Exploring Investment in Cybersecurity

Information safety graphic design



Cybersecurity has a prominent place on national and international policy agendas. The digital dependence in developed countries has led to a situation where security vulnerabilities and security incidents potentially come accompanied by serious consequences. With this in mind, the Netherlands Ministry of Security and Justice commissioned RAND Europe to investigate the cybersecurity investments that organisations in critical infrastructure sectors make.


The main question that the project sought to address was: On what basis, how, and to what extent do private companies and public organisations in the critical infrastructure sectors invest in cybersecurity?

The report also aims to answer a number of other fundamental questions which lay the groundwork for the contours of the cybersecurity landscape, including how cybersecurity is defined and operationalised. Furthermore, the study explores the threats faced by organisations within critical infrastructure sectors, which concerns the underlying reasons for organisations to invest in cyber security.


The study involved a total of 27 interviews with representatives of organisations in 12 critical infrastructure sectors and drew a number of important conclusions that may contribute to the ongoing cybersecurity debate.

  • The fear of reputational damage is perceived as the biggest threat to private companies and public organisations, which makes security incidents the largest incentive to take security measures.
  • Legislation takes advantage of the dynamic between the fear of reputation damage and the incentive introduced by incidents through obligating organisations to report incidents. By making incidents public or sharing them with third parties, legislation enhances the pressure to prevent incidents.
  • This potentially has negative consequences for society because it overemphasises prevention and underemphasises detection and response. Risk acceptance – or the realisation that incidents will take place – is an essential ingredient to invest in the whole security lifecycle, from prevention to response, with detection as an important intermediary component.
  • The reporting of incidents and the exchange of information should primarily be used to learn how to detect incidents more quickly and to improve detective measures with the objective of reducing damage.