I was wondering recently (while reading the seemingly endless stream of press reports about data breaches) why more companies aren't reporting being victims of cyber attacks.
Sure, it can be a fairly painful and embarrassing confession to make in the short term, but if more people were made aware of how defenses can be breached and the potential impact of data loss, the incentive to do something about it would increase.
Not only that, but the markets and media would become more accustomed to such reports and stop announcing them like the outbreak of World War III. In the long term, everyone would benefit from the increased knowledge and the impact would potentially be lessened.
Then I remembered the volunteer's dilemma -- one of several scenarios described by a branch of mathematics called game theory.
In the volunteer's dilemma, every person faces the decision of either making a small sacrifice from which all may benefit or simply waiting for the others to volunteer. If no one volunteers, then everyone loses. If any one person elects to volunteer, then the rest may benefit by not having had to do so themselves.
However, according to the theory, the more organizations involved in the situation, the smaller the likelihood that any of them will volunteer. That's because they all want to reap the benefits from everyone else's selfless acts. It's a paradox.
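As an added worked example (not from the original post), the standard symmetric model of the volunteer's dilemma makes the scaling claim concrete: assuming every player receives `benefit` if at least one player volunteers and only the volunteer pays `cost`, the equilibrium probability that any one player volunteers falls as the group grows, while the chance that nobody volunteers at all rises towards `cost / benefit`.

```python
"""Symmetric mixed-strategy equilibrium of the volunteer's dilemma.

Model (standard formulation, assumed here): n players; if at least one
volunteers, everyone gets `benefit`; a volunteer additionally pays
`cost` (0 < cost < benefit); if nobody volunteers, everyone gets 0.
In the symmetric equilibrium each player volunteers with the same
probability p, chosen so that volunteering and abstaining pay equally:
    benefit - cost == benefit * (1 - (1 - p) ** (n - 1))
which solves to p = 1 - (cost / benefit) ** (1 / (n - 1)).
"""


def volunteer_probability(n, cost, benefit):
    """Equilibrium probability that one given player volunteers."""
    if n < 1 or not 0 < cost < benefit:
        raise ValueError("need n >= 1 and 0 < cost < benefit")
    if n == 1:
        return 1.0  # alone, volunteering strictly beats doing nothing
    return 1 - (cost / benefit) ** (1 / (n - 1))


def nobody_volunteers(n, cost, benefit):
    """Probability that no player volunteers, i.e. everyone loses."""
    p = volunteer_probability(n, cost, benefit)
    return (1 - p) ** n


def scan(group_sizes, cost, benefit):
    """Return (n, per-player probability, probability nobody acts) rows."""
    return [(n, volunteer_probability(n, cost, benefit),
             nobody_volunteers(n, cost, benefit)) for n in group_sizes]


if __name__ == "__main__":
    # Constructed illustrative payoffs: disclosure costs a quarter of the
    # benefit everyone draws from at least one organisation disclosing.
    for n, p, q in scan([1, 2, 5, 10, 50, 1000], cost=1.0, benefit=4.0):
        print(f"n={n:5d}  each volunteers with p={p:.3f}  nobody={q:.3f}")
```

The last row shows the limit: with 1000 organisations each one volunteers with near-zero probability and the chance that nobody does approaches 0.25.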
From our estimates of the cost of cyber crime in the UK (cost to business of approximately £21 billion per annum) and what we see in our cyber security work, we suspect that many organizations are under cyber attack. Targets of particular interest are those rich in valuable intellectual property and sensitive data. The volunteer's dilemma suggests that they're all waiting for someone else to fall on their proverbial sword.
Dilemmas, by their very nature, can be hard to get out of unless other options are presented. For instance, what would happen if companies were forced by legislation to report a breach? What if they could do it anonymously? What if companies came together to discuss breaches in an environment safe from reporting?
A small number of companies have recently decided to go public. There's a slim chance that they've seen the greater good and are just being altruistic, I guess. But perhaps they've found a different way of tackling the issue, which is strong enough to break the dilemma they're in. If that's the case, then maybe there's more we should all be doing -- companies and governments alike -- to create more options.