Protecting against cyber attacks means tackling rational inattention
Cybersecurity, highlighted by recent attacks on the Co-op and Marks & Spencer, is not just a technical challenge but also a human and economic one, says Paul Ormerod
Cyber security has featured prominently in the media, following the attacks on the Co-op and Marks and Spencer.
The Co-op has recovered rather the better of the two. By taking their IT systems offline, they suffered more immediate damage, with empty shelves in many stores. But by so doing, they both prevented a ransomware attack and made the problem easier to remedy.
Their action prompted the criminals to complain, as old-fashioned burglars used to when breaking into coin-operated electricity meters and finding pennies filed down to resemble coins of a higher denomination. They accused the company of “torching shareholder value” – by preventing a ransomware attack!
Cyberattacks involve illegal activities. But otherwise it is an industry just like any other such as cars or televisions. It has firms which develop and supply products. It has business-to-business markets where bits of kit can be traded. It has business-to-consumer markets, although in this case the “consumers” such as Marks and Spencer are not exactly demanding its products.
A key feature of this industry is its rapid pace of innovation. At a basic level, simply reflect on how often your laptop or smartphone demands that updates be installed. Most of these are part of the ongoing evolutionary game which is played between the would-be attackers, and the defenders who want to prevent disruption to their systems.
But providing cyber security involves far more than being good at technological innovation, essential though this is.
Human motivations and incentives are also a key part of the defence against cyberattacks.
An important aspect of this is the phenomenon which economists describe as “rational inattention”. Even the smartest and most productive individual has limits to the bandwidth which he or she can deploy. Not everything can be given the same degree of attention.
Companies will often have many operating procedures in place. But staff may not follow them to the letter, discovering short cuts, especially when the chances of anything going wrong are perceived as being low.
Hackers move in where threats are perceived as less likely
For example, from the outset of the pandemic I thought it was wrong to dismiss the lab leak hypothesis. Three researchers from the Wuhan Institute, along with some American scientists, had published a paper in Nature Medicine, a very prestigious outlet, in 2015 with the title “A SARS-like cluster of circulating bat coronaviruses shows potential for human emergence”. Wuhan was working on the issue. A lab technician finds a short cut in the security process, which almost all the time is secure. Except the rare event happens and the virus escapes. All very plausible.
The same principle applies to cyber security. Staff rationally pay less attention to areas where threats are perceived as being very unlikely, and the hackers move in.
Rational inattention prevails in many boardrooms. The probability of a damaging attack is thought of as low, and so other items on the agenda consume the time and energy of the members.
More generally, from a national security perspective, the low level of priority given to security by the individual companies creates what is known as a “negative externality”.
Firms which underinvest in security do not bear the full costs of their actions. The Co-op itself suffered, for example, but so too did its many suppliers, who lost sales. The end result is that the level of security at the national level is lower than is desirable.
Externalities are a very familiar concept in policy making. On climate change, for example, the negative externalities of emissions has led to a whole raft of taxes and subsidies designed to offset them.
The government must start regarding cyber threats in the same way and come up with a policy package to enhance national security.
Paul Ormerod is an Honorary Professor at the Alliance Business School at the University of Manchester, an economist at Volterra Partners LLP, and author of Against the Grain: Insights of an Economic Contrarian, published by the IEA in conjunction with CityAM