A new report released March 1 from the Center for Strategic and International Studies (CSIS) and Intel Security [INTC] finds that attackers have the advantage in cybercrime while defenders are bound by bureaucracy, a gap the report traces to a set of misaligned incentives.
The report, Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity, is based on interviews and an international survey of 800 cybersecurity professionals from five industry sectors: finance, healthcare, public education, IT and telecoms, and the public sector/government. Respondents worked at companies ranging from 500 to over 5,000 employees in the U.S., United Kingdom, France, Germany, Brazil, Japan, Singapore, Australia, and Mexico.
The survey focused on respondents with executive-level responsibility for cybersecurity and on operators with technical and implementation responsibilities for cybersecurity.
CSIS and Intel highlight three main areas of misaligned incentives that help cybercriminals: fluid attackers versus bureaucratic defenders; organizational strategy versus real-world implementation; and executives versus implementers, who measure success differently.
The report notes cybercriminals have the advantage largely due to incentives for crime that create a big business in a fluid and dynamic marketplace whereas defenders have to operate in clumsier bureaucratic hierarchies that react more slowly.
“Attackers work in environments where there aren’t a lot of rules. There isn’t structure. There isn’t bureaucracy. They don’t need to ask permission or get approval to do anything,” Candace Worley, vice president of Enterprise Solutions for Intel Security, said at a CSIS event where the report was released.
“Now, juxtapose that to the typical large organization where to implement a policy change not only does it have to go through a change control process, if it’s a material change it’s going to have to go to an executive level for approval. What that does is it slows down the process of making decisions,” she added.
The report says further misalignments occur within defender organizations. Over 90 percent of organizations report having a cyber security strategy, but fewer than half have fully implemented it. Amid this discrepancy, 83 percent of respondents said their organizations have been affected by cyber security breaches.
Non-executive respondents were more than three times more likely than executives to view shortfalls in funding and staffing as the main cause of problems implementing cyber security strategy.
Moreover, while cybercriminals have direct reward incentives, defending professionals have fewer incentives. Executives were also more confident than operational staff about the effectiveness of existing incentives. The report says 42 percent of cyber security implementers reported that no incentives exist, but only 18 percent of decision-makers and 8 percent of leaders felt the same way. Despite the incentive issues for defenders, 65 percent of respondents said they are personally motivated to strengthen their organizations’ cyber security.
Worley explained in a statement that whereas the criminal market is primed for success by its structure, rewarding innovation and promoting the best tools, “for IT and cyber professionals in government and business to compete with attackers, they need to be as nimble and agile as the criminals they seek to apprehend, and provide incentives that IT staff value.”
The report says the incentives for speed and focus do not exist in the same way for defenders. However, incentives can be changed. “Companies have successfully experimented with their business models and structure to become more dynamic and innovative in order to remain competitive. The same sort of experimentation is necessary if cybersecurity is to keep up with the attackers,” it says.
Denise Zheng, director and senior fellow of the technology policy program at CSIS, added that while it is easy to develop a strategy, execution is hard. “How governments and companies address their misaligned incentives will dictate the effectiveness of their cyber security programs. It’s not a matter of ‘what’ needs to be done, but rather determining ‘why’ it’s not getting done, and ‘how’ to do it better.”
However, the report raised ways defender communities can learn from attackers. These include choosing security-as-a-service to counter the criminal market’s cybercrime-as-a-service model; using public disclosure; increasing transparency; lowering barriers to entry for the cyber talent pool; and aligning performance incentives from senior leaders down to operators.
The good news, according to the report’s authors, is that most companies recognize the seriousness of the cybersecurity problem and are willing to address it.
“We focus on governance, the processes, rules, and structure companies use to manage, make decisions on resources and technology, and compete—because these processes will usually be slower and less nimble than the market forces that drive attackers. This is in some ways inevitable, but it can be minimized through organizational innovation. Each company will need to identify innovation that best fits its business model and structure,” the report says.
The report also finds that 95 percent of organizations experienced the effects of cyber security breaches. These include disruption of operations, loss of intellectual property (IP), and harm to reputation and company brand. Conversely, only 32 percent of respondents reported experiencing revenue or profit losses due to cyber attacks, which may lead to a false sense of security, the report says.
The government sector was also the least likely sector to report having a fully-implemented cyber security strategy, at 38 percent. Likewise, it had a higher share of agencies with both inadequate funding (58 percent) and staff (63 percent) than the private sector (33 percent and 43 percent, respectively), according to the report.