Another month, another data breach, and another set of proposals for what is seemingly an intensifying cyberattack problem.
When we examine the evidence, though, the actual expenses from the recent and high-profile breaches at Sony, Target and Home Depot amount to less than 1% of each company’s annual revenues. After reimbursement from insurance and minus tax deductions, the losses are even smaller.
This indicates that the financial incentives for companies to invest in greater information security are low and suggests that government intervention might be needed.
To date, though, few of the policy proposals aimed at improving information security are directed at the root cause of this problem. Rather than creating incentives for companies to invest in better information security, the Australian, UK and US government proposals focus on sharing information rather than securing it. In all cases, this sharing is to be done with intelligence agencies. Why is this, and what does it tell us about what the real cyberthreat to our information is?
We have a market failure relating to asymmetric information, which results in the problem of “moral hazard” for private companies in the area of information security. Moral hazard occurs when one person or organization takes greater risks because others bear the burden or costs of those risks.
For example, credit and debit card providers incurred the most costly part of the Home Depot breach. Credit unions claim to have spent $60 million in September 2014 alone replacing compromised cards. Each customer whose card had to be replaced also incurred a cost in terms of inconvenience.
It therefore does not make economic sense for companies like Home Depot to make large investments in information security. As a result, they do not. Insurance pay-outs and tax-deductible breach-related expenses weaken the incentives even further.
Picture: Jaberwokkee (Own work) [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons