Intel Security, in partnership with the Center for Strategic and International Studies (CSIS), has released a report into what it calls “misaligned incentives” that could benefit cyber attackers.
The report, titled ‘Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity’, reveals three categories of misaligned incentives: corporate structures versus the free flow of criminal enterprises; strategy versus implementation; and senior executives versus those in implementation roles.
It highlights the ways organisations can learn from cyber criminals to correct these misalignments.
The report was based on interviews and a global survey of 800 cybersecurity professionals. It outlines how cyber criminals have the advantage because they operate in a “fluid and dynamic marketplace”. Intel also revealed that so-called ‘defenders’ typically work in bureaucratic hierarchies, making it difficult for them to keep up.
The report also found additional misalignments within defenders’ organisations. For instance, while more than 90 per cent of organisations report having a cybersecurity strategy, fewer than half have fully implemented it.
Furthermore, 83 per cent said their organisations have been affected by cybersecurity breaches, which Intel said indicates “a disconnect between strategy and implementation”.
The report revealed that while cyber criminals have a direct incentive for their work, there are few incentives for cybersecurity professionals. It also found that executives are much more confident than operational staff about the effectiveness of the existing incentives.
For example, 42 per cent of those implementing cybersecurity measures report that no incentives exist, compared to only 18 per cent of decision-makers and eight per cent of organisation leaders.
Candace Worley, vice-president of enterprise solutions for Intel Security, said: “The cyber criminal market is primed for success by its very structure, which rapidly rewards innovation and promotes sharing of the best tools.
“For IT and cyber professionals in government and business to compete with attackers, they need to be as nimble and agile as the criminals they seek to apprehend, and provide incentives that IT staff value.”