It’s been suggested that the media are to blame for mythologising cyber security. I don’t think so. The myths and distorted narrative start with an industry that presents the practice as something to be conducted solely by magicians – “It’s a dark art – most people won’t understand it”.
And it is indeed a dark art – unrelated to facts.
Some Numbers
In 2021, the Ransomware Task Force report said there had been 29 reported organisational ransomware incidents in the UK that year, and that the average ransomware payment had been about £250k. Not sure I believe the £250k, but ok. On that basis (29 incidents at £250k each, so roughly £7.25M a year), the direct economic costs of ransomware amounted to about £20k per day. Excluding accidental overpayments, benefits fraud in the UK totalled some £6.5Bn in 2021, about 1000 times the figure for ransomware. Simple retail theft (i.e. nicking stuff from Waitrose) cost the UK about £1.8Bn in 2023. That’s about 250 times greater than the impact from ransomware. In the same year, the tax gap in the UK (the gap between tax that should have been paid, and tax that was actually paid, at least on time) came to about £36Bn, meaning that those pesky ransomware payments added up to around 0.02% of the economic loss arising from uncollected tax.
Multiple sources indicate that the distribution of financial impacts of cyber events is long tailed, with a median of around zero, and a mean distorted by a relatively small number of outliers. Impact on share price – same. Impact on individuals – same. See the ICO website. The last two Verizon DBIR reports noted (quietly) that 93% of ransomware attacks (96% last year) led to no financial impact. Long tailed.
And yet we have claims that “ransomware presents the most immediate danger to the UK, UK businesses and most other organisations”, and claims from the US Government that ransomware is “a serious threat to our national and economic security”. The former Australian minister for cyber claimed that “this impact to our sovereignty and way of life is why ransomware threat actors are a core national security challenge for Australia”.
Don’t blame the poor old media. Security is socially constructed, and the two loudest voices in the room are telling everyone else that this is something that you need to spend money on, not something you can do yourself. The UK cyber industry was worth an estimated £10Bn in 2021, contributing £5.3Bn to the UK economy, and bringing in an estimated £1Bn of inward investment. It’s not exactly an act of sedition to suggest that the aims of the industry are now aligned with the aims of Government. Look at the terms of reference for the McPartland report. And to slightly misquote Mark Neocleous, once you’ve built an entire industry selling people the concept of security, the last thing you want to do is actually deliver any. What you need instead is a constant stream of disaster scenarios, to keep the money flowing in. What Neocleous describes as a “state of permanent emergency”.
A Sense of Perspective
There’s a suggestion in the analysis that the situation could be changed if everyone was just a bit more sensible. As far back as 2020, Lawson suggested that we needed to maintain a sense of perspective, and that until we did so, cyber wouldn’t work. In 2017, a former Deputy Director of intelligence and cyber operations at GCHQ said that making cyber more complex than it needed to be was just worsening the situation. In the same year, the (then) Technical Director of NCSC suggested that the way cyber was presented at the time was not much more than “medieval witchcraft”. The problem, they said, was massively incentivised companies overstating the abilities of hackers in order to drive sales, and in so doing, defining the public perception of the problem. The answer, they said, was to stop relying solely on those sources that make a living from cyber security.
And yet here we are, still in the same position. Largely because there’s no profit to be made in selling basic cyber hygiene, which report after report says could fix about 90-odd percent of the problem. Government is interested in the cyber industry, and the cyber industry is interested in profits. The VCs behind the cyber industry, ditto. It’s not about making cyber work. I’m afraid it is actually all about the Benjamins.
KNP Logistics, by the way, had lost money (anything up to £3M per year) in the six years up to the year before they went under. When they did climb back into profit, they achieved a net margin of around 1%. They were running on significant amounts of loan capital, shelling out anything up to £0.5M a year in interest repayments. They had close to zero cash at hand to withstand economic shocks. And then… an economic shock happened. Interest rates went up from about 1% to about 5%. At the same time, demand fell off a cliff. The economic conditions in 2023 were described by the industry body as ‘a perfect storm’. Consequently about 500 UK-based hauliers went bust in that year, and for the same reasons – fixed cost base inflation against a background of declining demand. One of them had a ransomware incident on the way down. That’s it.
Ditto Travelex. Sources outside the cyber bubble, e.g. Bloomberg, Reuters, the FT (or even the statements from the FCA), reported the issue as a mixture of undisclosed debt and associated financial shenanigans. Such as running two sets of accounts and – allegedly, m’lud – raising false invoices to fraudulently obtain credit. Their sister company NMC Health was declaring $2.1Bn in debt – they then adjusted that to about $5Bn, having had a quick look behind the sofa. When things came badly unravelled, their actual debt turned out to be more like $6.5Bn – three times what they had been declaring in their audited accounts (EY, if anyone needed to be told). The parent company for Travelex, ditto. Declared debt, $200M. Actual debt when everything was brought out into the sunlight – about $1.2Bn. Those disclosures led the financial institutions to downgrade their credit ratings, leading to a liquidity crisis. The parent company and their sister company went under for exactly the same reasons. Nothing to do with ransomware. And as a coda, Travelex themselves didn’t go under. They’re actually doing ok.
More Numbers
And yet and yet… UK Government proposals for cyber legislation repeatedly cite Travelex and KNP Logistics as reasons why further action is needed. Which indicates either a misinterpretation of the facts, or a lack of critical thinking.
The business case for the implementation of the Network and Information Security Directive in the UK stated that the costs of implementation were likely to be around £400M over a ten year timeframe. Benefits? None identified. But the report did imply that if the measures in the Directive prevented just one typical incident, then it would be money well spent. That incident being a fictitious scenario set out in a report produced by a cyber security service provider. Two years later, the first Post-Implementation Review (PIR) concluded that it was impossible to identify any benefits. So they referred back to the fictitious worst-of-the-worst-cases scenario. Although their report did note that the costs to industry seemed to have been significantly greater than the figures used in the original business case. Two years later, the second PIR noted the same: no way of seeing any benefits, referred back to the same scenario, and quoted figures in a report from another cyber security services provider. The second PIR also revisited the costs, which are now estimated to be around £900M over ten years, more than twice the original estimate. I say “cost”, but these aren’t really costs. It’s money taken from active, profitable companies and handed over to the cyber industry, in exchange for a demonstration of compliance rather than demonstrable effectiveness.
Pardon my tinfoil hat, but that looks an awful lot like regulatory capture to me.
The two bits of UK cyber legislation currently working their way through the system refer back to the same scenario. That’s three pieces of legislation justified on the basis of a fiction. Meanwhile, the externalities continue, in part because risk analysis techniques used by practitioners ignore externalities and focus on the impact to the organisation, and in part because of this relentless pressure on compliance with standards co-produced by the cyber industry themselves.
Conclusion
Akerlof and Shiller suggest that in a relatively free market, if opportunities are being efficiently exploited, then inevitably you see deception, because it confers an economic advantage. At the equilibrium, consumers then buy what they’ve been conditioned to buy (in this case compliance) rather than what might be best for them (effectiveness). That’s a very stable set of circumstances. It’s not likely that a call for common sense will change that situation.
I’ve probably used about ten times more text than I needed to. I just think it’s worth bearing in mind the possibility that the cyber industry and Government have other drivers. It’s not necessarily about media representation. To quote Malcolm Harkins (from all the way back in 2018), if you think the cyber industry exists to solve your problems, think again. It’s an industry. It exists to make a profit. The aim is not to sell you something that can solve your problems, the aim is to sell you something that you believe can solve your problems.
Selected Sources
- Da Silva, J. and R.B. Jensen, ‘Cyber security is a dark art’: The CISO as soothsayer. arXiv preprint arXiv:2202.12755, 2022
- Ransomware Task Force Report, 2021 (p15, p17)
- https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cyber-security-breaches-survey-2023 (Section 4.5)
- Richardson, V., M.W. Watson, and R.E. Smith, Much Ado about Nothing: The (Lack of) Economic Impact of Data Privacy Breaches. Journal of Information Systems, 2019.
- Verizon 2023 Data Breach Investigations Report (p30)
- Neocleous, M. (2008). Critique of security. Edinburgh University Press.
- Lawson, S.T., Cybersecurity Discourse in the United States: Cyber-Doom Rhetoric and Beyond
- Microsoft Digital Defense Report 2023
- Kaminska, I. Introducing the rise of cyber mythology. 2017 Available from: https://www.ft.com/content/6470595a-a17f-3740-8c47-a44646174681
- BBC. “Security firms ‘overstate hackers’ abilities to boost sales”. Available from: https://www.bbc.co.uk/news/technology-38853502
- https://uk.finance.yahoo.com/news/record-level-british-haulage-businesses-174540639.html
- https://www.fca.org.uk/news/press-releases/fca-censures-nmc-health-plc-administration-market-abuse
- The Finance Story: EY in trouble for audit failure of NMC Health: Faces £2 Billion lawsuit. Available from: https://thefinancestory.com/ey-audit-failure-of-nmc-health-scandal
- NIS Regulations: Impact Assessment. 2018
- Post-Implementation Review of the Network and Information Systems Regulations 2018.
- https://www.gov.uk/government/publications/second-post-implementation-review-of-the-network-and-information-systems-regulations-2018
- Bygrave, L. A. (2025). The emergence of EU cybersecurity law: A tale of lemons, angst, turf, surf and grey boxes. Computer Law & Security Review, 56, 106071.
- https://www.gov.uk/government/consultations/ransomware-proposals-to-increase-incident-reporting-and-reduce-payments-to-criminals
- https://dsit-newsroom.prgloo.com/news/new-cyber-laws-to-safeguard-uk-economy-and-secure-long-term-growth
- Akerlof, G. A., & Shiller, R. J. (2015). Phishing for phools: The economics of manipulation and deception. Princeton University Press
First published 11th August 2025