Companies are increasing their spending on cybersecurity tools, but are not confident that these investments are actually making their infrastructure more secure.
The study, conducted by the US-based RAND corporation and sponsored by Juniper Networks, combined research with a heuristic economic model to map the major factors and decisions that influence the cost of cyber-risk to organisations.
The resulting report, titled The Defender's Dilemma: Charting a Course Toward Cybersecurity, is the second of a two-part series that looks into the economics of cybersecurity.
It is based on interviews conducted between October 2013 and August 2014 with chief information security officers (CISOs) on the current and emerging threat landscape.
Juniper Networks CISO Sherry Ryan said the security industry had struggled to understand the dynamics that influence the true cost of security risks to business.
"What's clear is that in order for organizations to turn the table on attackers, they need to orient their thinking and investments toward managing risks in addition to threats," she said.
RAND's model projected that the cost to businesses of managing cybersecurity risk will increase by 38 per cent over the next ten years.
Security teams need a way to help better understand the economics of managing security risk, the range of variables implicated, and what investments should be made to more efficiently protect infrastructures.
Juniper Networks claims there are several factors that companies should consider as they evolve their security postures.
Many security tools have a half-life and lose value over time. The firm said attackers are constantly developing countermeasures to new detection systems, such as sandboxing. This dynamic ultimately drives up the amount companies must spend on security technologies to maintain the same level of protection.
Secondly, it is unclear whether the Internet of Things (IoT) will have a positive or negative impact on overall security costs. If companies struggle with it, IoT would increase losses due to cyber attacks by 30 per cent over ten years.
Investing in the workforce saves costs over time. Organisations with high skill levels are able to curb the costs of managing security risk by 19 per cent in the first year and 28 per cent by the tenth year when compared to other organisations with low diligence.
Unsurprisingly, there is also no one-size-fits-all approach, with the report stating that companies may not be employing the optimal economic strategy with their investments.
The report stated that if the frequency of software vulnerabilities could be reduced by half, the overall cost of cybersecurity to companies would decrease by 25 per cent.