Since the 1990s, following the mass introduction of personal computers, the world of information security began to evolve and eventually developed into today's cybersecurity world. Simplified, the function of these worlds is to prevent unauthorized parties from altering, deleting or stealing the data stored in computer systems. One of the basic building blocks of the cybersecurity world, if not the most important one, involves the decision-making process with regard to purchasing. The factor that determines the demand in this field will also determine the future of the field.
As in any business sector, the cybersecurity field is also subjected to the phenomenon of supply and demand. Supply is the responsibility of the manufacturers and developers of products and services who sell their goods to the business, institutional and personal sectors. At the outset, about thirty years ago, the purchasing process was determined mainly by the manufacturers. Initially, there were only the products that the manufacturers wanted to offer. Over time, consumers became wiser and started presenting demands "from the ground." Those demands reflected the failure of the market. The products sold back then failed to solve the problems that had evolved and the gap that emerged generated demand for additional products.
The Rise of the Rating Companies & Testing Laboratories
The reason for the market failure outlined above may be attributed to another factor – the attackers' capabilities. As the gap between the hackers' capabilities and the protection provided by the cybersecurity products expanded, the failure of the market worsened. This state of affairs led the consumers to seek ways to improve the efficiency of the purchasing process. The question the consumers became aware of was "What should I purchase in order to protect my organization more effectively?" A gap emerged in the market with regard to the purchasing-related decision-making process.
On the one hand, the manufacturers offered products and services. On the other hand, the consumers realized, at ground level, that their organizations were still vulnerable, despite the installation of the products they had purchased. Admittedly, some of the attacks were prevented, but the same gap between the hackers' capabilities and the organizational protection loop continued to expand, becoming known as "The asymmetry of the cybersecurity world." In an attempt to adapt the purchasing process to this asymmetry on the ground, consumers began seeking new measures that would help reduce the existing gap.
One of the measures brought into the game was the employment of 'White Hat Hackers.' These hackers worked for the consumers. The rationale was that if there are hackers on the attacking side and hackers on the defending side, the asymmetry will be minimized. Based on this rationale, service and product categories began to evolve in the cybersecurity market which offered consumers penetration/vulnerability tests, risk surveys, and tools for monitoring the organizational network in real time. The manufacturers started employing White Hat Hackers, and products based on this rationale started to appear in the market.
Another measure brought into the game consisted of rating companies and testing laboratories. The rationale behind this measure was that a third, neutral party should test the products and services on the consumers' behalf. Rating companies employ cybersecurity experts charged with rating products and services for the consumers so as to make the purchasing process more accurate and efficient. Instead of the consumer deciding for himself what to purchase, he seeks the advice of experts. The testing laboratories emerged as a competitor for the rating companies, the differentiation between the two resting on the credibility of the recommendation. These laboratories, unlike the rating companies, claim to perform thorough technical testing of the product and to determine whether or not it lives up to the manufacturer's claims.
Despite the measures developed in order to minimize the gap between the investment and the outcome of the consumers' purchasing processes, the asymmetry between cyber-attacks and cybersecurity continued to exist and even increased. Admittedly, consumers grew smarter, but the hackers on the other side of the fence grew smarter, too. Every time a cybersecurity product interfered with their activities, they found a way to bypass it. To make things even worse, technology continued to evolve, too. Cloud computing services were introduced and started challenging the traditional organizational networks. Instead of having the data stored in a known, clearly-defined location, they were uploaded to the cloud and spread throughout the world, through the networks of the cloud service providers – networks the organization was unable to control.
Along with the cloud computing services, smartphones were introduced to the market. These phones are, in fact, computers capable of performing the functions of a mobile phone, among other things, and organizational data were stored in such devices and started to spread to thousands of locations over which the organization has no control whatsoever. The cloud and the smartphone are someone else's computers, and organizations started losing control over their data.
In addition to the aforementioned factors, a third factor that entered the market consisted of encryption services. Internet data encryption protocols like HTTPS became common among web browsers. Encrypted messaging services like WhatsApp and Signal started to emerge. This trend enabled hackers to operate covertly. Moreover, the proliferation of encryption services introduced into the equation a tension between the desire to safeguard the consumer's/user's privacy and the organizations' need to protect their data.
The gap between cyber-attacks and cybersecurity grew even wider. Smartphones and encryption compounded the complexity of implementing cybersecurity, and the decision as to what to purchase became even more complex. Consequently, the culture of the cyber world started to change. Decision makers began to realize that there is no such thing as hermetic protection and the professional discourse around the purchasing processes in cybersecurity shifted from an attempt to provide protection – to risk management. Consumers began to understand that the asymmetry cannot be bridged. The admission of the failure of the cybersecurity market led to the development of the concept of managing the primary risks faced by the organization, as former President Obama once said: "Tall fences around a small yard."
The Invisible Hand Disappears
The question of what is that small yard, which is the only thing that can and should be protected, became critical with regard to purchasing processes in the cybersecurity world. The measures offered to consumers by the market, including White Hat Hackers, rating companies, and testing laboratories, were no longer suitable for the new need that had emerged. For years, those measures had been developed vis-à-vis the question of how to minimize the asymmetry between the hackers and cybersecurity – an essentially technical question. However, the question changed. Risk management attempts to resolve a different question – how to lose less money. In this case, it is an asymmetry between financial investment in cybersecurity and the potential financial losses that might be sustained as a result of a cyber-attack.
Instead of a technical question, the cyber world shifted to addressing a question of money. The question of "How to protect the organization" was replaced by the question of "How can the organization lose less money." Admittedly, the layer of technical solutions developed over the last three decades is still vital and is not expected to disappear, but in the eyes of the purchasing decision makers, the cheese has been moved. New measures were required so as to help the organization define its cybersecurity business risks.
The need that emerged in the market is being addressed by insurance companies that offer to buy a part of the risk the organization faces. When a threat cannot be protected against, the extent of the damage it is expected to inflict should be determined. Such damage may be the result of the theft of intellectual property by a competitor, the leaking of customer data, damage to goodwill/reputation, a ransom demand or alteration of information regarding the financial conduct of a company traded on the stock exchange. All of these cases involve economic damage that is very difficult to quantify. In some cases, the damage is apparently infinite. How can you evaluate damage to the goodwill/reputation of a company that is a leader in its field of activity? Insurance companies deal with such risks by using an actuarial equation based primarily on past data from relevant market segments.
The cyber world has not yet gathered sufficient past data to enable the consolidation of an actuarial model, but the demand for insurance is high. Consequently, there has been an increase in the supply of cyber insurance services that are still based on amorphous or limited policies that provide the insurance companies with a way out in the event of a catastrophe. This market is almost infinite, as every company in the world, small, medium or large, is vulnerable to cyberattacks, either directly or through the chain of supply. At the same time, the insurance companies are trying to develop ways to deal with the challenge. Some of the ways include on-going monitoring of the organizational security systems, an intervention team for cyber incidents and in some cases – a simple questionnaire, depending on the indemnity amount and the organization.
Along with insurance, another factor that dictates the cybersecurity boundaries to the organization is the government – through regulation. Governments, charged with the task of safeguarding everyday life in the state, have traditionally protected and maintained such critical infrastructures as electrical power, water, food, finance, military, law enforcement and so forth – the primary elements that are essential to maintaining everyday life in a state. However, even governments have come to the realization that in the cyber world, everyone is connected to everyone else. The chain of supply links the entire economy together. Civilians, the business sector, and the critical infrastructures are all linked together in a single automated fabric.
This insight has led states to start intervening in the realm of cybersecurity. The invisible hand, once the hallmark of this world, that independent equation of supply and demand, could no longer exist in a situation where the security concept had failed and led to the adoption of the risk management concept. For this purpose, governments started establishing state cybersecurity centers that came to be known as CERTs (Computer Emergency Response Teams), managed under a government ministry or agency. Through this element, the government conducts two primary processes – monitoring of the sovereign cyberspace and prescribing a risk management importance hierarchy for the business sector.
For business and government organizations, this has meant a significant change in the cyber purchasing process. The selection of which products and services to go for will be determined, to a considerable extent, by the two elements of the new equation – the governments and the insurance companies. From a purely economic point of view, an organization will only invest money in addressing risks that have the potential of inflicting economic/financial losses, as determined by the government or the insurance company. From a legal and statutory point of view, an organization will invest money where regulation compels it to do so – whether the regulation is mandatory or constitutes a mere recommendation. Among others, such regulatory systems include NIST in the USA, GDPR in Europe and the Cybersecurity Doctrine of the Government of Israel.
The Cost of a Cyberattack
Coming of age, normalization or any other title attached to a market of products and services that shift from the margins to the very center of the Gauss curve will describe the change that the decision-making process regarding cybersecurity purchasing by business organizations has undergone. This process may be likened to a pinball table where the ball – the annual cybersecurity budget of the organization – travels between the regulation flipper and the insurance flipper. The decisions of the product and service manufacturers will converge to provide a solution to these demands from the consumers, and the solutions outside of the definitions of the regulation or the insurance policy will evolve into niches – provided they had survived to begin with.
This is, without a doubt, a tectonic shift in the cybersecurity world, at the end of which the demand curve will be determined by government regulation and an insurance policy. Since both demands are intended to prevent, to the maximum extent possible, financial damage to the economy, the proponents of the deterrence discourse will be able to say that this is, in fact, the implementation of the 'deterrence by denial' doctrine, namely – stringent, binding requirements enforced on the entire economy, with the intention of increasing the cost of cyber-attacks. This will in no way eliminate cyber-attacks altogether, but staging a successful attack will cost the attacking side much more.