Cyber-dependent crimes, such as hacking or distributing malicious software, are crimes that could not exist without computer technology and the Internet (McGuire & Dowling, 2013). Although the actual frequency of these crimes against individuals and organizations is still unknown, it is obvious that they are costly and disruptive to their victims and our larger society. Take for example the cyberattack on Colonial Pipeline on 29 April 2021. According to media reports, a group of hackers known as ‘DarkSide’ infiltrated the networks of Colonial Pipeline by exploiting a virtual private network account that was no longer in use at the time of the attack. A little over a week after the initial infiltration, a ransom note appeared on the company’s computers, demanding a cryptocurrency payment. The hackers had stolen nearly 100 gigabytes of data from Colonial Pipeline computers and threatened to leak it if the ransom wasn’t paid.
The employee who discovered the note notified an operations supervisor, who immediately began the process of shutting down the pipeline. Colonial Pipeline paid the hackers a US$4.4 million ransom shortly after the hack. However, they did not reopen their pipeline until their in-house security experts and a team of cybersecurity consultants were able to conclusively determine that the attack had been contained. This resulted in a sudden fuel shortage across the eastern half of the United States (Englund & Nakashima, 2021). This attack is only one of many ransomware attacks in the past few years: according to the Identity Theft Resource Center (2021), 18% of the 878 cyberattacks reported in 2020 were ransomware attacks. Reports from all around the globe document governmental and private organizations being held hostage by ransomware, and many agree to pay the ransom solely to avoid the cost of extended downtime of the organizations. The average ransom costs alone increased from US$115,123 in 2019 to US$312,493 in 2020 (Unit 42, 2021).
Other forms of cybercrime are equally disruptive. Verizon (2021) documented a total of 5,258 confirmed data breaches occurring in 16 different industries and four world regions, just in 2021. Many of these breaches resulted in damages to both the hacked companies and their customers. For example, the luxury department store chain Neiman Marcus disclosed in September 2021 that the personal information of 4.6 million of its customers was compromised during a 2020 data breach of the company’s servers. Some of the compromised information included customer names, addresses, contact information, usernames, and passwords for Neiman Marcus online accounts, and credit card numbers and expiration dates (Sharma, 2021). Hacked customer databases are often uploaded onto darknet platforms for online offenders to use in their ever-ongoing online fraud operations.
Meanwhile, Distributed Denial of Service (DDoS) attacks, spamming, and malware campaigns are constantly growing in both intensity and volume. Voice over IP (VoIP) providers are common victims of DDoS attacks. One major attack, on VoIP.ms, started on 16 September 2021, targeting their domain name system (DNS) name servers and other infrastructure to disrupt telephony services. This resulted in customers being unable to make or receive calls (McKeever, 2021).
In this climate of ever-evolving transnational crime, numerous cybersecurity companies offer a wide range of services to reduce individuals’ and organizations’ cybercrime risk. Starting with application and endpoint security solutions, going through network security tools, and ending in risk assessment and threat intelligence products, these cybersecurity companies promise to strengthen their customers’ cybersecurity infrastructure and reduce the probability of cybercrime victimization. A recent cost assessment by Proven Data reveals how pricey these services may get. For example, firewall protection (including product cost, installation fees, and monthly/yearly subscription) is expected to cost between US$1,500 and US$15,000, depending on the size of the client network and the client’s security needs.
For other services, most businesses pay US$3–$6 per user per month for quality email protection, between US$3 and $5 per user per month for basic antivirus on their workstations, and another US$5–$8 per server per month. The average cost for endpoint detection response ranges between US$5 and $8 per user per month and US$9–$18 per server per month, and the cost for two-factor authentication can be US$0–$10 per user per month. Finally, the cost for a vulnerability assessment ranges between US$1,500 and $6,000 for a network with 1–3 servers and between US$5,000 and $10,000 for a network with 5–8 servers, while the pricing for network monitoring can range between $100 and $500 per month for a small-sized network and US$500–$2,000 per month for a medium-sized network (Proven Data, 2021). Unfortunately, our knowledge regarding the effectiveness of these services and tools is limited. Therefore, it is impossible to tell how successful they are in preventing and mitigating cyberattacks. These circumstances led Anderson and Moore (2006) to describe cybersecurity as a ‘market for lemons.’
Akerlof (1970) coined the term ‘market for lemons’ to describe a market failure in which the quality of goods traded in a market is devalued in the presence of information asymmetry between buyers and sellers. In his classic example, Akerlof described a situation in which potential buyers of a used car have less information about the car than the seller does, simply because the seller knows the history of the car they are offering for sale. Under such market conditions, the buyer agrees to pay a fixed price that averages the price of a defective car (‘lemon’) and a good car (‘peach’). According to Akerlof, the quality of the cars traded in this market can degrade, leaving only lemons in the market. Sellers know whether the car they’re selling is a peach or a lemon, but selling the peaches at a lower rate (due to the lemon prices bringing the average down) would cause them to lose money. Thus, they will withdraw the peaches from the market. This reduces the average willingness-to-pay of buyers even further, drives prices down, and may even result in the collapse of the market.
A similar information asymmetry exists in the cybersecurity market, where cybersecurity consumers have less information about security products and services than cybersecurity vendors do. In fact, some vendors don’t even have enough information to defend the security products they sell. In this kind of market, consumers are not willing to pay high prices for cybersecurity products, so instead they ‘gamble’ on the security of their organizations with the deployment of cheaper products. If vendors of high-quality cybersecurity products cannot meet production costs for an average market size, they may exit the cybersecurity market altogether, leaving behind a market dominated by low-quality cybersecurity products.
One of the solutions for a market for lemons is changing the information asymmetry between consumers and vendors. For example, using Akerlof’s (1970) example of a used-car market, buyers can become more informed about the quality of the used car they are considering by hiring a mechanic who can inspect the car on their behalf. Such inspections will reduce the information asymmetry but may be costly in their own right. A similar change in the information asymmetry regarding the effectiveness of cybersecurity products and tools is desirable within the cybersecurity ecosystem. To drive this change, we propose using the evidence-based approach to guide practitioners’ and scholars’ efforts to generate empirical evidence around cybersecurity tools and policies. This book aims to explain the basic tenets of the evidence-based approach in cybersecurity and demonstrate its relevance for guiding consumers’ decisions before, during, and after they implement security technologies.
THE EVIDENCE-BASED APPROACH
The evidence-based approach establishes best practices and effective policymaking by moving beyond decision-makers’ political, financial, or social background, as well as their personal experience, when deciding which professional practices and policies to implement. Instead, this approach adopts tools and policies based on scientific findings. Scientific evidence should support the ongoing, methodical quest to differentiate between unsystematic ‘experiences’ or ‘common sense’ and systematic facts observed by testing research hypotheses using rigorous research designs.
Accordingly, rigorous scientific research designs including field experiments, longitudinal surveys, and observations should be deployed to generate evidence that could identify best practices and policies. In addition to strengthening the research process, a crucial component of the evidence-based approach is translating research findings into a format that is accessible and easy to digest for professionals in the field. The overarching goal of this approach is to give practitioners easy access to relevant scientific research, which in turn they can use to address problems and issues in their respective personal and organizational contexts.
The usefulness of the evidence-based approach has been demonstrated in a variety of fields and through numerous evaluative programs. Below, we discuss three poignant cases in which the implementation of evidence-based practices – in the fields of medicine, policing, and education – resulted in significant improvements in the human condition.
EVIDENCE-BASED MEDICINE
Polio was once one of the most feared diseases in the US. Also known as poliovirus or PV, polio is a disease resulting from lower motor neuron damage, characterized by flaccid paralysis (Baicus, 2012). Polio outbreaks became frequent and severe, especially in the US and Europe, at the beginning of the 20th century. By the late 1940s, the Centers for Disease Control and Prevention reported that polio was disabling an average of 35,000 people a year in the US alone (CDC, 2021). Most of the victims of this disease were children. Many parents were terrified for their children’s health and kept them isolated in fear that they would catch the disease.
A charitable organization founded in the late 1930s, the National Foundation for Infantile Paralysis (NFIP), took it upon itself to fund research with the aim of eradicating polio. Over a period of 20 years, the NFIP launched a massive information campaign and funded several attempts to develop a polio vaccine. However, it wasn’t until 1953 that Jonas Salk and his team revealed findings from a series of lab experiments they had performed – first with monkeys and later with a small group of children – that s...