Market Incentives and Cybersecurity: Fixing the Broken System Before It Breaks Us

By Rajiv Shah and Debi Ashenden

Published 24 September 2025

Cybersecurity is not just an IT issue; it is a shared responsibility and an economic imperative. Only by ensuring resilience can we confidently adopt new technology and realize its benefits. The next horizon of the cyber security strategy would require a mix of incentives—including regulation, market forces and cultural change—to realize the objective of building a secure and resilient digital economy.

Is it possible to use the free market to drive the right incentives for organizations to appropriately prioritize cybersecurity? This was the subject of a recent discussion hosted by the University of New South Wales Institute for Cyber Security in partnership with MDR Security, bringing together leaders from government, industry and academia. Many of the discussions, held under Chatham House Rule, were relevant to the development of the 2023–2030 Australian Cyber Security Strategy’s second horizon, which aims to scale Australia’s cyber maturity across the economy. Market incentives can play a major part in developing two of the strategy’s priorities or ‘shields’: strong businesses and citizens, and safe technology.

Participants agreed that market incentives were important, but the approach needed to be tailored for different audiences. There are some encouraging examples of the use of market mechanisms in other industries. For example, producers of free-range eggs charge a premium for their product, and many customers will actively choose such products because of their perceived benefits.

The government can drive desired behavior in various ways. This could include defining voluntary standards to inform consumers—such as the labelling regulations currently under development for the Internet of Things—and ensuring that organizations maintain transparency and accountability with stakeholders around how well they are managing cybersecurity risk. Government agencies can also use their procurement rules to encourage specific standards and certifications, including assessments through the Infosec Registered Assessors Program for systems that handle government data, as well as Defense Industry Security Program membership for defense supply chain companies.

One of the proposals made during the discussion was to change Australian Stock Exchange listing rules to link bonuses for board members to cybersecurity outcomes. The Qantas board’s decision to reduce short-term incentives for executive members in the wake of a major cyberattack in June could provide a template for this model. The government could also consider how the tax system could be used to encourage certain behaviors through the use of targeted incentives and tax relief, among other measures.

Education was also seen as vital. Generic campaigns could not only teach consumers to ask the right questions but also create a societal expectation to maintain cybersecurity. The example of free-range eggs also shows us what social pressure can do. There is also a need for more focused guidance for different end-user communities to help them to make appropriate risk-based decisions around how they choose and engage with technology.