Navigating the cybersecurity labyrinth: Defining “reasonable” standards for businesses


The digital economy now accounts for over 10% of U.S. gross domestic product (GDP) and grew at an annual rate of 7.1% between 2017 and 2022, more than three times the growth rate of the rest of the economy, according to the Bureau of Economic Analysis. While the benefits of the expanding digital economy are often clear, the risks are sometimes hidden and hard to quantify, particularly those that arise from cybersecurity vulnerabilities and hacks.

Quantifying damages

The cost of cyberattacks has long been debated. A 2018 RAND report (Dreyer et al., 2018), for example, put the direct costs of cybercrime at between $275 billion and $6.6 trillion globally, with total costs of $799 billion to $22.5 trillion. Others have put the cost of the average attack at $1.1 million to $4.45 million. Estimates vary so markedly in part because most studies take one of two approaches: a survey-based approach, in which respondents are asked what a data breach cost them, which produces highly variable and often questionable numbers; or a stock market-based approach, in which returns are compared before and after a breach, which is also unreliable because the market often does not know how to react.

Recent research (Makridis, 2021) has found that the average-sized, publicly reported data breach has a positive effect on firm reputation, presumably because of the media attention and visibility that follows, whereas the largest breaches are associated with declines in reputation. The effect of a breach on an organization therefore depends on its context and scale and on the media coverage it receives. It also suggests that the stock market does not necessarily reflect the true social cost of a breach, whether because the damages are still ambiguous at the time of disclosure or because investors are inattentive.

To better understand the economic consequences of data breaches, Andreadis et al. (2023) draw on detailed longitudinal data on municipal bonds between January 2012 and December 2022 to study how yields among bonds issued in different counties within a given state evolve in response to local municipal data breaches. They find that there is a robust and economically meaningful effect of data breaches on offering yields that affect the cost of raising new capital and financing public expenditures. These effects are driven by media coverage and salience, highlighting how information about attacks plays a major role in explaining the economic aftermath. The municipal data overcomes many of the classic concerns with existing cost estimates because of the larger sample and greater variation in yields across municipalities.  

Best practices and “reasonable cybersecurity”

Experts generally recognize that cybersecurity threats cannot be completely eliminated, but adherence to best practices can substantially mitigate the risk.  

As threats continue to evolve, an important question persists: What constitutes “reasonable” cybersecurity? The answer shapes how an organization manages its risk, as well as the liability it faces from regulators and litigants. However, the absence of regulatory clarity has left it to the courts to craft an appropriate standard, which has its own costs and benefits.

The question of what constitutes “reasonable” cybersecurity is not just a matter of academic interest; it has substantial legal and policy implications. From a legislative standpoint, the concept of “reasonable” is challenging as it requires a balance between specificity—to provide clear guidance—and flexibility—to account for the fast-paced changes in the cyber realm. Legal precedents are equally ambiguous, with courts typically considering factors like financial resources and technological expertise but no standard definition to benchmark against. 

From a business perspective, “reasonable” is similarly perplexing. The wide array of state-level laws and industry norms creates a complex environment for organizations to navigate, and the same ambiguity appears in the major privacy regimes at home and abroad. For instance, both the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and the EU’s General Data Protection Regulation (GDPR) call for “reasonable” security, yet what is deemed “reasonable” varies greatly with interpretation and context.

We recently published an article in the Yale Journal of Law and Technology (Shackelford et al., 2022), which used data collected in collaboration with the state government of Indiana to define and help understand the concept of “reasonable” cybersecurity and examined its impacts on businesses, particularly small and medium-sized enterprises (SMEs). Drawing on 197 responses from organizations which we analyzed and related to the legal literature and precedent on reasonable cybersecurity, our study revealed some systematic differences in the security practices adopted by critical infrastructure organizations compared with non-critical infrastructure organizations. Furthermore, SMEs, compared to larger organizations, faced increased confusion and risks due to the uncertain nature of cybersecurity best practices. 

Figure 1. Cybersecurity practices: Critical vs. non-critical infrastructure

Figure 1 documents notable differences in cybersecurity practices between organizations considered part of the critical infrastructure and those not (Shackelford et al., 2022). Critical infrastructure organizations typically involve sectors that are vital to a nation’s functioning such as energy, transportation, healthcare, and finance. Disruptions to these sectors can have profound impacts on security, economic performance, public health, and safety. 

Critical infrastructure organizations are more likely to have robust cybersecurity practices in place, in part because of more stringent, sector-specific legal requirements such as HIPAA for healthcare and the Gramm-Leach-Bliley Act for finance. Notably, the adoption rate of leading frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the Center for Internet Security (CIS) Critical Security Controls was also considerably higher among critical infrastructure organizations. The NIST CSF is a high-level, outcome-oriented framework organized around core functions such as identify, protect, detect, respond and recover, and is primarily aimed at the private sector organizations that operate the vast majority of U.S. critical infrastructure, whereas the CIS Controls are a prioritized set of specific, prescriptive safeguards designed to mitigate the most common cyber threats.

Other user-friendly approaches are also gaining traction. The Center for Applied Cybersecurity Research at Indiana University has articulated a broader set of governing principles for information security practice, each framed as a question: comprehensiveness (Am I covering all the bases?), opportunity (Am I taking advantage of my environment?), rigor (What is correct behavior and how am I ensuring it?), minimization (Can this be a smaller target?), compartmentation (Is this made of distinct parts with limited interactions?), fault tolerance (What happens if this fails?), and proportionality (Is this worth it?). The Center is also mapping core security controls across the CIS Controls, the Trusted CI Framework, and the NIST CSF, and these mappings help promote a common set of operating procedures regardless of which framework an organization starts from.

The discrepancy in adoption between critical and non-critical infrastructure organizations might be attributed to the heavier regulatory requirements faced by the former organizations. Given the potentially devastating consequences of a cyberattack on critical infrastructure, companies in these sectors are often under greater scrutiny and regulatory oversight. However, Desai and Makridis (2022) argue that legal definitions of critical infrastructure are inadequate—indeed, many traditionally non-critical infrastructure organizations, namely those in professional services, also manage sensitive data and can face severe repercussions from cyberattacks, necessitating robust cybersecurity practices in these sectors as well. In this sense, we should think about critical infrastructure less as a time-invariant industry classification and more of a time-varying exposure that organizations have to vendors in their supply chain. 

Size matters: Cybersecurity practices in SMEs vs. larger organizations

The differences become even more pronounced when we compare cybersecurity practices between small and larger organizations. Despite facing many of the same threats, we found that SMEs lag their larger counterparts in adopting comprehensive cybersecurity practices.

Consider the adoption of cyber-risk insurance. Cyber-risk insurance has long been regarded as an integral component of how organizations of all sizes, in both the public and private sectors, should manage their cyber risk exposure, and insurers have been experimenting with cyber-risk policies for decades. Estimates by PwC indicate the market was worth more than $2.5 billion in 2020, with projections of $7.5 billion by 2030, a trend that could be reinforced by regulatory and technological developments along with the perception of spiraling losses to threats such as ransomware. Adoption has nonetheless been slow. Deloitte’s 2019 Middle Market Cyber Insurance Survey reported cost and coverage limits as the main deterrents to purchasing cyber risk insurance. These factors, particularly escalating premiums driven in part by the COVID-19 pandemic, along with confusion over the bounds of exclusions such as “acts of war” and “hostile acts,” were also apparent in our study. Nearly twice as many medium to large organizations reported having cyber risk insurance as small organizations.

Cyber risk insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. However, rising premiums, coupled with the complexity of some of these agreements, have raised barriers to purchasing insurance, especially among smaller organizations. So although smaller organizations exhibit lower demand for cyber insurance, the resulting lack of coverage nonetheless exposes SMEs to potentially devastating financial losses in the wake of a cyber incident.

Further, fewer SMEs reported having a designated person or team responsible for cybersecurity. This lack of dedicated resources and expertise can hamper an SME’s ability to detect and respond to cyber threats promptly, increasing their vulnerability. Moreover, SMEs tend to invest less in employee training and awareness programs, which are critical in minimizing human-related cyber risks. These results from our survey in Indiana are consistent with related literature, including Aldasoro et al. (2022) who show that larger firms tend to spend the greatest share of resources on combating cybersecurity threats. 

We have argued that these differences can be attributed to several factors. Limited financial and human resources are chief among them. SMEs often operate on tighter budgets, leading to cybersecurity being deprioritized in favor of more immediate operational costs. Additionally, the rapidly evolving nature of cyber threats and the perceived complexity of implementing cybersecurity measures can make it difficult for SMEs to know where to start. 

These findings highlight the urgent need for a more comprehensive approach to cybersecurity, especially among SMEs. The prevalence of digital technologies in business operations means that all businesses, regardless of size or sector, are potential targets for cyber-attacks. 

While there is no one-size-fits-all solution, it’s clear that we need to better support SMEs in their cybersecurity efforts. This support could take many forms, including educational initiatives, incentives for adopting best practices, or streamlined, affordable cybersecurity solutions designed specifically for small businesses. 

Establishing best practices

There is no silver bullet for removing cybersecurity risk: all non-trivial software contains vulnerabilities, and every organization is exposed to employees who may be baited by a phishing attack. But there are standards we can converge towards. The Australian Cyber Security Centre’s (ACSC) Essential Eight is a prioritized set of mitigation strategies drawn from the ACSC’s broader Strategies to Mitigate Cyber Security Incidents. It is recommended for all organizations as a baseline against the most common cyber threats, is mandated at a defined maturity level for Australian federal (non-corporate Commonwealth) government entities, and is among the frameworks Australian critical infrastructure operators can adopt to meet their risk management obligations.

The Essential Eight grew out of the ACSC’s earlier “Top Four” mandatory strategies for mitigating targeted intrusions (application control, patching applications, patching operating systems, and restricting administrative privileges), to which four further strategies were added to protect data and systems. Each maps to a concrete, checkable control:

  • Application control (often called application whitelisting): allow only approved executables, scripts and installers to run, typically identified by cryptographic hash, publisher certificate or path. Unapproved software, including malware that arrives by e-mail or download, is thereby prevented from executing.
  • Patch applications: apply vendor patches to applications promptly and within a defined window; the ACSC’s maturity model uses windows of 48 hours, two weeks or one month depending on how exposed the software is. Most successful intrusions exploit vulnerabilities for which a fix already exists.
  • Configure Microsoft Office macro settings: macros automate tasks in Office documents, but they are also a common malware delivery vector. Block macros in files received from the Internet and allow only vetted or signed macros for users who have a demonstrated need.
  • User application hardening: disable or remove features that attackers abuse and users rarely need, such as web browser plug-ins, Java in the browser, and advertisements, to minimize the application’s attack surface.
  • Restrict administrative privileges: grant administrative rights only to the users and processes that need them, revalidate that need regularly, and keep privileged accounts off e-mail and the web, so that a compromised ordinary account does not hand an attacker high-level access.
  • Patch operating systems: as with applications, apply OS patches promptly and replace operating systems that no longer receive security updates.
  • Multi-factor authentication: require a second factor, especially for remote access, privileged accounts and access to sensitive data, so that a stolen password alone no longer suffices.
  • Regular backups: back up important data, software and configuration on a schedule, keep the backups disconnected from the systems they protect so that ransomware cannot reach them, and test that they can actually be restored.
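As an added example (not code from the article or from the ACSC), the following Python script evaluates a constructed host inventory against the eight strategies above and reports which ones fail. The inventory record, version strings, hash allowlist and thresholds (a 14-day patch window, daily backups, no more than 10% of accounts with administrative rights) are assumptions chosen for illustration, not figures from the article or from the ACSC maturity model.

```python
"""Added example: score a constructed host inventory against the ACSC Essential
Eight strategies listed above. Illustrative code for this page, not ACSC tooling;
every record, version string and threshold below is a constructed assumption."""
import hashlib
from datetime import date, timedelta

# Application control: SHA-256 hashes of approved executables (constructed).
APPROVED_BINARIES = {
    hashlib.sha256(b"approved-office-suite-build").hexdigest(),
    hashlib.sha256(b"approved-browser-build").hexdigest(),
}
# "Latest available" versions as a patch feed would report them (constructed).
LATEST_VERSIONS = {"office": "16.0.17", "browser": "124.0", "os": "10.0.22631"}

MAX_PATCH_AGE_DAYS = 14    # assumption: patch within two weeks of release
MAX_BACKUP_AGE_DAYS = 1    # assumption: at least a daily backup
MAX_ADMIN_SHARE = 0.10     # assumption: at most 10% of accounts are admins
TODAY = date(2024, 6, 1)   # pinned so the example is deterministic


def parse_version(v: str) -> tuple:
    """'16.0.17' -> (16, 0, 17) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def binary_allowed(contents: bytes) -> bool:
    """Application control: only binaries on the hash allowlist may execute."""
    return hashlib.sha256(contents).hexdigest() in APPROVED_BINARIES


def evaluate_host(host: dict) -> dict:
    """Return {strategy_name: passed} for one host record (see SAMPLE_HOST)."""

    def patched(name: str) -> bool:
        # Up to date, or still inside the patch window for the newest release.
        if parse_version(host["app_versions"][name]) >= parse_version(LATEST_VERSIONS[name]):
            return True
        return (TODAY - host["patch_released"][name]).days <= MAX_PATCH_AGE_DAYS

    admin_share = host["admin_users"] / host["total_users"]
    backup_age = (TODAY - host["last_backup"]).days
    return {
        "application_control": all(binary_allowed(b) for b in host["running_binaries"]),
        "patch_applications": all(patched(n) for n in ("office", "browser")),
        "macros_restricted": host["macros"] in ("disabled", "signed_only"),
        "app_hardening": host["browser_hardened"],
        "restrict_admin": admin_share <= MAX_ADMIN_SHARE,
        "patch_os": patched("os"),
        "mfa": host["mfa_all_users"],
        "backups": backup_age <= MAX_BACKUP_AGE_DAYS and host["restore_tested"],
    }


def failing_strategies(host: dict) -> list:
    """Names of the Essential Eight strategies the host does not satisfy."""
    return [name for name, ok in evaluate_host(host).items() if not ok]


# Constructed sample: mostly compliant, but an unapproved binary is running,
# the OS patch is 40 days overdue, and 3 of 20 accounts are administrators.
SAMPLE_HOST = {
    "running_binaries": [b"approved-office-suite-build", b"unapproved-tool"],
    "app_versions": {"office": "16.0.17", "browser": "123.0", "os": "10.0.22000"},
    "patch_released": {"office": TODAY, "browser": TODAY - timedelta(days=3),
                       "os": TODAY - timedelta(days=40)},
    "macros": "signed_only",
    "browser_hardened": True,
    "admin_users": 3,
    "total_users": 20,
    "mfa_all_users": True,
    "last_backup": TODAY - timedelta(days=1),
    "restore_tested": True,
}

if __name__ == "__main__":
    for name, ok in evaluate_host(SAMPLE_HOST).items():
        print(f"{name:20s} {'PASS' if ok else 'FAIL'}")
```

Run directly, the script prints a PASS/FAIL line per strategy; the sample host fails application control, administrative privilege restriction and OS patching. In practice the inventory would come from an endpoint management or vulnerability scanner export and the allowlist from the application control policy itself, and the browser entry shows the deliberate nuance that being one version behind is acceptable while the patch window is still open.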

Implications for policy and practice

In March 2023, the Biden administration released a new National Cybersecurity Strategy that called on Congress to impose liability for “data losses and harm” stemming from software bugs and errors while arguing that “markets impose inadequate costs on—and often reward—those entities that introduce vulnerable products or services into our digital ecosystem.” 

There is some merit to this argument. After all, as discussed earlier, the costs of cyberattacks are large and far-reaching, with some estimates projecting losses of more than $10 trillion by 2025. Although the quantitative estimates vary widely, they still shine a light on the scale of the problem.

The situation we have found ourselves in is not by chance: We are experiencing a cybersecurity market failure given the extent to which such large costs have yet to significantly change decision-making. It’s notoriously difficult, for example, to use cost-benefit analysis to defend cybersecurity investment decisions due to the challenge of defining the avoided costs and the complexity of deciding where to put that next dollar of investment, i.e. into multi-factor authentication, encryption, an insurance policy, or cyber hygiene training for your employees.  

Imposing liability, as the Biden administration suggests, holds the promise of clarifying minds and the underlying math, at least for breaches that are the fault of the software developer. The power of liability to realign incentives is already on display in sectors that face it under sector-specific laws such as the Gramm-Leach-Bliley Act for financial services. For example, when a fraudulent charge appears on your credit card, you ultimately do not pay for it; your bank does. The financial industry therefore has a direct incentive to take the security of your information seriously, and it shows in its spending, which industry surveys put at an average of roughly $2,300 per employee. If banks did not bear that liability, the system would look very different.

Applied more broadly, the imposition of liability could address continuing cybersecurity challenges in a way that dramatically changes the calculation for businesses, moving them from a reactive to a proactive cybersecurity stance, with major implications for innovation and the cost of software. It is also an understandable reaction to Congress’s failure to impose liability on Internet platforms and social media firms back in the 1990s for the content hosted on their sites.

Educational initiatives aimed at improving cybersecurity practices amongst SMEs are another important step. A number of government agencies—including NIST, the Federal Trade Commission, and the U.S. Small Business Administration—publish cybersecurity information aimed at small businesses. However, there is still much to study about how small businesses consume and act on cybersecurity information, a critical step in encouraging stronger cybersecurity practices amongst these critical economic actors. Researchers should focus on identifying ways to ensure these educational resources reach and are used by their intended audience. Such information could inform policymakers on how to disseminate their educational initiatives most effectively to SMEs. Trade associations also have a role to play in the educational process by explaining to their members the best practices in managing cybersecurity risks. 

Policymaking efforts should acknowledge and address the observed disparities in cybersecurity practices between SMEs and larger organizations. Tailored interventions could include offering incentives through the tax code, as Maryland has done; providing technical and financial support; and fostering a better understanding of best practices among SMEs. Specifically, the Maryland Cybersecurity Investment Incentive Tax Credit (CIITC) offered a 33% tax credit on up to $250,000 of qualifying cybersecurity business investment; the program was later folded into a more general innovation investment tax credit.

Moreover, it is crucial to strike a balance when defining “reasonable” cybersecurity. A sliding-scale approach that weighs factors such as the sensitivity of the information involved and the criticality of the services provided, anchored by baseline requirements along the lines of the Essential Eight mitigation strategies, appears to be a practical way forward. Legislation such as Ohio’s safe harbor law, which gives businesses a choice of recognized cybersecurity frameworks to adopt in exchange for an affirmative defense in data breach litigation, could serve as a model for future legislative efforts. In particular, the law’s specificity, combined with the flexibility it gives covered entities, sets it apart from states that require a minimum standard of care without defining it in the legislation. Colorado law, for example, requires covered entities to take “reasonable steps to protect PII” but frames those requirements as general duties rather than technical requirements.

We found that confusion abounds regarding where to put the next dollar of cybersecurity investment, particularly among SMEs and local governments. A clear cybersecurity “floor,” perhaps starting with critical infrastructure providers and with basics enshrined in the Essential Eight such as multi-factor authentication, would go a long way toward clarifying this calculus. Indeed, the Biden administration itself has called on Congress to “define minimum expected cybersecurity practices or outcomes” for critical infrastructure providers.

But this is but a first step in navigating the labyrinth of cybersecurity policy. Our study uncovered a pressing need to help instill proactive cybersecurity measures and ensure that the essentials such as creating and updating incident response plans are widely practiced.  

Cyber risk insurance also continues to play an important role in cyber risk mitigation, but too many organizations, including local governments and nonprofits, cannot afford it. Those that can are confused by the terms, exclusions, and their options. Civil society, academia, and policymakers can lend a helping hand in this regard, such as by helping public sector entities better understand their cyber risk exposure and thus the insurance coverage they may need to mitigate it.  

In this digital age, the pursuit of “reasonable” cybersecurity is a complex but necessary endeavor. No single checklist or framework will get us there. But a combination of imposing liability on developers for buggy code and clarifying operational cybersecurity requirements for all critical infrastructure operators would help a great deal. After all, SMEs are particularly vulnerable and often struggle to understand and implement effective cybersecurity measures. By providing clear guidance, offering support, and incentivizing the adoption of strong cybersecurity practices, we can start to close the cybersecurity gap that currently exists. Policymakers, cybersecurity professionals, and business leaders alike have a shared responsibility to demystify cybersecurity.


References 

Aldasoro, I., Gambacorta, L., Giudici, P., and Leach, T. (2022). The drivers of cyber risk. Journal of Financial Stability, 60, 100989. https://doi.org/10.1016/j.jfs.2022.100989

Andreadis, L., Kalotychou, E., Louca, C., Lundblad, C., and Makridis, C. A. (2023). Cyberattacks, Media Coverage and Municipal Finance. SSRN working paper. http://dx.doi.org/10.2139/ssrn.4473545

Desai, D., and Makridis, C. A. (2022). Identifying Critical Infrastructure in a World with Network Cybersecurity Risk. Jurimetrics: The Journal of Law, Science, and Technology (winner of the Loevinger Prize). https://www.americanbar.org/digital-asset-abstract.html/content/dam/aba/publications/Jurimetrics/winter2022/identifying-critical-infrastructure-in-a-world-with-supply-chain-and-cross-sectoral-cybersecurity-risk.pdf

Dreyer, P., Jones, T., Klima, K., Oberholtzer, J., Strong, A., Welburn, J. W., and Winkelman, Z. (2018). Estimating the Global Cost of Cyber Risk. Research Report RR-2299-WFHF, RAND Corporation. https://www.rand.org/content/dam/rand/pubs/research_reports/RR2200/RR2299/RAND_RR2299.pdf

Makridis, C. A. (2021). Do data breaches damage reputation? Evidence from 45 companies between 2002 and 2018. Journal of Cybersecurity, 7(1), tyab021. https://doi.org/10.1093/cybsec/tyab021

Shackelford, S., Boustead, A., and Makridis, C. A. (2022). Defining “Reasonable” Cybersecurity: Evidence from the States. Yale Journal of Law and Technology, 25. https://yjolt.org/sites/default/files/shackelford_scott_et_al._-_reasonable_cybersecurity.86.pdf

Acknowledgements and disclosures

Shackelford is executive director of Indiana University’s Center for Applied Cybersecurity Research, which receives support from the Indiana Office of Technology to conduct cybersecurity assessments of local governments. The Indiana Office of Technology also helps to administer the Indiana Executive Council on Cybersecurity, which was a partner in the survey described here.

The authors did not receive financial support from any firm or person for this article or, other than the aforementioned, from any firm or person with a financial or political interest in this article. The authors are not currently an officer, director, or board member of any organization with a financial or political interest in this article.