Cyber Defence. How Much?

[Figure 1: image]

Figure 1 illustrates what exercises the readership of iTWire in the most recent week considered. Cybersecurity and “AI” are aggregated because, in the articles published, “AI” articles nearly always reference the “cybersecurity” construct. Articles on “AI” that explicitly do not have been excluded.

Why is cybersecurity (for this purpose, consider cybersecurity as the means to achieve cyber defence, the business function – the protection of company assets) worthy of such attention? Perhaps it is not, depending on your point of view: “Former Optus CEO lands top role at Australian Unity”.

Managing Cyber Defence

What is the appropriate response of an organisation to the risk of cyberattack? Simplistically categorised, possible approaches are as follows:

  1. Ignore or rationalise and tidy up the mess if the worst comes to the worst
  2. Do as little as possible given the regulatory framework in the jurisdictions of concern
  3. Proactively embed defences within the organisation at points of vulnerability with reference to the balance sheet of technological assets within the purview of the organisation.

The judgement to be made is whether the cost of the “mitigation” (e.g. insuring against or engineering out the risk) outweighs the cost of the clean-up (e.g. a provision for contingent expenditure on the balance sheet). Imperatives within the public sector and institutions may be expressed differently, but let us say they are of the same general form.

Number 1 is a good one

Alan Greenspan was of the belief that this was an appropriate response to “irrational exuberance” in the course of the dot.com bubble. Did this end well, ditto the GFC? (“The Subprime Solution”, Professor Robert Shiller ISBN 978-0-691-15632-3).

Sometimes the cost of mitigation will be so high, within the strict (if not reasonably interpreted) parameters of legislation such as the EU GDPR, that Number 2 will be out of reach even with a well-orchestrated Number 3 approach.

Number 2 will do

Consider the “Enforceable Undertaking” imposed by the OAIC against the Commonwealth Bank of Australia, a singular institution within the nation. It can be argued that compliance with the APA 1988 requires, as a prerequisite, secure data handling. It is unclear whether the CBA was negligent or ignorant of the consequences of this assertion viewed against the position of the regulator. Was it cheaper to fix up the mess, or to take a priori, as the language of the regulator makes clear, reasonable steps to protect the interests of the individual as manifested in their personal information?

Number 3 the place for me

Nothing can be taken for granted, let alone a presumption of 100% protection against cyberattack, given the continuously evolving ecosystem of actors within the domain.

How to spend the money? Even with the most diligent attention, existential threats are likely to emerge from the set of low-frequency, high-impact events that are often unconsidered or discounted (Nicholas Taleb’s “The Black Swan”).

Emerging constructs, such as “zero-trust”, “data-centric protection” and “AI”-informed protections, may offer the Chief Information Security Officer (“CISO”) an expanded portfolio of focused, granular and thus more efficient means of defence than previously available.

What do the Signals say?

Australian GDP for the 2024 to 2025 financial year is approximately AUD2.7 trillion per annum.

The Australian Signals Directorate (“ASD”) produces an annual commentary report on its activities; from this report 2024-2025:

“The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) responded to over 1,200 cybersecurity incidents – an 11% increase from last year. In FY2024–25, ASD’s ACSC received over 84,700 cybercrime reports – an average of one report every 6 minutes. For businesses, the average self-reported cost of cybercrime per report was up 50% overall ($80,850).”

A calculation from these reports suggests that the cost of cybercrime during the year was 84,700 * AUD80,850 = AUD6.8 billion, so say circa 0.26 percent of GDP.

AUD6.8 billion is quite a lot of money but not a particularly significant percentage of GDP. It may not be sufficient to cause a noticeable reduction in productivity growth. Paradoxically, the attention required for the protection of data assets may deliver value, tangible or unseen within the profile of information technology and other business costs.

Cyber Defence Budgets in Australia – What is known?

An estimate for the investment on cybersecurity in the Australian economy is AUD5 billion per annum, sourced from AustCyber. It has been asserted without a statement of evidence that this amount needs to increase to AUD10 billion.

“Australian business needs to find AUD10 billion per annum to meet Cyberattacks”.

The key question raised appears to be whether the known or unknown unknowns of “AI” technology adoption will drive increased cyberdefence expenditure in entities outside those focused on the development and deployment of information technology itself.

The total cost to the Australian economy of cyberdefence is therefore, at best as an estimate, around AUD10 billion (not including the suggested increase referenced above): the cost of crime remediation plus investment. This is circa 0.45 percent of Australian GDP in 2025. A rough-cut estimate is that cybersecurity constitutes 4-5 percent of Australian I.T. spending. This proportion might or might not change given the current wave of data centre infrastructure spending.

There are a number of questions left unanswered by the ASD report that might assist in determining the most effective future path of “I and E” on cyber defences:

  1. What is the existing “I and E” in cyberdefences in the economy by sector? How effective is this cost in the prevention of remedial expense in these sectors?
  2. What improvement – reduction in the cost of reported cybercrime – could be expected from increased “I and E” in cyberdefences? What is the relationship between these two variables? How best to deploy further investment? Idiomatically: is there any low-hanging fruit, any best bang for the buck?
  3. How can “I and E” be streamlined to meet current threats outside a provision for significant increases in the destructive efficiency of cyberattacks? How are these two concerns inter-woven?
  4. Who is doing Number 1, Number 2 and Number 3? In which sectors of the economy? In which sectors of the economy is cyberdefence a significant productivity friction?

In Conclusion

Cybersecurity appears to be a focus of strong interest in the iTWire community. It is possible to estimate the current overall “I and E” of cybersecurity and the cost of cyberattacks in the Australian economy with reasonable confidence, but more analysis is required to determine the efficacy of current expenditure and the most effective ways in which money can be spent in the future in the performance of cyberdefence.

The picture is complicated by the arrival of emerging technology categories of cybersecurity tools and of “AI” technology on both sides of the conflict.

In our next article, an approach is considered that can deliver an understanding of the efficacy of cyberdefence “I and E”, assist in the discussion of the domain across non-IT management disciplines and enable the informed deployment of new technology and methods in the protection of productive organisational assets.

Further reading:

Australian Signals Directorate Cyber Security Report 2024-2025

ABS GDP Statistics September Quarter 2025

ABS National Accounts 2024-2025 Key tables

CPG 235 Prudential Practice Guide, Managing Data Risk

http://itwire.com/opinion-and-analysis/cyber-defence-how-much.html