Misaligned incentives and executive overconfidence aids criminals

A new survey by Intel Security of 800 cyber-security professionals from five industry sectors outlines how cyber-criminals hold the advantage: the incentives for cyber-crime have created a big business in a fluid and dynamic marketplace.

Defenders on the other hand, often operate in bureaucratic hierarchies, making them hard-pressed to keep up.

Conducted in partnership with the Centre for Strategic and International Studies (CSIS), the report, titled “Tilting the Playing Field: How Misaligned Incentives Work Against Cyber-security,” identifies three categories of misaligned incentives: corporate structures versus the free flow of criminal enterprises; strategy versus implementation; and senior executives versus those in implementation roles.

The report highlights ways organisations can learn from cyber-criminals to correct these misalignments.

Additional misalignments occur within defenders' own organisations. For instance, while more than 90 percent of organisations report having a cyber-security strategy, fewer than half have fully implemented it. What's more, 83 percent said their organisations have been affected by cyber-security breaches, which the report reads as evidence of the gap between strategy and implementation.

And while cyber-criminals have a direct incentive for their work, the survey not only shows that there are few incentives for cyber-security professionals, but also that executives were far more confident than operational staff about the effectiveness of the incentives that do exist. For example, 42 percent of cyber-security implementers reported that no incentives exist, compared with only 18 percent of decision makers and eight percent of leaders.

“The cyber-criminal market is primed for success by its very structure, which rapidly rewards innovation and promotes sharing of the best tools,” said Candace Worley, vice president of enterprise solutions for Intel Security. “For IT and cyber-professionals in government and business to compete with attackers, they need to be as nimble and agile as the criminals they seek to apprehend, and provide incentives that IT staff value.”

“It's easy to come up with a strategy, but execution is tough,” said Denise Zheng, director and senior fellow, technology policy programme at CSIS. “How governments and companies address their misaligned incentives will dictate the effectiveness of their cyber-security programmes. It's not a matter of ‘what' needs to be done, but rather determining ‘why' it's not getting done, and ‘how' to do it better.”

Other key findings of the report include:

  • Non-executives are three times more likely than executives to view shortfalls in funding and staffing as causing problems for the implementation of their cyber-security strategy.
  • Even though incentives for cyber-security professionals are lacking, 65 percent are personally motivated to strengthen their organisations' cyber-security.
  • Ninety-five percent of organisations have experienced effects of cyber-security breaches, including disruption of operations, loss of IP, and harm to reputation and company brand, among other effects. But only 32 percent report experiencing revenue or profit loss, which could lead to a false sense of security.
  • The government sector was the least likely to report having a fully implemented cyber-security strategy (38 percent). This sector also had a higher share of organisations with inadequate funding (58 percent) and staff (63 percent) than the private sector (33 percent and 43 percent respectively).

The report also suggests ways in which the defender community can learn from attacker communities. These include:

  • Opting for security-as-a-service to counter the cyber-crime-as-a-service model of the criminal market.
  • Using public disclosure.
  • Increasing transparency.
  • Lowering barriers to entry for the cyber-security talent pool.
  • Aligning performance incentives from senior leadership down to operators.

The good news, according to the report's authors, is that most companies recognise the seriousness of the cyber-security problem and are willing to address it. Organisations need more than tools to combat cyber-attackers. Experimentation is necessary to determine the right mix of metrics and incentives for each organisation, and that requires approaching cyber-security as more than a cost-control exercise and becoming more innovative in organisational structure and processes.