Economics of Defense Against Cyber Threats

RAND delivers a model for analyzing the economic drivers and challenges of cyber defense.

Last year, Juniper sponsored research by the RAND Corporation that explored uncharted territory: the economics of the cyber black market. In phase two of that research, RAND has broken new ground again, combining insightful research with a heuristic model that helps companies map the economic drivers and challenges of defense, moving beyond an IT or operations perspective, into a holistic business risk point of view. The findings serve as an emerging framework for C-level executives and promote a more calculated approach to the risks related to cyber defense.

In the continuously evolving threat landscape, companies face a maze of choices as they design their security strategies. RAND’s heuristic model explores the decisions and tradeoffs that a CISO can make, and details the possible long-term cost implications of those decisions for the business. With the findings from RAND’s model, CISOs can understand how different drivers, such as software vulnerabilities, technology tool half-lives, and the Internet of Things will impact a company’s security strategy and investments. The model also provides actionable insights that companies should consider as they evaluate security spending and posture.

By mapping the major factors and decisions that influence cyber-risk costs to businesses, RAND’s model enables a more holistic economic view of how those expenses will change. The model suggests that the price of managing cybersecurity risk is set to increase 38 percent over the next 10 years, across all businesses.

Foremost among the study’s findings is the idea of bifurcating security technology spend into two categories: those that have short-term tactical impact, and those that have long-term, strategic impact.

The new RAND report, titled “The Defender’s Dilemma: Charting a Course Toward Cybersecurity,” is based on in-depth CISO interviews and an extensive review of the current and emerging threat landscape. Phase two research builds on the first report, “Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar” (2014), of the two-part Juniper-sponsored series from RAND. The 2014 report examined economic drivers for attackers and the sophisticated underground black market that’s been created to scale their efforts.

Get the 360 on RAND’s Findings

Related to our recent work with RAND, you can connect to a variety of online resources.