ANASTASIA PYRINIS – OCTOBER 24, 2017
Cybersecurity is an issue of increasing importance and magnitude in the United States and across the globe. With nearly 90% of U.S. companies reporting that their security systems have been breached and 30,000 websites being hacked a day, it is clear that adequate cybersecurity is necessary. In particular, according to David DeWalt, CEO of FireEye, a company that monitors cybersecurity breaches, hackers focus on “high value” and primarily private sector targets. But while the threat hackers pose to critical private and public systems has amplified, the private sector has failed to respond adequately. This failure has manifested as a lack of private investment in cybersecurity. However, given the rising threat hackers pose to private sector systems, either from a foreign government or a non-state actor, the question is raised: why are private actors choosing to ignore this security risk?
One major reason is that corporations and companies receive minimal marginal benefit from cybersecurity investment. On the whole, the private sector has found that proactive cybersecurity measures, though effective, entail a great deal of upfront cost, whereas the cost of a reactive strategy is incurred only in the event that a breach occurs. When deciding whether to invest in cybersecurity, the private sector places an emphasis on the probability of a breach. Thus, companies conclude that a reactive strategy rather than a proactive strategy is worth the risk, since costs are only incurred if a breach occurs. This mindset is particularly widespread among smaller companies, where smaller budgets translate to a larger proportion of the budget being spent on cybersecurity investment should they decide to preempt an attack.
According to a paper co-authored by Brent R. Rowe and Michael P. Gallaher of RTI International, a non-profit technology firm, the marginal benefit of cybersecurity investment largely depends on factors “related to organizational and performance characteristics,” which include:
- “An organization’s existing information technology (IT) characteristics;
- The compatibility of available cybersecurity technologies with the current technologies;
- The security needs of the products and services the organization provides;
- and the preferences/perceptions of its customers”.
Thus, companies that have not already established proper cybersecurity protocols, or funded the research that would strengthen their organization’s cybersecurity, are at a disadvantage. As a result, they are far less likely to implement a proactive cybersecurity strategy.
Figure 1: Framework of Private Sector Cybersecurity Investment Decisions (Rowe and Gallaher, RTI International)
So what can be done to solve this dilemma? The government has responded by claiming that public intervention is the solution. In an attempt to improve governmental cybersecurity as well as private sector cybersecurity, the United States federal government has been launching a series of initiatives aimed at developing a stronger cyber-industrial complex in the United States. Partnering with top innovators in cybersecurity, federal authorities hope to create incentives for corporations to invest in proactive cybersecurity measures.
For example, Congress is already in the process of passing Senate bill 1428, the “Small Business Cyber Training Act of 2017,” with the express purpose of providing a “cyber counseling program” that will assist small businesses in their cybersecurity concerns. Additionally, the federal government is in the process of providing resources for corporations to adopt a National Institute of Standards and Technology (NIST) cybersecurity framework, a framework that has been mandated for all federal agencies and is currently considered the ultimate standard in cybersecurity.
These efforts on the part of the federal government stand in sharp contrast to the private sector’s inaction and indicate that, at least when it comes to cybersecurity, consumer demand has not led the private sector to adopt effective cybersecurity measures. However, as this issue continues to escalate, it is only a matter of time before consumers start demanding that companies, large corporations in particular, safeguard their information and their systems. In the meantime, government intervention may lead to the development of a company culture that favors proactive cybersecurity investment.
Disclaimer: The views published in this journal are those of the individual authors or speakers and do not necessarily reflect the position or policy of The Berkeley Economic Review staff, the Undergraduate Economics Association, the UC Berkeley Economics Department and faculty, or the University of California at Berkeley in general.