Misaligned Incentives in Cybersecurity
The Technology Policy Program tracks new developments in cybersecurity, develops policy recommendations, and brings together the private and public sectors to develop workable solutions to address cyber threats.
CSIS commissioned a survey of 800 companies across multiple countries and major industry sectors, and interviewed technical experts and law enforcement officials on the underground hacker economy to understand the incentives that shape attackers’ and defenders’ behavior in cyberspace. Our report examines how misaligned incentives, both within organizations and between attackers and defenders, put defenders at a disadvantage, and highlights some of the key lessons that defenders can learn from adversaries to improve their cybersecurity.
According to most respondents, cybersecurity is now the number one risk facing organizations. A large majority of directors are being briefed on cybersecurity risks at board meetings, particularly on challenges that did not even rank in the top 10 a mere six years ago. Almost all respondents reported that their organization’s strategy addressed both new and existing threats. But while most executives believe that their strategy is fully implemented across the organization, operators largely disagree.
On the other hand, the cybercrime market responds to “price signals” with innovation and with new products and services on offer every day. When old capabilities are burned, replacements come online quickly. This enables dynamic competition and rapid innovation among the various parts of the cybercrime market, with clear incentives and reputational awards.