Sorry Consumers, Companies Have Little Incentive to Invest in Better Cybersecurity

Hermin/Shutterstock.com

The actual expenses from the recent and high-profile breaches at Sony, Target and Home Depot amount to less than 1% of each company’s annual revenues.

Another month, another data breach, and another set of proposals for what is seemingly an intensifying cyberattack problem.

When we examine the evidence, though, the actual expenses from the recent and high-profile breaches at Sony, Target and Home Depot amount to less than 1% of each company’s annual revenues. After reimbursement from insurance and minus tax deductions, the losses are even less.

This indicates that the financial incentives for companies to invest in greater information security are low and suggests that government intervention might be needed.

To date, though, few of the policy proposals aimed at improving information security are directed towards the root cause of this problem. Rather than creating incentives for companies to invest in better information security, the Australian, UK and US government proposals are for more information sharing than securing. In all cases, this sharing is to be done with intelligence agencies. Why is this and what does it tell us about what the real cyberthreat to our information is?

The real fallout from data breaches

The now infamous Sony breach supposedly perpetrated by North Korea at the end of 2014 drew initial loss estimates of more than $100 million. In the end, the breach did not actually cost Sony very much at all.

In its Q3 2014 financial statements, the company wrote that the breach resulted in “just $15 million in ‘investigation and remediation costs’ and that it doesn’t expect to suffer any long-term consequences.” A senior general manager later said the figure would be closer to $35 million for the fiscal year ending Mar. 31.

To give some scale to these losses, they represent from 0.9% to 2% of Sony’s total projected sales for 2014 and a fraction of the initial estimates.

How about costs like reputation damage and lost sales? Sony’s bottom line actually wasn’t hurt by the hack. Consider that around a quarter of the typical movie budget is marketing. The Interview cost $44 million to make, which implies a conservative estimate of $11 million for marketing. This amount was likely ratcheted down following the breach and the subsequent free worldwide media frenzy.

The film made a profit and has so far grossed $40 million in online sales and $6.7 million in cinemas worldwide. If anything, the free publicity for a new movie on cable news, across social networks and daily newspapers, at Christmas to boot, represents a net financial benefit to Sony. There’s no such thing as bad press, after all.

Target was also subjected to a particularly nasty data breach in late 2013 involving 40 million credit and debit card records and 70 million other records (including addresses and phone numbers).

In its latest financial statements, Target said the gross expenses from the data breach were $252 million. When we subtract insurance reimbursement, the losses fall to $162 million. If we subtract tax deductions (yes, breach-related expenses are deductible), the net losses tally $105 million.

This is the equivalent of 0.1% of 2014 sales.

Finally, Home Depot suffered a breach last year that resulted in 56 million credit and debit card numbers and 53 million email addresses being stolen.

The net expenses incurred by Home Depot ended up at $28 million following an insurance reimbursement of $15 million. This represents less than 0.01% of Home Depot’s sales for 2014.

Moral hazard rears its head

These numbers suggest that we have a market failure relating to asymmetric information, which results in the problem of “moral hazard” for private companies in the area of information security. Moral hazard occurs when one person or organization takes greater risks because others bear the burden or costs of those risks.

For an example, credit and debit card providers incurred the most costly part of the Home Depot breach. Credit unions claim to have spent $60 million in Sept. 2014 alone replacing compromised cards. Each customer whose card had to be replaced also incurred a cost in terms of inconvenience.

It therefore does not make economic sense for companies like Home Depot to make large investments in information security. As a result, they do not. The insurance pay-outs and tax deductible breach-related expenses weaken the incentives even more.

Reliable data on the amounts companies spend on information security are scarce. However, due to the nature of their business and the vital role that information security plays in it, we know that banks and financial institutions are some of the biggest investors in robust information security.

JP Morgan’s CEO, Jamie Dimon, says his firm spends $250 million each year on cybersecurity. To put that in perspective, that constitutes 0.35% of the JP Morgan’s annual expenses.

If that’s how much a firm whose very existence rests on preventing data breaches, one can only imagine how much the average firm invests in information security.

The growing slew of government proposals

In the presence of this market failure, the case for government intervention becomes strong. When we look at the proposals currently on offer though, rather than better securing information they seek to increase access to it – for certain organizations only.

The most recent of these proposals in Australia is the mandatory metadata retention scheme. This will involve retaining and sharing people’s metadata for two years (representing an additional information security risk in of itself due to the centralization of information), cost $400 million a year and be overseen by the nation’s intelligence agencies. According to prime minister Tony Abbott, if not passed, this will represent a “a form of ‘unilateral disarmament’ in the fight against crime.” (these crimes include, “cyber attacks, child exploitation, terrorism activity and other crimes.”)

To try and put this spending in perspective, figures released by the western Australian government suggest that $17 million was lost to online scammers last year. If we scale this up to the total Australian population and add the $254 million lost to online (“card-not-present”) credit and debit card fraud nationally in 2013, the total losses from these online crimes still don’t exceed the yearly cost of Abbott’s proposal! There must be some other reason to justify this spending.

One possible answer: in 2010, one of same the agencies within the Australian intelligence community that is proposed to oversee the metadata retention scheme “obtained nearly 1.8 million encryption keys from Indonesian [telecommunications company] Telkomsel,” for the purposes of “conducting surveillance of a US law firm retained by the Indonesian government for trade talks.” This last phrase suggests that the real value in greater information sharing with intelligence agencies does not come from fighting online crimes.

In the US, president Barack Obama recently announced a Cyber Threat Intelligence Integration Center. Tasked with facilitating information sharing between private and public sector entities, it will start with a budget of $35 million and will be overseen by the director of national intelligence.  Information security experts widely agree this will not significantly reduce data breaches.

Prime minister David Cameron also has proposals to combat cybercrimes ranging from banning encryption in the event the government has no backdoor to decrypt communications (again, something that would undermine the security instead of improving it) to a number of information sharing measures between the UK and US. This would include “establishing a joint cyber cell” between the UK’s Government Communications Headquarters and MI5 and their US partners, the National Security Agency and the Federal Bureau of Investigation.

These organizations already collaborate quite a bit and it is not for improving information security. The news broke two weeks ago that operatives from the NSA and GCHQ “joined forcesin April 2010 to crack mobile phone encryption” by stealing billions of encryption keys from Dutch SIM card provider Gemalto. This has some of the biggest negative repercussions on information security we’ve ever seen to everyone, globally, as Australian senator Scott Ludlum tried in vain to explain last month.

More questions than answers

Given that the losses to companies due to data breaches are so low, typically less than 1% of a company’s annual sales, and the losses so widely distributed, why are so many costly proposals being made by governments around the world to do something about the online threat?

The presence of moral hazard does suggest that there is a role for government to play in creating incentives for private companies to invest more in information security.

Why then do none of the current crop of government proposals address this problem? More costly than the problems they supposedly address, if anything, they create a disincentive for companies to make this needed investment by promising blanket protection from cyber-attacks. The Australian and UK proposals may actually degrade information security by centralizing data and undermining encryption.

This might be exactly the point, though, when we look at which agencies are to be engaged in these proposals.

Improving information security should fundamentally involve securing information, yet all the current proposals involve greater information sharing with intelligence agencies. Why are the same agencies that have been shown to be active in undermining the information security of private firms such as Indonesia’s Telkomsel or the Dutch Gemalto – and all of their customers (anyone with a cell phone – so all of us) – as a consequence of these actions, being tasked with better securing our information?

If we don’t identify and address these contradictions, we run the risk of creating something much worse than the current information security problem. The latest slew of government proposals raise more questions than answers regarding information security – and they are very concerning questions indeed.

(Image via  / Shutterstock.com)

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.