Economics of Cybersecurity Deep Dive

By Pratima Harigunani

They were supposed to be Red Flags. But security loopholes are turning out to be red carpets that enterprises leave for the bad guys to waltz in on. And these carpets bleed red – on business bottom-lines as well as embarrassed faces. What are we missing here?

A sleuth who has already cracked the mathematical formula of cyber-security investments would be the best person to ask about some current brain twisters that keep CISOs, and CIOs, awake and anxious. The very mind who co-conceived the well-known, and the-very-handy, Gordon-Loeb Model, Dr. Lawrence A. Gordon, the EY Alumni Professor of Managerial Accounting and Information Assurance at the University of Maryland’s Robert H. Smith School of Business, has been working deeply on the complex, but fascinating, crossroads of cyber-security and economics. His refreshing, and bold, research-work straddles areas like economic aspects of cybersecurity, corporate performance measures, cost management systems, and capital investments. The author (or coauthor) of several books like Managerial Accounting: Concepts and Empirical Evidence, Managing Cybersecurity Resources: A Cost-Benefit Analysis, and Capital Budgeting: A Decision Support System Approach’— he is truly a pioneer in the mystery-land of cybersecurity economics. As someone who says out loud that ‘a CISO has the toughest job today,’ he is the right person to talk about the ROI angle of security, the herding effect, and the question of should-you-or-should you-not pay for ransomware? So, let’s look into the test tubes while we hear some violins, shall we?

Is cyber insurance and security an economic problem or a technological problem?

Gordon: It is an interdisciplinary issue. It is like a Venn diagram and many subjects like economics, computer science, finance, psychology, engineering, public policy, etc., intersect each other. The bull’s eye of this diagram is computer science. But everything in, and around, this core is affected by economics, psychology, etc. I have been an academician and working in economics and accounting domains for 20-25 years. But when we created the cybersecurity investment model, we discovered the beauty of these intersections too. Cybersecurity investments are, inherently, driven by economics. You cannot put all your money in cybersecurity. You do not want to spend more than the benefits. For a company, security is not the business it is in. It is something else. So, what is the right amount? That decision entails a lot of factors. 

What about the Ceteris paribus aspect here – do some factors, and different contexts, affect the outcomes of the model?

Gordon: Yes, there should be no unreasonable assumptions. First, never assume anything like 100 percent security. Second, remember the marginal returns aspect of returns of investment. So based on how you look at fixed costs and how your returns diminish – things would change.  

Yours is a well-avowed model and it simplifies cybersecurity investments in a refreshing way. What was the most heartening moment when you saw the model really making an impact?

Gordon: We never expected the model to stir so much interest. We never imagined it until it exploded the way it did. I get a number of emails every day – including those from people with a hard-core computer science background – and a lot of them moved from ‘skepticism’ to ‘how’ and ‘wow.’ To my knowledge, it is the best-known model for a company trying to decide how much to invest in cybersecurity. It feels good to see that it is adding some value and direction to the approach organizations take towards security. I recall how the U.S. Better Business Bureau recommended the Gordon-Loeb Model as a guide to help small businesses make cybersecurity investment decisions. I was also invited to provide Congressional testimony concerning cybersecurity economics research before the Subcommittee of the U.S. House Committee on Homeland Security. It was so fascinating. It means a lot because in the U.S., almost 95 percent of companies are from small businesses, and they contribute in a substantial way to the GDP. They wanted to encourage companies to take cybersecurity seriously. It is like fire insurance. In order to get one, you have to do a lot of homework and analysis which, in a way, strengthens your posture.

What can be a good Pigouvian tax to incentivize cybersecurity and discourage carelessness/reactive approaches here?

Gordon: The tax makes sense due to social costs. It means there is an externality. Like second-hand smoking’s impact on society or the hospital costs that fall upon the society due to a smoker – hence, the tax that disincentivizes smoking. In case of cybersecurity a lot of externalities are hard to figure out. A lot of companies only think of private costs but not about externalities. In case of a breach, there is downtime, but also time taken to correct the disruption which affects other businesses and users – and then there are lawsuits, loss of customers and loss of business that other businesses in the ecosystem or chain suffer due to the breach that hit the main company. These are externalities. These are social costs.

A 2020 Sophos Ransomware report showed that 32 percent of companies paid ransomware but only 8 percent got all their data back. What should we be reading into here?

Gordon: From a company’s point of view, it is a cost-benefit decision. In most cases, it would pay to pay – if we look at it from a private cost angle. But when we think of externalities, the scenario changes. Now you have to think—if I pay, the bad actor has an incentive to go after people again. In my view, if we go by this finding, then this decision to pay is not great even from a private cost angle.

Can something like herd immunity work with cybersecurity?

Gordon: Sure, it helps supply chain and partners. Some degree of herding can have benefits because of externalities. The stronger the system of an enterprise from a security angle, the greater is its herding effect. But another aspect of herding is that if a competitor does it, then you have to do it too. Like – how the Target fiasco reset the card-chip imperatives for all other companies.

Can the beautifully-but-stubbornly complex world of cyber economics gain from a better assessment of variables and correlations? Anything we can see in the natural experiments suggested by Nobel Prize Economics 2021 winners David Card and Joshua Angrist for determining how causal relationships work?

Gordon: Yes, for instance, we can take healthcare and economy data and study it before HIPAA, and after HIPAA, to isolate the effects of HIPAA. Similarly, we can study the number and severity of breaches due to a given factor. Or study the effect of GDPR in a comparative way for North America and Europe. Such ideas can be good examples of natural experiments. If you were to advise something (without mincing any words) to a CISO/CXO today, what would you say? Any recurring challenge that your former students confront in the business trenches now? I would say—You have got one of the toughest jobs possible. There is nothing like 100 percent security. No matter what you do, the possibility of a breach is always there. Do not make your decisions based on models or consultants or decisions taken by other businesses. Use sound business practice which is distilled from actual experience in the field. Apply your judgement.  

What is your next ambition?

Gordon: I want to create more and more impact across the world. This model is a mathematical framework based on the probability of having a breach, the value of information that the enterprise has, and the chances of productivity of additional investments if a company invests extra money in security. The model, however, is not a substitute for -- but a complement to -- sound business judgement. I cannot tell any businessperson how much to invest. I cannot calculate the probability of the breach. I cannot decide for the company about questions like, what is the value of the information it has? I understand the concepts and if a company knows these three areas, they can arrive at a good investment reference-point. But sound business acumen has to be used.

Posted with permission from DATAQUEST