The Economy Behind Cybersecurity
The fight against cybercrime needs a comprehensive approach. Given that technical measures alone cannot prevent any crime, it is critical that law enforcement agencies investigate and prosecute cybercrime effectively.
Cyber-attacks such as WannaCry and NotPetya affected thousands of computers, disrupting businesses and public institutions around the world. Investigation of cybercrimes often has an international dimension, and it is an arduous task to identify and catch the culprits. However, the existing international cooperation on cybercrime is fragmented, which complicates investigations and risks leaving the perpetrators at large.
In most cybercrimes, whether economic fraud, data breaches or identity theft, the chances of perpetrators getting caught are infinitesimal. Hence cybercrime becomes a less risky and more lucrative business, which keeps cybercriminals motivated to continue their attacks. This leaves organizations and companies with no option other than investing more and more in securing their data and trying to build comprehensive solutions to prevent hackers from attacking their networks. IT budgets are shrinking, but security budgets are going up. There are now security departments under a CSO or a risk officer, which are being allocated large budgets. Studies say global spending on information security products and services will surpass $114 Bn in 2018, an increase of 12.4% from last year.
Why prevention is no longer enough for cybersecurity
Technology solutions alone are simply not enough to stop pervasive threats. A holistic approach to cybersecurity is necessary to effectively tackle cyber threats. Organisations, in any nation, that operate solely on the belief that security starts and ends with a set of purchased security technology tools are still leaving themselves vulnerable to threats and attacks. If the cybersecurity program of a country deals only with technology and does not address elements like organization, culture, the human factor and legal measures, it cannot effectively address cybersecurity. The holistic approach to cybersecurity mainly contains three aspects: (a) building robust cyber secure infrastructure, (b) addressing human dimensions of cybersecurity and (c) legal measures to nail cybercriminals. (Refer to the above flowchart.)
- Building robust cyber secure infrastructure
Recently, there has been a huge rise in the volume and sophistication of cyber threats. To be able to combat the growing threat landscape, organizations must have a robust cybersecurity framework to ensure that they are adequately protected from cyber-attacks. Cyber-attacks have a direct effect on security spend. A large portion of security spending is driven by an organisation's reaction to security breaches, as more high-profile cyber-attacks and data breaches affect organisations worldwide. Investment in cybersecurity is the need of the hour, but the bigger question is: “Can you have the assurance of 100% safety from cyber attacks after building a robust infrastructure?” The answer is a big “NO”.
No matter how robust the immune system, individuals will fall sick at some point and will have to be taken to hospitals.
- Human dimensions of cybersecurity
Research studies show 90% of all cyber attacks stemmed from some type of human error or behaviour. People are the weakest link in the cybersecurity chain. The Information Commissioner’s Office, United Kingdom, reported that 93% of incidents it investigated in Q4 of 2016-17 were caused by human error. The ‘people’ factor, which is the most critical element in building a strong defence, is often ignored.
Over the course of the last few years, it’s been hugely gratifying to see interest in the human side of cybersecurity grow. The focus on awareness of cybersecurity issues is probably higher than ever, but we are not seeing much progress when it comes to changing behaviours. Although we recognize how difficult it is to make progress with the human side of cybersecurity, it often seems that expertise in human factors is still not valued by the industry as highly as technical expertise.
If any organisation thinks that just giving short-term training to employees on disciplined online behaviour will take care of human dimensions and errors, it is grossly mistaken. The cybersecurity concept and online behaviour should become part of socialisation and be adopted as culture, right from an early age.
- Legal infrastructure to nail cybercriminals
For cybercriminals, the idiom "crime doesn't pay" is laughable. Internet crime is worse than ever, and the reasons are clear: it's highly lucrative and far less risky than old-fashioned traditional crimes. Commit a traditional crime and you have a high chance of landing in jail, but steal someone's identity and your odds of being caught are almost infinitesimal. This is not to blame any law enforcement agency; discovering and prosecuting cybercrimes is possibly harder than any other area of law enforcement. Rules of evidence requirements, as well as cross-national boundaries, make Internet crime especially difficult to track and prosecute.
Difficulties in prosecuting cybercriminals
- One of the greatest impediments to reducing cybercrimes is the anonymous nature of the identity of cybercriminals. There is no easy means of identifying who is doing what and where a user of the Internet is situated at any point in time.
- Cybercrimes have only one jurisdiction, that is, the entire world; as a result, the extant laws and policies, which are fragmented, national, regional or quasi-international, cannot possibly cope with the problems engendered by cybercrimes. Cybercrime laws will continue to suffer from enforcement challenges.
- The enforcement of cybercrime laws has largely been hampered by inadequate legislation and, where there are extant laws in place for cybercrimes, by the ineffectiveness of those laws. Statistics suggest that less than 40% of countries in the world have laws forbidding cybercrime.
- Cybercrimes are borderless, transnational and international crimes committed in cyberspace, but the majority of the laws and policies dealing with cybercrimes to date are either national or regional.
- The nature of evidence and its collection is the biggest challenge in the enforcement of cybercrime laws, wherever across the globe attempts are made.
The absence of a global consensus on the types of conduct that constitute a cybercrime; the absence of a global consensus on the legal definition of criminal conduct; the inadequacy of legal powers for investigation and access to computer systems, including the inapplicability of seizure powers to computerized data; the lack of uniformity between the different national procedural laws concerning the investigation of cybercrimes; the lack of extradition and mutual legal assistance treaties and of synchronized law enforcement mechanisms that would permit international cooperation in cybercrime investigations; and, last but not least, geopolitics will never allow cybercriminals to be brought to justice.
In most organisations, the areas of investment (refer to the red circle in the flowchart) are mainly focused on technology solutions (building robust infrastructure) and a little on the human dimensions of cybersecurity. Nobody is seriously addressing the need to build international legal infrastructure and cooperation, with a strong enforcement mechanism to nail cybercriminals.
If the international community is not coming to a consensus on legal measures to deter cybercriminals, can’t we say that the cyber-attacks, data breaches, and other online crimes are part of a design meant only to sell products and boost the business called “CYBERSECURITY”?
K Sanjay Kumar, an IPS officer of 2005 batch, Kerala cadre, is a socially conscious cop, a well-known cyber expert, and an author of the must-read book “IS YOUR CHILD SAFE?”...
[The opinions expressed in this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of LiveLaw and LiveLaw does not assume any responsibility or liability for the same]