Security Supply and Demand: An Economic Approach to Cybersecurity Risk Management

Security Supply and Demand: An Economic Approach to Cybersecurity Risk Management

Cybersecurity risk management is not a purely technical or theoretical endeavor. Information security investments now inform security supply with the aim of reducing data breaches and boosting public perception. However, the demand for greater spending doesn’t necessarily equate to improved defenses.


The disconnect between increased resource allocation and actual readiness stems from the idea that cybersecurity issues play out logically and can be resolved with the usual fixes. In practice, however, both cybersecurity outcomes and anticipated criminal behaviors may not align with rational expectations. Fortunately, there’s an unexpected source of insights about how to reduce cyber risk, manage security supply and guard digital systems: economic theory. Here are three concepts from economic theory you can apply for effective infosec.


Behavioral Economics: Assumed Strength Is Often Critical Weakness


Any cyber risk reduction strategy starts with looking inward and identifying the best practices and IT solutions you already have in place to mitigate potential attacks both actively and passively. Overconfidence can create problems here. As Channel Futures noted, this is a growing issue for IT departments dealing with an increasingly complex landscape of both internal and cloud-based security controls. In fact, recent data from Hiscox suggested that 73 percent of companies aren’t prepared to handle cyberattacks, despite the vast array of infosec tools now available.


The theory of behavioral economics offers an explanation: Despite best intentions, both i ..