Cyber Security Explained Through Economics Models


The markets, the currencies, the exchange rates, the inflation, the economy, all can be explained through the SUPPLY and DEMAND curves.

More supply, price drops but it sells more; more demand though, price rises and it sells more too.

Blindly making/supplying more isn't smartest move. For people live in Melbourne and Sydney, think the over-supplied apartment market.

Obviously, more demand is the way to go - sell more@higher price.

Economy PQ.png


What's that got to do with cyber security (what have you been smoking)?

"Security is too slow", "security is the blocker", "security is @#@$%#" the list goes on and we security professionals are all too familiar with.


Because we know hackers don't give a duck about our "budget and time constraints", "interim solutions" and particularly love the "risk acceptances" with the risks inaccurately articulated.

So what do we do?

We do "Defence in depth", "least privilege", "segregation of duties", "approval workflows", the list goes on and we are also too familiar with.

All too often, we would just find ourselves in numerous Mexican standoff situations.

yao ming face.png

Do we have to?

May be not.

If we swap the supply and demand curves with Control & Process and Automation curves, we will land on the similar insight.

Instead of pushing the control curve, pushing the automation curve actually creates a win-win situation and brings the maturity to a new frontier. That is, given an adequate level of control & processes, it is automation that changes the game.


Want more?


Let's think how most of us do cloud security in AWS, Azure or GCP.

We create 3, 5, N-tier virtual networks with virtual NGFW, bootstrap N*security agents with all bells & whistles, and we are reluctant to accept any PaaS services that cannot be put in the virtual networks. Until the cloud looks just like our on-prem network, we then put the feet up and finally enjoy the coffee.

Nothing wrong with that. Only these should be given or merely the ticket to play, and we are far from putting the feet up.

The essence of real cloud security sits with IAM, Logging Monitoring Alerting and Auto-response.

Here comes similar diagrams and insights to back me up.

cloud sec.png


Hmm... not bad (stuff you've been smoking)!

Just to clarify, I am not suggesting to forget about your controls & process, perimeter and all that.

The assumption is that your organisation already has adequate maturities on controls, processes and network security 101 etc., and is constrained at the crossroad. That is, the BASE level on all diagrams. The next cyber security frontier is only realised through automation, IAM, logging monitoring alerting and auto-response.

If you are not at the "Base" yet, learn to walk steady first. At the same time, you will also want to uplift the "demand/red" curves, because they will prepare you for the a smooth walk-to-run transition and great velocity when you are ready to run.