots and taking almost no mid-range jump shots.
One of the best players in the NBA, the Rockets’ James Harden, has adopted Moreyball as well as anyone in basketball. Let’s look at his shot chart below:
Harden leads the NBA in scoring with almost 35 points per game. Note how closely his shot selection matches up to the optimal points per shot in the previous chart.
This is all interesting, but what lessons can cyber professionals learn from basketball? First, we need to start re-thinking about cyber defense in economic terms vs. “best practices.” Security spending is a scarce resource for almost all organizations.
The figure below depicts the relative prevalence of threat Tactics, Techniques & Procedures (TTPs), courtesy of the Detect Tactics, Techniques & Combat Threats (DeTT&CT) team and Fireeye’s M-Trends report. The TTPs are mapped on the MITRE ATT&CK navigator. The darkness of the red shading represents the TTP prevalence.
There are important insights to be garnered from looking at the data this way. For example, it makes the most economic sense to concentrate resources on detecting and blocking TTPs that are the darkest red, since those TTPs are used most often. However, how do you know which TTPs you are able to block and detect? The answer is to run attack simulation in your environment. Just as the Houston Rockets set their shooting strategy based on the scoring analytics, organizations need to map their defense strategy against the threat analytics.
At Bobcat Cyber, we are helping organizations develop their defensive strategy using advanced cyber analytics. Just as analytics have drastically changed professional sports, analytics will change security strategy based on real data, not so-called “best practices.” Security dollars are scarce. Organizations need to plan their spending wisely.