
New Global Cybersecurity Report Reveals Misaligned Incentives, Executive Overconfidence Creates Advantages for Attacker

Announcement posted by McAfee 02 Mar 2017

Intel Security, CSIS Survey: Only 2 in 5 of staff in Australian organisations agree with executives that their cybersecurity strategies have been implemented

NEWS HIGHLIGHTS

New report from Intel Security, CSIS, finds three key areas of misaligned incentives that advantage cybercriminals:

 - Between fluid attackers and bureaucratic defenders

 - Between organisational strategy and real-world/actual implementation

 - Between executives and implementers who measure success differently

Further highlights:

 - Attackers thrive in a fluid, decentralised market, while bureaucracy and top-down decision making constrains defenders

 - 92 percent of Australian organisations surveyed have a cybersecurity strategy, but only 42 percent have fully implemented these strategies (93 percent and 49 percent globally)

 - Nearly 60 percent of IT executives believe their cybersecurity strategy is fully implemented, while just over 30 percent of IT staff agree

 - 56 percent of Australian cybersecurity professionals say their role lacks incentives, while 60 percent believe their organisation is more concerned about its reputation than cybersecurity itself

 - Senior executives designing cyber strategies measure success differently than the implementers who put these strategies into practice, limiting their effectiveness


SYDNEY, Australia, March 2, 2017 – Intel Security, in partnership with the Center for Strategic and International Studies (CSIS), today released “Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity,” a global report and survey revealing three categories of misaligned incentives: corporate structures versus the free flow of criminal enterprises; strategy versus implementation; and senior executives versus those in implementation roles. The report highlights ways organisations can learn from cybercriminals to correct these misalignments.

Based on interviews and a global survey of 800 cybersecurity professionals from five industry sectors, the report outlines how cybercriminals have the advantage: the incentives for cybercrime have created a big business in a fluid and dynamic marketplace. Defenders, on the other hand, often operate in bureaucratic hierarchies, making them hard-pressed to keep up.


Additional misalignments occur within Australian defenders’ organisations. For instance, while more than 90 percent of organisations report having a cybersecurity strategy, less than half (42%) have fully implemented them. What’s more, 78 percent of Australian cybersecurity professionals said their organisations have been affected by cybersecurity breaches (83 percent globally), indicating a disconnect between strategy and implementation.

And while cybercriminals have a direct incentive for their work, the survey not only shows that there are few incentives for Australian cybersecurity professionals (56 percent say their role lacks incentives), but also that executives were much more confident than operational staff about the effectiveness of the existing incentives. For example, 60 percent of executives surveyed believe financial incentives are in place, compared to only 36 percent of employees. A further 60 percent of Australian employees believe that their organisation is more concerned about its reputation than cybersecurity itself.

“Cybercriminals have a clear financial incentive for their work and are rewarded for innovation and the sharing of information and workings,” said Daryush Ashjari, Intel Security APAC Vice President. “The price of cybercrime is reason enough to learn from the way cybercriminals work and introduce direct incentives for employees as well as increased transparency within businesses. In turn, this will help to increase responsiveness to cyber attacks and ensure that businesses are as nimble and agile as the criminals they seek to apprehend.”

“It’s easy to come up with a strategy, but execution is tough,” says Denise Zheng, director and senior fellow, technology policy program at CSIS. “How governments and companies address their misaligned incentives will dictate the effectiveness of their cybersecurity programs. It’s not a matter of ‘what’ needs to be done, but rather determining ‘why’ it’s not getting done, and ‘how’ to do it better.”

Other key global findings of the report include the following:

 - Non-executives are three times more likely than executives to view shortfalls in funding and staffing as causing problems for the implementation of their cybersecurity strategy

 - Even though incentives for cybersecurity professionals are lacking, 65 percent are personally motivated to strengthen their organisation's cybersecurity

 - Ninety-five percent of organisations have experienced effects of cybersecurity breaches, including disruption of operations, loss of IP, harm to reputation and company brand, among other effects. But only 32 percent report experiencing revenue or profit loss, which could lead to a false sense of security.

 - The government sector was the least likely to report having a fully-implemented cybersecurity strategy (38 percent). This sector also had a higher share of agencies with inadequate funding (58 percent) and staff (63 percent) than the private sector (33 percent and 43 percent).

The report also suggests ways that the defender community can learn from the attacker communities. These include:

 - Opting for security-as-a-service to counter the cybercrime-as-a-service model of the criminal market.

 - Using public disclosure.

 - Increasing transparency.

 - Lowering barriers to entry for the cyber talent pool.

 - Aligning performance incentives from senior leadership down to operators.

The good news, according to the report’s authors, is that most companies recognise the seriousness of the cybersecurity problem and are willing to address it. Organisations need more than tools to combat cyber attackers; experimentation is necessary to determine the right mix of metrics and incentives for each organisation as they approach cybersecurity through more than just a cost-conscious framework and become more innovative in their organisational structure and processes.

For more information about these findings and to view the full report, visit: www.mcafee.com/misaligned

Methodology

Intel commissioned independent technology market research specialist Vanson Bourne to undertake the research upon which this report is based. Intel surveyed more than 800 respondents from companies ranging in size from 500 employees to more than 5,000 across five major industry sectors, including Finance, Healthcare and the Public Sector. The survey targeted respondents with executive level responsibility for cybersecurity, as well as operators that have technical and implementation responsibilities for cybersecurity. Countries represented by respondents include the United States, United Kingdom, France, Germany, Brazil, Japan, Singapore, Australia, and Mexico.

About Intel Security

Intel Security, with its McAfee product line, is dedicated to making the digital world safer and more secure for everyone. Intel Security is a division of Intel Corporation. Learn more at www.intelsecurity.com.