Tall Tales and Long Tails

Keeping the Business Fed

Mark Neocleous, in his book “Critique of Security” (brilliant book, by the way), points out a couple of things relating directly to the business of cyber. Chief amongst them is the idea that once you’ve set up an industry to sell people the concept of security, the last thing you should do is actually deliver any. Instead, what you want is an endless stream of insecurities to drive future demand. Ensuring the continuing consumption of goods becomes the objective, rather than the provision of protection. As Neocleous puts it, you need to generate “a state of permanent emergency”.

Typical tactics used here are conflation (the use of phrases such as “cyber Hiroshima” and “cyber 9/11”), counterfactuals (“imagine what could have happened”) and projection (usually onto some shadowy agency with almost superhuman skills). Lawson summarises the people doing this as “worst case entrepreneurs”, for whom “scenarios substitute for facts”. Others have made the same point, such as Quigley, who found that “most cybersecurity specialists in the popular domain use management guru techniques and manipulate common cognitive limitations in order to over-dramatize and over-simplify cybersecurity risks”. There’s a great book that you might want to check out, regarding the use of these techniques by management consultancies such as McKinsey and Co. The outcome, in most cases, is that customer organisations are stripped of inherent skills (“hollowed out”), and their management is infantilised to the extent that they require an ever-increasing level of external support.

A RUSI report (“OMG Cyber!”) looked at three problems that come with this level of threat inflation: it leads to confusion over what security is intended to encompass; it makes it difficult to assess whether or not an investment in cyber will return a result; and it inevitably clouds planning objectives.

While it might seem to be all doom, it’s certainly not all gloom. According to Government statistics, the UK cyber industry was worth £10Bn in 2021/22. It contributed £5.3Bn to the UK economy (up 30% from the year before) and attracted £1Bn in inward investment.

So while hype might not be great for the customer, it’s absolutely brilliant for the industry.

And without wishing to put on my tinfoil hat, Government objectives have now become aligned with industry objectives, so there’s absolutely no need to rock the boat. Unless of course, you want to see some outcomes. Because year after year, the DCMS security breaches survey fails to show any link between spending on cyber and the frequency and severity of security incidents.

Some Numbers

Based on mandatory filings relating to crypto transactions, the US Treasury Department reported that in 2021, an estimated total of US$1.2Bn was paid out through US banks, in order to meet ransomware demands. Is that a lot? I guess it is. Ransomware is, after all, widely touted as a major threat to economic security.

The “tax gap” is the difference between the tax that should be paid, and the tax that actually is paid, at least on time. The latest reports for the US indicate that the gap for 2016 was around US$0.5Tn. On these figures, the financial impact of ransomware comes to about one quarter of one per cent of the annual tax gap. And yet somehow, the US economy staggers on.

The UK is, apparently, the only country to issue annual figures on their tax gap. The latest figures place it at about £36Bn (US$45Bn on current rates of exchange), about 40 times the figure for ransomware payments in the US.

The Ransomware Task Force report, assuming I’m reading it correctly, indicates that in 2021, the UK suffered 29 confirmed organisational ransomware attacks, and that the average payment was around US$312k. Assuming those figures to be accurate, and again given current exchange rates, that comes out to a financial impact to the UK economy of about £20k per day.

Servicing the national debt, on current figures, costs the UK about £0.3Bn. Per day.

Benefits fraud in the UK, on the latest figures I can find, comes to about £6.5Bn, if you ignore accidental overpayments. That’s about £18M per day. I’ll save you the effort on that. It’s about a thousand times greater than the figure for ransomware payments. Retail theft in 2023 (basically, shoplifting) cost the UK economy an estimated £1.8Bn, or about £5M per day. Twice the cost of ransomware payments across the United States.

You might think that those numbers, in relation to the money spent on cyber in the UK alone, compared to the size of the problem, would be pretty alarming. However, as you might have expected by this point, it gets worse.

And to pre-empt the question, I’ll be looking specifically at the non-financial impacts in a future article.

Long Tails

The 2023 Verizon Data Breach Investigations Report (p30, Figure 33), quoting an FBI report (itself based on reports submitted to the Internet Computer Crime Centre), puts up some scary figures, showing million dollar losses from ransomware attacks, with only a smattering of incidents costing less than hundreds of dollars.

At least, they look scary until you read the footnote that says that the graph represents just 7% of the reported incidents. The remaining 93% were removed because they involved no financial impact. So… if you scale down the dots in the diagram, and add back in the missing 93% at or around zero impact, you get a slightly different distribution.

It should look something like the graph below (this one has been derived from a US Industrial Control System Cyber Emergency Response Team report):

There’s a huge spike of pretty much nothing, with a very small number of more serious incidents, a long way out to the right.

I’m being a bit selective with my quotes here, but the idea that most incidents don’t have any financial impact also appears in a Banca D’Italia report (“More than 90 per cent of firms report having sustained a direct cost below €10,000; only about one per cent reported damages in excess of €50,000, with 0.1 per cent above €200,000”), a German study of 5000 companies (“The lower median values indicate that a large proportion of organizations suffer low costs, whereas few organizations suffer large costs”), a study by Romanosky (“… most cyber events cost firms less than 0.4% of their revenue… far less than other losses due to fraud, theft, corruption, or bad debt”), and various studies looking at the impact of a breach announcement on share price (e.g. “[m]ost of the difference between companies disclosing breaches and matched companies is driven by the rare catastrophic incidents”).

In this kind of ‘long tailed’ distribution, the mean gets separated from the median. The mean is the average (you add up all the numbers and then divide by the number of numbers). The median is the halfway point – half the incidents should be below the median impact, half above.

With a nice, symmetrical, well-behaved distribution, the mean and the median coincide. The outliers in a long-tailed distribution, however, even though they may be few and far between, carry such a disproportionate potential impact that they distort the mean, which gets dragged up towards the ‘bad news’ end of the spectrum. The median, on the other hand, is much less affected by outliers. There’s an argument that under those conditions, it’s probably better to take the median as being representative of the distribution, rather than the mean. However, most security sources, as you may have noticed, quote the mean rather than the median, and from their point of view, they do that for a very good reason.

The DCMS security breaches survey usually presents a table in Section 5 or thereabouts, regarding the impact of reported breaches. I’ve looked through the last five years or so of reports, and there’s a pretty clear pattern. The mean is always larger than the median, indicating that the distribution is probably long-tailed. Oh, and in passing, the median impact is, to all intents and purposes, zero. The only way you get it off the zero line is to repeatedly select for outliers.

The 2023 report, for instance, looks at the impact of cybercrime, finding that only about 11% of survey respondents had incidents coming under the report’s definition of cybercrime. That doesn’t look like cyber-Armageddon. And indeed, most of the reports for the companies that were affected were to do with phishing attacks, with zero impact. So… the next stage of the analysis dropped the phishing reports, i.e., the definition of cybercrime was adjusted half-way through the analysis. Any psychologists reading this might feasibly see this as ‘HARKing’ (hypothesising after the results are known). Doing this gets you much scarier numbers, because basically, all you’re left with is outliers. But you’re also only dealing with 2% of your sample.

That is, having thrown away responses that didn’t experience cybercrime, and then thrown away the phishing incidents, you’ve essentially discarded 98% of the available information. The next stage discards another 17 cases (described as a ‘small number’). Yes, it is small, I guess, but it’s 25% of the remaining responses, bringing your response count down to 40-odd businesses out of a sample of around 2300.
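To make the mean-versus-median point and the selection funnel concrete, here is an added example (my own constructed data, not the DSIT/DCMS survey figures) that builds a long-tailed sample of 2300 respondents and applies the successive filters described above, reporting how the sample share, mean and median move at each stage. The categories, costs and the reason the final 17 cases are dropped (cost not estimated) are assumptions for illustration.

```python
from statistics import mean, median

# Constructed survey sample (NOT the real survey data): 2300 respondents,
# each a (category, cost_in_gbp) pair. None = cost not estimated, the
# assumed reason for the 'small number' dropped at the final stage.
SAMPLE = (
    [("none", 0)] * 2047            # no cybercrime reported at all
    + [("phishing", 0)] * 196       # cybercrime, but phishing with zero cost
    + [("malware", None)] * 17      # cybercrime, cost not estimated
    + [("malware", 500)] * 30       # modest, measurable costs
    + [("ransomware", 50_000)] * 8  # the long tail ...
    + [("ransomware", 1_000_000)] * 2
)

# Successive filters in the order the text describes; each keeps a subset.
STAGES = [
    ("all respondents", lambda c: True),
    ("cybercrime only", lambda c: c[0] != "none"),
    ("phishing dropped", lambda c: c[0] not in ("none", "phishing")),
    ("unestimated dropped",
     lambda c: c[0] not in ("none", "phishing") and c[1] is not None),
]


def summarise(cases, total):
    """Return (n, share_of_original_sample, mean, median) for one stage.
    Mean and median are taken over the cases with a known cost."""
    costs = [cost for _, cost in cases if cost is not None]
    return (len(cases), len(cases) / total, mean(costs), median(costs))


def funnel(sample=SAMPLE):
    """Apply each stage to the sample and summarise what survives it."""
    total = len(sample)
    return {name: summarise([c for c in sample if keep(c)], total)
            for name, keep in STAGES}


if __name__ == "__main__":
    for name, (n, share, mu, med) in funnel().items():
        print(f"{name:<22} n={n:>5} ({share:6.1%})  "
              f"mean=£{mu:>10,.0f}  median=£{med:,.0f}")
```

The median stays at zero until the zero-cost categories are filtered out, while the mean is already dragged up by ten ransomware cases; by the last stage the headline figures rest on under 2% of the original sample.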

And yet cyber-doom is a very convincing argument. At £10Bn pa in the UK alone, it must be. That’s because cyber is presented as what Paul Slovic calls a ‘dread risk’ – unknown, not controllable, and potentially catastrophic. And we’re programmed to take notice of dread risks. It’s in our nature. To quote Lawson, “we have a tendency to let our metaphors do the thinking for us”. And the cyber-doom business knows just how to exploit those inbuilt instincts for the maximum effect. It’s a perfect example of what Shiller calls “narrative economics” – in this case, developing and promoting a narrative in order to achieve a specific economic outcome.

It’s not so much that there aren’t severe incidents. There are, and we need to guard against them. But when everything is described as a potential cyber-Armageddon, how can we tell where the money should be spent? Then again, maybe that’s the point.

Basis

These are the numbers I took from the ICS-CERT report, in case you want to check them. I ordered the incident types logically (I hope), and then assigned an increasing severity index to each one.

Data source: National Cybersecurity and Communications Integration Center

Sources

  1. Neocleous, M. (2008). Critique of security. Edinburgh University Press.
  2. Lawson, S. T. (2019). Cybersecurity discourse in the United States: Cyber-doom rhetoric and beyond. Routledge.
  3. Quigley, K., Burns, C., & Stallard, K. (2015). ‘Cyber Gurus’: A rhetorical analysis of the language of cybersecurity specialists and the implications for security policy and critical infrastructure protection. Government Information Quarterly, 32(2), 108-117.
  4. Bogdanich, W., & Forsythe, M. (2022). When McKinsey comes to town: The hidden influence of the world’s most powerful consulting firm. Anchor.
  5. Lee, R. M., & Rid, T. (2014). OMG Cyber! Thirteen reasons why hype makes for bad policy. The RUSI Journal, 159(5), 4-12.
  6. FinCEN (2022). FinCEN analysis reveals ransomware reporting in BSA filings increased significantly during the second half of 2021. Available from: https://www.fincen.gov/news/news-releases/fincen-analysis-reveals-ransomware-reporting-bsa-filings-increased-significantly
  7. Ransomware Task Force (2021). Combating ransomware: A comprehensive framework for action. Available from: https://securityandtechnology.org/ransomwaretaskforce
  8. Verizon (2023). 2023 Data Breach Investigations Report. Available from: https://www.verizon.com/business/en-gb/resources/reports/dbir
  9. Biancotti, C. (2017). The price of cyber (in)security: Evidence from the Italian private sector. Bank of Italy Occasional Paper, 407. Available from: https://www.bancaditalia.it/pubblicazioni/qef/2017-0407/index.html?com.dotmarketing.htmlpage.language=1
  10. von Skarczinski, B. S., Dreißigacker, A., & Teuteberg, F. (2022). Toward enhancing the information base on costs of cyber incidents: Implications from literature and a large-scale survey conducted in Germany. Organizational Cybersecurity Journal: Practice, Process and People, 2(2), 79-112.
  11. Romanosky, S. (2016). Examining the costs and causes of cyber incidents. Journal of Cybersecurity, 2(2), 121-135.
  12. Richardson, V., Watson, M. W., & Smith, R. E. (2019). Much ado about nothing: The (lack of) economic impact of data privacy breaches. Journal of Information Systems.
  13. Edwards, B., Hofmeyr, S., & Forrest, S. (2016). Hype and heavy tails: A closer look at data breaches. Journal of Cybersecurity, 2(1), 3-14.
  14. DSIT (2023). Cyber Security Breaches Survey 2023. Available from: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cyber-security-breaches-survey-2023
  15. Slovic, P. (1987). Perception of risk. Science, 236(4799), 280-285.
  16. Shiller, R. J. (2020). Narrative economics: How stories go viral and drive major economic events. Princeton University Press.

First published 30th April 2024

Separated from case study 27th May 2024

Edited 1st July 2024