On Thursday, Microsoft released a new study entitled The Cybersecurity Risk Paradox. The new report focuses on specific ways that social and economic factors affect cybersecurity outcomes worldwide. It is a follow-up study that builds on the earlier learnings of a study released last year entitled Linking Cybersecurity Outcomes and Policies.
In Linking Cybersecurity Outcomes and Policies, we took malware infection data from our Microsoft Security Intelligence Report and compared it to international socioeconomic statistics in three categories – digital access, institutional stability and regime stability. We were then able to identify the key social, economic and technological factors critical to enhancing cybersecurity.
The Cybersecurity Risk Paradox
We decided to expand on last year’s findings by seeking to understand more about the linkage between changes in national development and cybersecurity over time, and particularly to explore how cybersecurity is changing in countries that are still developing technological capacities. Globally, we found that digital access, institutional stability and economic development were predictors of malware infection rates.
However, the model also revealed a paradox that stems from the modernization of information and communications technology. While increased Internet access and more mature technological development is correlated with improvement in cybersecurity at the global level, it has the opposite effect among countries with developing economies and lower levels of technological development. Specifically, we saw that as these countries increased their digital access, they experienced a rise in malware rates.
This suggests that countries with a developing level of technology usage may be unprepared to secure their technology infrastructure commensurate with the increase in citizen use of computer systems, which provides greater opportunity for malware to spread unchecked. These countries are typically less mature in their security capabilities for newly deployed technologies, which helps explain why regional malware infection-rate increases are observed as digital access increases.
The Tipping Point
However, there appears to be a certain level of technology maturity at which countries develop enough technological sophistication that they can curb the growth of malware, which we refer to as the tipping point. When a country crosses the tipping point, increased access ceases to encourage the growth of malware and begins to reduce it. Improving digital access after that point correlates with improved cybersecurity – the effect observed in more technologically mature countries.
Although the countries most in need of cybersecurity gains may experience early struggles in their digital journey, we found that they can eventually come to enjoy positive outcomes, including the innumerable benefits of greater ICT development.
We urge governments to consider policies that support continued growth in technology sophistication, access and security, and as a crucial first step, to adopt a national cybersecurity strategy. The conclusion of the paper features a set of policy recommendations, including the adoption of a national cybersecurity strategy.
I encourage you to read The Cybersecurity Risk Paradox. For a more in-depth look at the research, see my colleague Kevin Sullivan’s post here.