According to a fellow at Columbia University, companies are not investing significantly more in information security partly because of the influence of moral hazards, or the act of one entity taking risks because others bear the burden of those actions.
, a staff associate and fellow in cyber-security and internet governance at the Columbia School of International and Public Affairs, recently published in an article in Quartz
in which he explains how the low financial fallout from breaches, as well as growing (albeit misdirected) government intervention, help to explain why most companies have little financial incentive to invest in information security.
In his analysis of the financial impact of a data breach, Dean notes how the costs of both the Sony and Target breaches amounted to significantly less than initial estimates due to insurance reimbursement and tax deductions.
For example, analysts predicted that Sony Pictures would likely incur losses of more than $100 million
, but the company reported last month that the costs would only amount to $35 million
Similarly, Target stated last month
that the gross expenses from the 2013 breach against its systems totaled $252 million. But when one accounts for insurance reimbursement and tax deductions, the losses only amounted to $105 million.
“These numbers suggest that we have a market failure relating to asymmetric information, which results in the problem of ‘moral hazard’ for private companies in the area of information security,” observes Dean.
He goes on to explain that financial organizations incur most of the costs associated with data breaches, such as by paying for customers’ replacement credit cards. This coverage, as Dean reasons, only further weakens companies’ insurance reimbursement and tax deductions in the event of a security incident.
In the meantime, most governments are creating a number of new initiatives designed to improve information sharing between the public and private sectors with regards to information security, including Obama’s new Cyber Threat Intelligence Center
, but these do not encourage investments towards securing customers’ information.
Dean explains: “More costly than the problems they supposedly address, if anything, they create a disincentive for companies to make this needed investment by promising blanket protection from cyber-attacks.”
Together, companies’ low financial responsibility following a breach, not to mention the disproportionate burden placed on banks and the federal government, paint an unpromising picture of the future.
“If we don’t identify and address these contradictions, we run the risk of creating something much worse than the current information security problem,” Dean notes.
“The latest slew of government proposals raise more questions than answers regarding information security – and they are very concerning questions indeed.”
To read Benjamin Dean’s article in full, please click here