I see regular waves of articles and commentary that assert : “We are spending more and more on security but security incidents / breaches are still increasing!”
Is this actually true? Or is it the case that security incidents are in reality decreasing as a proportion of the potential incidents that could occur. Let's think about this.
First, I need to set a low expectation that I’m not going to prove anything here because I don’t have the data - that’s actually part of the problem and why the assertion that things are getting worse should be questioned, because there's insufficient data on that also. There is of course an abundance of increasingly useful data sets and analyses about incidents and breaches including the always great Verizon DBIR report. But, as you’ll see, even they aren’t enough to conclude if things are getting better or worse.
Let me posit that things may well be getting better at a macro level. This is by no means to say things are absolutely great. Security levels are immensely uneven: many organizations have recurring issues and, to paraphrase Brian Snow, many organizations do not have issues simply because of the sufferance of their attackers rather than because of great defenses. Some organizations have great defenses and resist much that is thrown at them. However, many simply get by on average because they surf the efficient frontier of good enough security for most situations in the context of attackers' motivation and economics - but that can change quickly against them.
Anyway, let’s unpack this:
Detected and publicized incidents are generally increasing. It is hard to determine fully whether that is because incidents are increasing or because we are better at detecting them and organizations are more compelled to disclose. But let’s make the reasonable assumption that the incident level, call that X, is in fact increasing.
But you can’t just look at incidents as an absolute number you have to look at this in the context of the attack surface over which there are potential for incidents. Call that Y. This is increasing dramatically as the world continues to digitize, as we become more societally dependent on the useful function provided in that attack surface, and as we contend with the growing scale of the technology that underpins that.
We also have to look at the number of threats that can play against that attack surface. Call that Z. This is increasing, although at some point we have to get better at distinguishing between cyber-attacks and other attacks (fraud etc.) that just happen to be electronically conducted because everything is digitized. In other words, at some point we have to start calling cyber-crime, well........crime.
So to truly know if things are getting better or worse you need to look at a ratio. First, for argument’s sake, say that the scope for incidents is a function of the vulnerable attack surface and the threats arrayed against that : F(Y, Z). For incident levels to be increasing we need to show X / F(Y, Z) is increasing. We’re in trouble if X is increasing faster than F(Y, Z) and there is hope if it is not.
Now here’s the leap, and yes this is very hand-wavy. I would say even without the data I would find it incredible if X were increasing faster than F(Y, Z). In other words if the rate of security incidents as a proportion of potential incidents (fueled by the planet's increasing scope of digital attack surface and the rising number and sophistication of threats) were indeed increasing we would, surely, be seeing massively higher numbers of incidents / breaches.
Now let’s check our assumptions and ask, if X is increasing slower than F(Y, Z) - our optimistic case - why is that so? Is that because:
Attackers don’t have the right economic construct to scale or actually benefit from attacks. Maybe there are, in fact, not enough attackers to exploit the available (vulnerable) attack surface. Are they not industrializing their processes? Is there not enough of them? Is there sufficient deterrence to thwart them scaling their operations? I think this may well be a big driver here, but if we can compel this dynamic by design [raising the cost for attackers] then it might not just be fortune that we can count this in our favor.
Are we under-reporting the number of actual security incidents? That is likely the case since inevitably not all incidents become disclosable breaches - but at the order of magnitude to invalidate our assumption?
Are our defenses [at a macro level] actually holding / improving? To know this we also need another piece of data, that is how many attacks are actually repulsed in aggregate and how intense were those attacks: from trivial attacks to determined planned adversary operations. Call this CPI, not Consumer Price Index, but Control Pressure Index. Like the other CPI we need to watch this carefully. To go with the analogy if we have an excess “inflation” rate then we are in trouble, but if it is increasing in manageable ways then we’re ok. If we are genuinely seeing “deflation” then we might want to be reducing controls and giving back some budget.
I wish I had more answers and data to know which levers to pull or dials to turn to tilt the game in our favor. I am, perhaps inevitably, short term pessimistic. However, I am long term optimistic in that I think that this ratio of security incidents will decrease, we will continue to degrade our attackers through various means, and we will continue to digitize but get better at exposing less vulnerable attack surface, and our CPI inflation will remain manageable.
Bottom line: we really have to move on from concluding too much from raw counts of security incidents / breaches - that is not the full story and it leads us to [perhaps] misguidedly conclude the situation is getting significantly worse. It’s like counting absolute fatalities due to transport safety issues without placing that in the context of passenger miles travelled.