How Much Money is Needed to Fortify Against Cyberattacks?

Companies worldwide spend billions on cybersecurity each year. A new RAND Corporation study estimates the total could be close to $70 billion and its researchers report the amount could increase somewhere between 10 and 15 percent annually. But is this spending enough to keep our data secure?

To understand the increase in spending, Martin Libicki, a senior management scientist at the nonprofit research organization RAND, co-authored a study comprised of interviews with 18 chief information security officers.

Libicki said in a press release that companies are paying more attention to cybersecurity now than they ever did five years ago. He found:

“Companies that didn’t even have a chief information security officer five years ago have one now, and CEOs are more likely to listen to them. Core software is improving and new cybersecurity products continue to appear, which is likely to make a hacker’s job more difficult and more expensive.”

But going back to the numbers, Lillian Ablon, co-lead author of the study, reported that companies are having trouble “quantifying what they save by preventing malicious attacks. In addition, malicious hackers can be extremely sophisticated, so costly measures to improve security beget countermeasures from hackers.”

The world of cybersecurity is constantly evolving. The way Ablon describes it, the face of cybersecurity reads like a game of chess, as a “continual cycle of trying to eliminate weaknesses and out-think an attacker.” She finds a company’s best defense “is to make it expensive for the attackers in terms of money, time, resources, and research.”

However, as we saw with the Sony hack, if people are determined enough to bring down an institution and find the right back door, they can cause quite a mess to a company’s image and infrastructure. Michael Schrage, a research fellow at the Center for Digital Business at MIT Sloan School of Management, wonders how far the U.S. government’s responsibility extends into cyberspace. Just as the government will go after someone who crosses a border to commit heinous crimes, shouldn’t it also be obligated to defend its citizens who find themselves the victims of cyberattacks?

But, according to Libicki, most of the security officers interviewed didn’t want the government’s help. The RAND researchers, however, disagree with this view, believing that the government could play a valuable role in building a more complete body of knowledge all companies can use.