Basics
First off, a couple of facts:
Sixty percent (60%) of small businesses go bust within 6 months of having a breach. Er… false. The originator of this alleged statistic (the National Cyber Security Alliance) put out that claim as part of an infographic, about fifteen years ago, then took it down when they realised it wasn’t an outcome from their own research, nor could they find any evidence to support it. However, inevitably, it’s still being quoted, despite the NCSA publicly disowning it. The latest ones I’ve seen are from the BBC (who actually referred to the NCSA web site as the source), and from a UK University. Well, I say University. It’s Salford, but close enough. The most egregious example is a Cyber Resilience Centre (i.e. an organisation funded to provide SMEs with reliable advice on cyber), claiming that “60% of small businesses…”, you know the rest. Appalling.
KNP Logistics was driven out of business by a ransomware attack. Well, if it was, did the same ransomware attack kill off the other 460 or so UK based hauliers that went bust in the same year? Unlikely. What drove all of these companies out of business was a combination of rising inflation and high interest rates – what the industry body described at the time as ‘a perfect storm’. Fixed cost base inflation against a background of declining demand. To pick one company out of nearly five hundred as an example of the existential threat from ransomware is absurd. See the details here.
Travelex went bust because of a ransomware attack. Well, first off, they didn’t go bust. They’re still trading, and doing very nicely thank you, last time I looked. The problems experienced by their now-defunct parent company stemmed from frankly astonishing levels of debt that hadn’t been disclosed to the markets (about $1Bn in the case of the parent company, and about $4Bn in the case of their sister company), plus good old financial shenanigans. Take one or two steps outside the cyber bubble. Look at the summaries from e.g. Reuters, Bloomberg, or the FT. Or look at the summary from the Financial Conduct Authority, who were about to fine these guys back into the Stone Age until they realised they’d gone into administration.
The ransomware attack on the Colonial Pipeline Company was a preview of cyber-Armageddon. Er, no. Happy to be corrected, but the worst impacts I could find centred on panic buying, leading to localised shortages and a few arguments on gas station forecourts. Plus a couple of flights were diverted, to be on the safe side. The pipeline, by the way, has an interesting background. It was responsible for the largest single gasoline pipeline spillage in US recorded history. Into a North Carolina nature reserve. Whoopsie. The leak before that was the largest single leak from a gasoline pipeline in the preceding twenty-five years. When Colonial sent a team to fix it, they caused an explosion and a fireball that killed one person and injured five others. It’s been closed anything up to five or six times a year over the past twenty years, due to integrity issues, bad weather, leaks, system failures etc. A report into just one of these incidents stated that the continued operation of the pipeline under the then-current regime constituted an ongoing threat to public safety and to the environment. Now… which one of these sets of circumstances prompted the US government to introduce emergency legislation regarding pipeline safety? No prizes, I’m afraid. Although it does bring us to the point.
Spot the Difference
Regular readers will have seen the dissection of the business case (see here) for implementing the EU’s Network and Information Security Directive (NIS) in the UK. No identifiable benefits, but nevertheless £400M of expenditure required over a ten year timeframe. Because there were no identifiable benefits, the investment case instead leaned on a scenario taken from a report sponsored by a cyber services provider, regarding an attack on the UK electricity grid. Depending on which criteria you take, this imaginary scenario was about fifty times worse than the worst recorded actual event of its type. I must stress at this point that the scenario was constructed. A work of fiction.
The investment case concluded that if just one of these fictional ultra-worst case events could be completely prevented by the measures being implemented (unlikely, given the conditions for the scenario, but we’ll let that go), then the investment would be worthwhile. Fair enough. That seems to be a reasonable basis for spending four hundred million quid.
Two years later, the first Post Implementation Review commented that not only was it difficult to identify any benefits, it’s difficult to see how they could be identified, meaning that it’s not really possible to build a business case for the investment. Oh well. Better late than never I guess. The PIR then pointed to the same imaginary scenario, and concluded that there was a clear case for continued investment. Right.
Two years after that, the second PIR did exactly the same thing. Except they had at least updated the likely costs of implementation. To about £850M. That’s correct. About a billion quid, taken from largely profitable companies and invested into the cyber industry, on the basis of a fiction.
The second PIR also noted that there had been a reduction in reported incidents. Great. From thirteen incidents, down to twelve. Although apparently these weren’t necessarily cyber incidents. And inevitably the electricity grid scenario was quoted as an indication of how much money might be saved, if we just keep spending money.
Not to be outdone, the proposal for forthcoming legislation in the UK that would make ransomware payments illegal quotes exactly the same scenario. Although the proposal also points out that the scenario had nothing to do with ransomware, i.e. this fictional event has absolutely no relevance to the subject of the legislation, but we’ll quote it anyway, as supporting “evidence”. Travelex and KNP Logistics were also cited as events that could have been avoided through better security, although since neither of them was caused by cyber, I’m not sure I follow the logic. Maybe that’s just me.
Interestingly… the current (as of 2025) proposal for legislation in the UK regarding cyber resilience, quotes exactly the same scenario. In case you haven’t been counting, that’s now three pieces of UK cyber legislation justified on the basis of an imaginary event.
For good measure, the Government press release for the proposed legislation claimed that cybercrime costs the UK about £22Bn per year, a figure seemingly unsupported by any referenced sources or research. Probably no coincidence that the claim was removed from subsequent documentation, presumably because it was found to be unsupported. However, all too late. The AI summary of a Google search quotes that same figure of £22Bn, and it’s all over the cyber providers’ web sites. It is now a “fact”. Expect it to be quoted on a Cyber Resilience Centre near you, any day now.
A One-Way Conversation
There’s a strong argument that security comes about through negotiation i.e. that it’s socially constructed (see here). What we have at the minute is a very close correlation between the Government position and the cyber industry position, to the extent that Government documents are now quoting the same folklore as you might expect to see on a cyber provider’s web site, and are even going so far as to reference cyber provider reports as justification for legislation.
As it stands, the conversation on security is being dominated by just two parties. The role of the customer seems to be to foot the bill, with increasing drops in profits occasioned by each new piece of legislation. To quote Akerlof and Shiller (two Nobel Prize-winning economists), the customer is now buying what they have been conditioned to buy (see here).
I’ll quote Sean Lawson to finish off:
“None of the preceding discussion should be read as suggesting that we should not take cybersecurity seriously, that we should not take measures to secure your critical infrastructures, or that we should not prepare to mitigate the effects of a cyberattack on critical infrastructure should it occur. Rather, this book should be read as suggesting that taking cybersecurity seriously requires that we re-evaluate the assumptions upon which public debate and policymaking proceed, that we can only make effective policy if we begin with a realistic assessment of current and likely future threats. To do that, we must continue to challenge and ultimately move beyond the rhetoric of cyber-doom that has persisted in the U.S. cybersecurity debate for more than two decades.”
That is, we need to set cybersecurity on a firm basis of actual fact. Logic. Evidence. A good starting point, perhaps, might be to expand the debate on cyber to include the end customer.
Selected Sources
- https://www.staysafeonline.org/press/national-cyber-security-alliance-statement-regarding-incorrect-small-business-statistic
- https://www.bbc.co.uk/news/business-63260648
- https://www.ft.com/content/a22b75df-f37f-4e4f-a024-3dc1c1df82ee
- https://www.ft.com/content/91317ad0-40aa-4dd7-91ca-3e1c17853a87
- https://www.fca.org.uk/news/press-releases/fca-censures-nmc-health-plc-administration-market-abuse
- https://www.eenews.net/articles/n-c-pipeline-caused-largest-u-s-gasoline-spill-records-say
- https://response.epa.gov/site/site_profile.aspx?site_id=11897
- https://www.cnbc.com/2021/05/09/colonial-pipeline-cyberattack-heres-when-it-was-previously-shut-down.html
- https://www.gov.uk/government/publications/nis-regulations-impact-assessment
- https://www.jbs.cam.ac.uk/wp-content/uploads/2020/08/crs-integrated-infrastructure-cyber-resiliency-in-society.pdf
- Post-Implementation Review of the Network and Information Systems Regulations 2018.
- https://www.gov.uk/government/publications/second-post-implementation-review-of-the-network-and-information-systems-regulations-2018
- https://www.gov.uk/government/consultations/ransomware-proposals-to-increase-incident-reporting-and-reduce-payments-to-criminals
- https://dsit-newsroom.prgloo.com/news/new-cyber-laws-to-safeguard-uk-economy-and-secure-long-term-growth
- Lawson, S. T. (2019). Cybersecurity discourse in the United States: Cyber-doom rhetoric and beyond. Routledge.
- Chen, C., Frey, C. B., and Presidente, G. Privacy Regulation and Firm Performance: Estimating the GDPR Effect Globally.
First published 25th June 2025