Underinvestment in cyber security: Quantifying cyber security behavior in UK businesses

JOURNAL OF SMALL BUSINESS MANAGEMENT · 2025
Cited by: 1
Journal rankings: Renmin University of China (人大) A-ABS 3

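Summary

The paper proposes a framework that classifies businesses' cyber security investment behavior into five types and uses UK Government survey data from 2018–2024 to quantify the proportion of each type. It finds that procrastination and overconfidence are the main causes of underinvestment by small businesses, providing a basis for policy making.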

Abstract

Many businesses, particularly small businesses, are underinvesting in cyber security. This exposes them to the risk of costly cyber attack. To address the challenge of cyber security in small businesses a greater understanding is needed of why businesses are underinvesting. To address this challenge, we propose a novel framework to distinguish five behavioral types and quantify the proportion of businesses fitting each type. The types are overconfident, procrastinator, risk accepting, defer responsibility, and optimal. We apply our framework using data from the UK Government’s Cyber Security Breaches Survey from 2018–2024. We find that procrastination and overconfidence are the main reasons for underinvestment in cyber security in small businesses. We also find that small businesses with cyber insurance and/or cyber outsourcing are more likely to be classified as optimal. These results can inform policy interventions that better target the root cause of underinvestment in cyber security.

cyber security · business behavior · small businesses · policy intervention