The authors cited prior research showing worldwide spending on cyber-security is approaching $70 billion per year and growing at 10 to 15 percent annually but said that “it would be an understatement to say organizations are dissatisfied with their security.”
“Companies know what they spend on cyber-security, but quantifying what they save by preventing malicious attacks is much harder to tally,” said Lillian Ablon, a Rand researcher and co-author of the report.
“Cyber-security is a continual cycle of trying to eliminate weaknesses and out-think an attacker. Currently, the best that defenders can do is to make it expensive for the attackers in terms of money, time, resources and research.”
The researchers found that the effect of a cyber-attack on reputation, rather than direct costs, caused the most concern for chief information security officers.
The report, in coordination with Juniper Networks, said the cost of managing cyber-security is set to increase 38 percent over the next 10 years across all businesses, largely from investment in tools and training, and handling the use of personal devices such as smartphones which connect to corporate networks.
“One of the most challenging issues facing companies is the countermeasures attackers use to evade defenses,” the report said.
“Attackers are constantly developing countermeasures to new security technologies, which limits the relative effectiveness of those tools over time and requires companies to invest in new technologies to take their place.”
Shrouded in secrecy
The researchers said evaluating cyber-security is difficult because so much is shrouded in secrecy. Despite the wave of attacks that have become public in recent months, the methods used by hackers to infiltrate systems and countermeasures are often kept private.
The report noted that “cyber-security is a hard sell, especially to chief executives” but that there is now greater focus on security measures.
“Despite the pessimism in the field, we found that companies are paying a lot more attention to cyber-security than they were even five years ago,” said Martin Libicki, a co-author of the report.
“Companies that didn’t even have a chief information security officer five years ago have one now, and CEOs are more likely to listen to them.”