Policy, Statistics, and Questions: Reflections on UK Cyber Security Disclosures

Empirical analysis within the field of information security economics is fraught with difficulty, primarily due to a lack of data. Over the last three years, the UK Government, through the Department for Business, Innovation & Skills (BIS), has taken a lead in the area of public disclosure on corporate cyber intrusions via their Information Security Breaches Survey. The recent development of the Cyber Essentials scheme by the same department presents a unique opportunity for reasonably correlated data to be analysed against public policy. We describe some initial steps in undertaking such an analysis by performing standard economics calculations on this data. Through the examination of three key questions that are central to the relationship between these documents, economic implications of the existing policy are highlighted against the reported threats. Somewhat inevitably, the results echo the well-worn ‘it depends’ answer to the question of cyber security expenditure need; nevertheless, in doing so, they do point out the dependencies. We aim to provide further insight into the method with a view to helping inform a range of stakeholders: policy-makers; those who make decisions with respect to data disclosures; and those looking to policy to help guide their investment in cyber security.