The glorified economic values around cyber security

Figure 1 (source)

Almost every source presenting financial facts about cyber security will astonish you with figures reaching hundreds of billions, giving you the impression that, if you work in the industry, you must be one of the luckiest guys in the world to work in such a profitable area. Nevertheless, caution must be used around such statistics, as with any other statistics: although they provide good hints, they usually need to be adjusted to a specific business context before being relied upon.

When measuring cyber security, different metrics are usually observed “in the wild”.

Metric 1: The cost of incidents

One of the most popular metrics is the cost of incidents/breaches. One is always shocked and intrigued when confronted with the losses one might incur due to a cyber-attack.

Cybersecurity Ventures, a great resource for security related analytics, predicts through its 2019 Official Annual Cybercrime Report that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. The report calls this “the greatest transfer of economic wealth in history” and “more profitable than the global trade of all major illegal drugs”. Wow, that’s quite something!

The claims are supposedly supported by an exponential increase in the global attack surface (4 billion internet users in 2018, 200 million IoT objects in 2020, online data volumes 50 times larger in 2020, 300 billion passwords to be protected by 2020 and 111 billion lines of code that are produced each year). These are all impressive figures that clearly raise your interest.

Another trustworthy source in the industry is the Ponemon Institute with its 2018 Cost of a Data Breach Study. They too provide astonishing figures. According to them, the total cost of a data breach is around $3.86 million and the average cost per lost or stolen record is $148, differing by industry, geographical zone, type of incident etc. All values across the board have peaked compared to previous years and are predicted to grow in the future.

The whitepaper entitled “The Cost of Malicious Cyber Activity to the U.S. Economy” published early this year by the Council of Economic Advisers of the White House, mentions that “We estimate that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016” and that the loss was about $498 million per adverse cyber event within the sample size.

The 2017 Internet Crime Report released by the Internet Crime Complaint Center (IC3) also mentions total losses of $1.4 billion from 300,000 complaints. This report constitutes quite an accurate source, and most of the complaints reach the FBI for investigation. But we do not know how many of them are validated and truthful in the end.

Metric 2: How much we spend on cyber security

Another widespread metric used in cyber security is related to overall spending for cyber security. It can come in different flavors, such as per company, per industry, per country or region, as well as globally.

Again, according to Cybersecurity Ventures' 2019 Official Annual Cybercrime Report, global spending on cybersecurity will exceed $1 trillion cumulatively for the five-year period from 2017 to 2021. That's roughly $200 billion per year.

Gartner, a renowned research and advisory company, estimated that “worldwide spending on information security products and services will reach more than $114 billion in 2018[…]. In 2019, the market is forecast to grow 8.7 percent to $124 billion” (source). According to the same source, the top three drivers for security spending are (1) security risks; (2) business needs; and (3) industry changes. I would add to that the new regulatory requirements, mostly within the EU, such as GDPR and the NIS Directive. You can find more details regarding this topic in one of my previous posts.

Gartner goes into more detail and provides insights on the spending per segment. You can easily see how security services take more than half of the market size and how low the spending is for cloud security. For most of the market segments in Table 1, Gartner also produces a magic quadrant providing detailed industry statistics and insights. In the managed security services (MSS) market segment, SecureWorks is designated as a leader in the 2018 edition. In the network security equipment market segment, we find Palo Alto as leader for the enterprise network firewall category.

Figure 2 — Gartner Worldwide Security Spending by Segment, 2017–2019 (Millions of USD)

Markets and Markets provides such an analysis entitled Cybersecurity Market Global Forecast to 2023, where they forecast the “cybersecurity market size to grow from $ 152.71 billion in 2018 to $ 248.26 billion by 2023, at a Compound Annual Growth Rate (CAGR) of 10.2%”. They also mention that North America currently holds the largest market size, but also that the Asia-Pacific region is expected to grow at the highest CAGR, followed closely by Europe.

Market Research Future published Cyber Security Market Research Report: Forecast to 2023. According to them, the cyber security market generated $147.63 billion in 2017 and is expected to grow at an 11.2% CAGR during 2018–2023, reaching $251.13 billion in 2023.

Last but not least, Allied Market Research also published a study in Nov. 2016, entitled Cyber Security Market by Solutions. In their opinion, the cyber security market is expected to be worth $198 billion by 2022, registering a CAGR of 15.5%.

Short analysis

There are a few deductions that can be made when analyzing the data above.

First, when talking about the cost of an incident/breach, reports do not seem to reach a common denominator. Values differ a lot, based on the type of incident, industry type, organization type and the author of the study. Values per breach can range from thousands to millions of dollars. Looking into their methodologies brings up many more questions. Breach related studies are mainly based on public information and interviews with industry experts and executives. We all know how reluctant companies are to disclose details about their breaches, so I would classify these sources as being at least subjective. This is a major drawback, in my opinion. I do think that the results of such studies can easily be flawed by wrong figures, sampling, question formulation, etc.

Also, the cost of breaches was more popular as a metric some years ago, when many publishers touched on this area. Some of them have since dropped the initiative (e.g. Verizon’s Data Breach Investigations Report provided such values some years ago, but no longer does). Could this be because of the difficulty in obtaining accurate data? The cost of a breach might not be a reliable measurement, unless you truly possess industry insights and can adapt the figures to your environment. For example, a bank can always assess its own risk based on another bank’s security incident, given the similarities in assets and operational procedures. Studies in this area can be useful, but you don’t just take such data as it is; you need to apply some adjustments.

Studies investigating the market value appear to be more harmonized, fact based and objective. Although developed by different publishers, they have similar figures. They all roughly place the cyber security market value in 2018 somewhere above $100 billion and estimate that it will double in the next 5 years. Their primary sources of data consist of public company reports and publicly available statistical data on sales, revenues and the stock market. Such data are commonly acknowledged as being more accurate than any qualitative method based on expert interviews, which consistently lends such studies more accuracy.


Market value related studies tend to be more accurate as they reflect a global view of the market. Yet they do not answer the question CEOs so frequently ask: “How much do we lose by not adopting security?!”. However, they give plenty of insights into the capabilities of the market, prices, major players etc.

Ooh, and one more little important detail: breach related studies usually come for free, whereas the market value related studies cost around $5,000 per single-user license.

In 2016, while working within the EU cyber security agency (ENISA), I authored a similar study, related to the cost of incidents affecting cyber critical infrastructure. It was a systematic review of publications available at that time, with the scope of assessing the economic impact of incidents in the EU. Here are some of the conclusions of the study:

  • Measuring the real impact of incidents in terms of the costs needed for full recovery proved to be quite a challenging task.
  • Although there is a plethora of studies addressing the economic impact of incidents, each one of them examines the topic from a different perspective, focusing on certain industries, using different metrics, counting only certain types of incidents etc.
  • The lack of a common approach and criteria for performing such analyses has allowed the development of rarely comparable standalone studies, often relevant only in a certain context.
  • All types of readers that might be interested in such studies would have to place the study in their business context prior to adopting findings or drawing their own conclusions.

I would argue that most of the findings are still valid now! Nonetheless, such studies are a necessity for all players in the market. They might not use academic approaches, but surely they give enough details to help you position yourself in the market, estimate the level of investment needed and formulate an opinion about potential losses.

Read them wisely!

P.S. A happy and secure new year to everybody!

Originally published at on January 7, 2019.