Technically Private (technicallyprivate.substack.com)

Cause Evaluation: Cybersecurity

Roy Rinberg
Sep 5, 2021
I’m interested in doing a decently hard pivot with my life into the internet privacy (and security) space. Here, I explore, at a very high-level, the scope of the problems in these fields, in order to get a sense of an order-of-magnitude of the problems involved.

In this post, I am looking into: What scale of social impact would improvements to policies surrounding internet cybersecurity make? I will focus on security because the effects of security are more quantifiable and tangible; and I will save a more in-depth analysis of privacy for a later date.

Photo by FLY:D on Unsplash

Fast facts + context

  • The social cost per leaked PII record is around $150-180 (IBM data breach report).

  • Looking into just the Fintech market (from the IBM data breach report):

    • We can low-ball that there are 5,000 financial institutions in the US (Plaid).

    • Cyber attack stats:

      • Frequency of attacks: 2-4 per year

      • Likelihood that an attack succeeds: 5% - 15%

      • Estimated number of sensitive records in a database: 500,000 to 1M

      • Estimated share of those records that contain PII/PCI: 75 - 100%

  • “$4.24M is the average cost of a data breach.”

  • “High level of compliance failures [were] associated with breach costs $2.3 million higher than breach costs at organizations without this factor present.”

    • $2.3M against a $4.24M average is roughly half, so we can estimate that strong compliance decreases breach costs by ~50%.

  • Putting these numbers in context, current spend on cybersecurity products:

    • Gartner forecast the cybersecurity market at $124 billion for 2019, growing to $170.4 billion in 2022.

    • “By 2020, we expect IT analysts covering cybersecurity will be predicting five-year spending forecasts (to 2025)” (Cybersecurity Ventures).

    • U.S. Government spending on cybersecurity: the 2019 U.S. President’s budget includes $15 billion for cybersecurity, a $583.4 million (4.1 percent) increase over 2018. The Department of Defense (DoD) was the largest contributor to that figure, reporting $8.5 billion in cybersecurity funding for 2019, a $340 million (4.2 percent) increase over 2018.

Estimate of potential benefits from improved cybersecurity regulation and compliance

  • Just for the financial sector:

    • The low-ball estimate of annual costs attributable to insufficient cybersecurity compliance and regulation takes the low end of each range above:

      • 2 attacks/yr × 5% success × 500k records × 75% PII × $180/record ≈ $6.75M per institution per year

    • Social cost for Fintech: low-ball ~$30 billion/yr ($6.75M × 5,000 institutions ≈ $34B). A mid-level estimate that instead takes the upper end of each per-institution range (4 × 15% × 1M × 100% × $180 ≈ $108M per institution), while still counting only 5,000 institutions, is about $500 billion/yr.

      • A 50% reduction would therefore be worth ~30/2 to ~500/2, i.e. ~$15 to ~$250 billion/yr.

      • Even capturing only 10% of that reduction would be worth $1.5 to $25 billion/yr.

  • Additionally, there are 16 other industries (public sector, media, ...). Multiplying that last range by 17 gives roughly $25 to $425 billion per year.

  • And on top of this, security and privacy have downstream effects like healthier democratic processes (e.g. weaker monopolies and more robust elections).

Evidence that cybersecurity is still relatively neglected

  • Market-based argument: cybersecurity has a 0% unemployment rate (link).

  • Software positions for security experts routinely go unfilled.

  • Breaches like Equifax (2017) and SolarWinds (2020) keep occurring.

  • The cybersecurity market is forecast at around $170.4 billion in 2022, which is less than the estimate above of the social benefit of merely improving compliance.

  • Right now we have a dearth of technical people in policy making (Bridging the Gap).

How effective could policy changes be?

  • Congress is relatively immobile, and the US court system is strongly precedent-based, so the laws passed and cases decided now will shape future law for a long time.

  • There is strong momentum now, with many laws and court cases in progress (36 states and D.C. suing Google; the Executive Order on Improving the Nation’s Cybersecurity; CCPA; Virginia’s comprehensive privacy bill).

What can people and organizations do?

  • Some of the best advice right now is simply to “bridge the gap” so that better-informed policies get written. Philanthropic organizations like OpenPhil can fund getting tech people and policy people talking with one another.

  • Organizations like OpenPhil can put more resources into programs like its new tech policy fellows program.

    • See my post on Better Hedges (in Public Interest-Technology)

  • Organizations like OpenPhil can give grants to individuals and other organizations to produce better standards for security and privacy.

  • Organizations like 80,000 hours can support getting tech people working in government, at places like CISA.

  • I also think that there is room for the creation of an entirely new organization to get tech people to directly consult for policy people.

  • CISA, 18F, the USDS, and CSET are relatively new organizations that have had a really strong, positive impact on the government. New organizations set up along similar lines are one potential direction (though this is more of a thought exercise than anything else). As a rough cost estimate:

    • We can estimate the average US tech employee salary at $200k. With 10 employees allocated to each of the 50 states plus 50 federal-level employees, that is 550 employees × $200k ≈ $110 million per year.

    • And this is a dramatically larger number than is really needed: about 180 employees work at the USDS, which has quickly garnered respect in the tech industry and had a positive impact on the US government.

    • I’d guess that a moderate systemic change could be created with only 2 employees per state and 10 at the federal level (110 employees × $200k ≈ $22 million per year).
