November 4, 2019 By Douglas Bonderud 4 min read

Cybersecurity risk management is not a purely technical or theoretical endeavor. Information security investments now inform security supply with the aim of reducing data breaches and boosting public perception. However, the demand for greater spending doesn’t necessarily equate to improved defenses.

The disconnect between increased resource allocation and actual readiness stems from the idea that cybersecurity issues play out logically and can be resolved with the usual fixes. In practice, however, both cybersecurity outcomes and anticipated criminal behaviors may not align with rational expectations. Fortunately, there’s an unexpected source of insights about how to reduce cyber risk, manage security supply and guard digital systems: economic theory. Here are three concepts from economic theory you can apply for effective infosec.

Behavioral Economics: Assumed Strength Is Often Critical Weakness

Any cyber risk reduction strategy starts with looking inward and identifying the best practices and IT solutions you already have in place to mitigate potential attacks both actively and passively. Overconfidence can create problems here. As Channel Futures noted, this is a growing issue for IT departments dealing with an increasingly complex landscape of both internal and cloud-based security controls. In fact, recent data from Hiscox suggested that 73 percent of companies aren’t prepared to handle cyberattacks, despite the vast array of infosec tools now available.

The theory of behavioral economics offers an explanation: Despite best intentions, both individuals and organizations don’t always act in their own rational self-interest. For cybersecurity initiatives, two key concepts inform this issue:

  • Planning fallacyAs Behavioral Economics observed, humans are naturally susceptible to the planning fallacy. We underestimate how long tasks will take and often ignore past experience. This is often seen in cybersecurity: “Surely, new infosec deployments won’t cause networkwide conflicts,” or “data breaches in similar industries or markets were probably just anomalies.”
  • The illusion of controlInformed by a seminal 1975 study, the illusion of control is “an expectancy of a personal success probability inappropriately higher than the objective probability would warrant.” This is a common mistake in cybersecurity risk management — having up-to-date security controls is often conflated with reduced risk, but this may not align with reality. As Security Magazine noted, 80 percent of U.S. businesses expected a “critical breach” this year.

Effectively applying behavioral economic theory to IT security means recognizing that assumed strength is often critical weakness. Aspects of your network or mobile device defenses that appear unassailable may be markers of the planning fallacy or the illusion of control. Consistent, calculated vulnerability analyses conducted by third-party providers who aren’t subject to the same potential biases as internal teams can help in these situations.

Asymmetric Information: Recognize That You’re at a Disadvantage

Many ideal economic models assume perfect information symmetry — both parties know the same things at the same time. In cybersecurity, as in the real world, this isn’t the case. Attackers often have much more in-depth data about potential targets than defenders have about threat vectors. This illustrates the economic concept of “information asymmetry.”

Consider the growing use of darknet resources and malware-as-a-service (MaaS) deployments. Attackers are now willing to share data about potential targets, which gives them a critical advantage when it comes to compromising corporate security. From company email lists to social media data from key personnel to information about the open-source technologies used in building mission-critical applications, attackers have the upper hand when it comes to information gathering. As a result, defensive postures become reactionary as organizations respond to potential threats instead of actively safeguarding weak points.

The first step is recognizing that you’re at a disadvantage. Even with strong defenses, threat actors have stolen a march on data gathering and strategy development. Next, implement corrective actions to reduce information asymmetry. This includes the deployment of threat hunting tools and advanced information-gathering practices to level the playing field and reduce the risk of unexpected attacks.

Game Theory: Reality Is Almost Always Different From Your Expectations

Game theory suggests that in non-cooperative games, where participants make nonbinding agreements to achieve end goals, each party bases their decisions on how they expect other parties to act without knowing how they will actually behave. Ransomware is a good example of game theory in practice. Companies often assume that attackers will release encrypted data once they’ve been paid because their demands have been met.

But since the objective of any non-cooperative game is maximizing individual participant outcomes rather than benefiting the whole, attackers don’t always live up to their end of the bargain. In fact, Forbes reported that just 19 percent of victims get their data back after paying a ransom, while 86 percent are able to recover their information from backups if they refuse to pay.

Phishing is another exemplar for game theory. Employees often assume they know what phishing attacks look like and what attackers are after. In many cases, however, sophisticated attacks aren’t using error-ridden emails to compromise credentials directly. Instead, they’re creating well-crafted messages that are seemingly innocuous, leading staff to believe they’re playing one game when attackers have switched out the board and raised the stakes. The impact is evident in reported phishing statistics. As Hashed Out noted, nearly one-third of all breaches in 2018 involved phishing, and one in every 25 branded emails is a phish in disguise.

Accounting for non-cooperative play in cybersecurity risk management means helping staff recognize the divide between expectation and reality in attack behavior. This includes red-team exercises to test potential reactions in a secure environment as well as regular employee training that emphasizes the need for staff to speak up if they see something amiss.

Combat Infosec Instability by Reducing Cyber Risk

Effective cybersecurity strategies help reduce the economic impact of data breaches. The 2019 Cost of a Data Breach Report pointed out how robust incident response plans can save companies more than $300,000 per incident.

But infosec security can be threatened by a trifecta of unhelpful factors: unintentionally irrational behavior, asymmetric information and an assumption of actor outcomes. These pitfalls tend to drive up cybersecurity costs. Fortunately, in-depth network analysis, actionable threat information and ongoing education informed by principles from economic theory can provide a framework for how to reduce cyber risk.

More from Risk Management

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today