Continued investment, and continued data losses: Do we know what cybersecurity policies return on investment?

As appeared in Via Sarfatti 25, the Bocconi University magazine

Cybersecurity: The new goal rush

Governments in Italy, Europe, and the United States have invested millions of Euros in cybersecurity. There are new “chief cyber officers” in many governments, new agencies focused on cyber, and reams of new cyber-related regulation. Many major companies in the United States and Europe are now required, under different regulations, to report a data breach or hack to their regulations quickly. In turn, both private- and public sectors are on a cyber hiring spree.

The reasons for this huge investment seem obvious. We are all inundated with notifications about lost data, and many governments themselves have been cyber-attack victims. The never ceasing drumbeat of losses and outages seem like an obvious reason to continue major investments in cybersecurity.

What are governments actually investing in?

But when governments invest in cyber security, what are they actually investing in? Some of the investment is into developing a country’s “cyber intelligence” capabilities, or their ability to anticipate possible attacks and attackers, and share information about them. But just as much effort also goes into setting up networks, computers, and devices to be resistant to attack. Governments have invested billions in people and processes to make sure their computers do not run without antivirus, and mobile phones get their software updated. They are also building regulations to make sure that other, essential companies do the same. This huge cyber investment is just as much about the basic “machinery of government”–people and processes–as it is fancy software.  

But despite these years of investment, attacks and losses continue to mount. Ransomware for hire – or services that allow an attacker to remotely encrypt someone else’s computer, and demand payment to undo it – is more popular than ever before. Although Russia’s war in Ukraine did not include any massive network meltdowns, it did include a variety of cyberattacks, demonstrating the continued vulnerability of Ukrainian and Western systems.

With this contradiction–huge investment in protection, but continued losses–how will we know our cyber investments are worth it? What’s the “return on investment”? Although the answer seems obvious – the more we invest, the safer we are – the current cyber contradiction seems to challenge that. 

We don’t measure the impact of cybersecurity investments and we should.

For the last several years, I have been asking technology leaders in government and private sector how they measure the impact of their work. Often, they demurely smile or look at the table. A few offer simple answers: the number of people they serve, the number of vulnerabilities they identify, or the number of attacks to which they respond. But none have articulated a way to measure how safe their work will make us, and how that compares to the cost.

A few scholars are trying to answer these questions. One approach is to calculate, using economic models, the possible costs to country’s economies of various signs of cyber-attacks. If a government’s investment in cybersecurity hold off such attacks, the averted cost is a measure of the investment’s value. Another approach is to articulate all of the possible harms that can befall an organization under attack, and count the number that you avert. These approaches, although not widely applied, are a start to measuring some form of value.

Some even argue that it’s not possible to really establish the ROI of cybersecurity investment. Can you really put a price on a sense of security? Do we ask the same of our investments in military? There are certainly real challenges in measuring all the kinds of value that a cybersecurity effort can bring.

But it’s worth the effort to try to establish the real impact of government cybersecurity investments. Every investment involves a trade-off, another priority not as well funded. And often, cybersecurity activities trade-off security with privacy, or ease of access to information. Governments, civil society and citizens themselves should keep asking: how do we know this cybersecurity requirement, process, action is worth the effort?