Cause Evaluation: Cybersecurity
05 Sep 2021
I’m interested in doing a decently hard pivot with my life into the internet privacy (and security) space. Here, I explore, at a very high level, the scope of the problems in these fields, in order to get an order-of-magnitude sense of the problems involved.
In this post, I am looking into: what scale of social impact would improvements to policies surrounding internet cybersecurity make? I will focus on security because its effects are more quantifiable and tangible; I will save a more in-depth analysis of privacy for a later date.
Fast facts + context
- The social cost per leaked PII record is around $150-180 (IBM data breach report).
- Looking into just the fintech market (from the IBM data breach report):
- We can low-ball that there are 5,000 financial institutions in the US (Plaid).
- Cyber attack stats:
- Frequency of attacks: 2-4 times per year
- Likelihood of a successful attack: 5%-15%
- 500,000 to 1M: estimated number of sensitive records in a database
- 75-100%: estimated percentage of records that contain PII/PCI
- “4.24m is the average cost of a data breach”
- “high level of compliance failures [were] associated with breach costs $2.3 million higher than breach costs at organizations without this factor present.”
- We can estimate that strong compliance can decrease costs by ~50%.
- Putting these numbers in context, current spend on cybersecurity products:
- Gartner forecast the market to grow to $124 billion in 2019 and $170.4 billion in 2022.
- “By 2020, we expect IT analysts covering cybersecurity will be predicting five-year spending forecasts (to 2025)” (Cybersecurity Ventures).
- U.S. Government spending on cybersecurity: The 2019 U.S. President’s budget includes $15 billion for cybersecurity, a $583.4 million (4.1 percent) increase over 2018. The Department of Defense (DoD) was the largest contributor to the budget. The DoD reported $8.5 billion in cybersecurity funding in 2019, a $340 million (4.2 percent) increase over 2018.
Estimate of potential benefits from improved cybersecurity regulation and compliance
- Just for the financial sector:
- The low-ball estimate of costs due to insufficient cybersecurity compliance and regulation:
- 2 attacks/yr * 15% success * 500k records * 75% PII * $180/record = $6.75M per org
- Social cost for fintech: low-ball $30 billion/yr (a mid-level estimate is $500 billion).
- A 50% reduction would mean ~$15 billion to ~$250 billion per year (30/2 to 500/2).
- Even a 10% effect would range from $1.5 billion to $25 billion/yr.
- Additionally, there are 16 other industries (public sector, media, ...), potentially multiplying the effect by 17x, to a range of $25 billion to $425 billion per year.
- On top of this, security and privacy have trickle-down effects such as improved democratic processes (e.g. weaker monopolies and stronger elections).
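The Fermi estimate above, carried through as an added Python example (not code from the original post): it takes the low and high ends of the ranges under "Fast facts" and returns the per-organization cost, the fintech sector total, and the savings from a given compliance improvement. The 5,000-institution count, the 17x industry multiplier and the 50% reduction are the post's own figures; note that the stated $6.75M per organization is reproduced by the 5% success rate, the low end of the quoted range.

```python
# Added example: Fermi-estimate helper reproducing the post's breach-cost numbers.
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachScenario:
    """Inputs for one end of the estimate. Percentages are integers so results stay exact."""
    attacks_per_year: int   # attempted attacks on one organization per year (post: 2-4)
    success_pct: int        # chance an attack succeeds, in percent (post: 5-15)
    records: int            # sensitive records in the database (post: 500k-1M)
    pii_pct: int            # share of records holding PII/PCI, in percent (post: 75-100)
    cost_per_record: int    # social cost per leaked PII record, in dollars (post: 150-180)

    def expected_cost_per_org(self) -> int:
        """attacks * P(success) * records * PII share * cost per record, per year."""
        return (self.attacks_per_year * self.success_pct * self.records
                * self.pii_pct * self.cost_per_record) // 10_000


# Low and high endpoints of the ranges quoted under "Fast facts".
LOW = BreachScenario(attacks_per_year=2, success_pct=5, records=500_000,
                     pii_pct=75, cost_per_record=180)
HIGH = BreachScenario(attacks_per_year=4, success_pct=15, records=1_000_000,
                      pii_pct=100, cost_per_record=180)


def sector_cost(scenario: BreachScenario, organisations: int) -> int:
    """Yearly social cost across a sector whose organizations all look like `scenario`."""
    return scenario.expected_cost_per_org() * organisations


def savings_from_compliance(sector_cost_dollars: int, reduction_pct: int) -> int:
    """Dollars saved per year if stronger compliance cuts breach costs by `reduction_pct`."""
    return sector_cost_dollars * reduction_pct // 100


def estimate(organisations: int = 5_000, extra_industries: int = 16,
             reduction_pct: int = 50) -> dict:
    """Carry the post's estimate through for both endpoints and return the key figures."""
    out = {}
    for name, scenario in (("low", LOW), ("high", HIGH)):
        fintech = sector_cost(scenario, organisations)
        saved = savings_from_compliance(fintech, reduction_pct)
        out[name] = {
            "per_org": scenario.expected_cost_per_org(),
            "fintech": fintech,
            "fintech_savings": saved,
            # Crude extrapolation from the post: 16 other industries of similar size (17x).
            "all_industries_savings": saved * (1 + extra_industries),
        }
    return out
```

Running `estimate()` gives the low-end fintech figure of about $33.75 billion per year, the number the post rounds to "low-ball 30 Billion/yr".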
Evidence that cybersecurity is still relatively neglected
- Market-based argument: cybersecurity has a 0% unemployment rate.
- Software positions for security experts routinely go unfilled.
- Events like the Equifax breach (2017) and the SolarWinds compromise (2020) occur regularly.
- Cybersecurity market is forecast to be around $170.4 billion in 2022, which is less than the estimate of social benefit of just improving compliance.
- Right now we have a dearth of technical people in policy making. (Bridging the Gap).
How effective could policy changes be?
- Congress moves slowly, and the US court system is heavily precedent-based, so laws and legal cases decided now will strongly shape future law.
- There is strong momentum now, and we have a lot of laws and court cases coming up (36 states, D.C. sue Google; Executive Order on Improving the Nation’s Cybersecurity; CCPA; Virginia passes comprehensive privacy bill)
What can people and organizations do?
- Some top advice right now is simply to “bridge the gap” to develop more intelligent policies. Philanthropic organizations like OpenPhil can fund getting tech people and policy people talking with one another.
- Organizations like OpenPhil can put more resources in programs like its new tech policy fellows program.
- See my post on Better Hedges (in Public Interest-Technology)
- Organizations like OpenPhil can give grants to individuals and other organizations to produce more good standards for security + privacy.
- Organizations like 80,000 Hours can support getting tech people working in government, at places like CISA.
- I also think that there is room for the creation of an entirely new organization to get tech people to directly consult for policy people.
- CISA, 18F, the USDS, and CSET are relatively new organizations that have had a strong, positive impact on the government. New organizations that are similarly structured are one potential direction (though this is more of a thought exercise than anything else). As a rough cost estimate:
- We can estimate the average US tech employee salary at $200k. With 10 employees allocated to each of the 50 states plus 50 federal-level employees, 550 employees * $200k = ~$110 million per year.
- This is a dramatically larger number than is really needed (180 employees work at the USDS, which has quickly garnered respect in the tech industry and had a positive impact on the US government).
- I’d guess that a moderate systemic change can be created with only 2 employees per state and 10 at the federal level (~22 million dollars per year).