[FDE] Amateurs study cryptography; professionals study economics
Allen
netsecurity at sound-by-design.com
Thu May 15 12:57:23 MDT 2008
dan at geer.org wrote:
> Allen writes:
> -+-----------
> | > "More than $1 billion is spent annually by the private sector on cyber
> | > security," said Link, who is the United States representative on the
> | > United Nations Economic Commission for Europe where he evaluates
> | > innovation and competitiveness policies for the European Union. "That
> | > translates to $1,500 per employee. Many companies have no idea how to
> | > employ the usefulness of cyber security tools. There are no benchmarks
> | > for companies."
> |
> | Even being generous and say it is $1.5 billion. That means there
> | are only 100,000 employees in the private sector!
> |
> | I'd say the math is a bit whacked, wouldn't you?
> |
>
>
> Yeah, I saw that, too. I'll bet/guess it is a British
> "billion" (10^12) and not an American "billion" (10^9).
>
> Not that I believe the number in any case. My own figures
> say it is more like $200 and, thus, Gene Spafford remains
> correct that we spend more per capita on coffee than infosec.

Since Link went to University of Richmond for his BS in math and
his Ph.D. in economics from Tulane University, I would think he
is American most likely and using American terminology.

In any case, the lack of proper qualifiers makes it suspect. To
do a bit of math, the approximate number of workers in the US
private sector is 1.35*10^8. At ~$200/head that is $2.7*10^9.

I have no idea whether my anecdotal experience is accurate or
not, and I'm not sure what all is included when Link says,
"...cyber security," but based on my experience at one rather
large HMO with 160,000 employees, I would guess ~$2000 per
employee per year is closer to the mark, and is probably low
given the figures I have seen for encryption, FSSO, VM, IdM, IAM,
and measures taken around secure backup and storage of data.

But two factors must be considered, one is that it is health care
so the requirements may well be higher than the median; and the
other, offsetting this somewhat, is the notorious slowness to act
and parsimony of the health care industry.

Clearly the common plumbing company is not likely to have all
that great a burn rate for cyber security. Added to this is that
most business in the US is "small" (if I recall correctly over
85% of people work for small businesses - can't find a quick
reference on this) so that your figure of ~$200 may be a more
accurate reflection of money spent; however, given the large
number of companies attempting to create and sell products that
relate to cyber security I suspect it is too low.

In any case the figures given don't jibe and may be off by one or
more orders of magnitude.

Best,

Allen