Executive Summary
Global cybercrime costs are projected to reach $10.5 trillion annually by 2025, according to Cybersecurity Ventures — surpassing the GDP of every country except the United States and China. Despite rapidly escalating threat levels, cybersecurity investment remains systematically insufficient. The World Economic Forum's Global Cybersecurity Outlook 2025 reports that 90% of cyber leaders believe the current cyber risk ecosystem is "significantly inequitable," with small and medium enterprises, developing economies, and critical infrastructure operators bearing disproportionate risk relative to their defensive capabilities.
This working paper analyses cybersecurity through the lens of collective action theory and public goods economics. We argue that cybersecurity exhibits the characteristics of a public good with significant positive externalities: one organisation's security investment benefits all interconnected entities by reducing the attack surface available to threat actors. However, because these benefits are non-excludable (all connected entities benefit) and non-rival (one organisation's security does not diminish another's), the classic free-rider problem produces systematic underinvestment. Furthermore, the interconnected nature of digital infrastructure means that overall system security is often determined by the weakest link — the least-secured component in a connected network — creating a "weakest-link" public goods game where the incentives for strong security investment are further undermined.
We estimate that the global cybersecurity investment gap — the difference between actual spending and the socially optimal level — stands at approximately $150–200 billion annually. Closing this gap requires institutional mechanisms that internalise cybersecurity externalities, address the weakest-link problem, and facilitate international cooperation in an inherently borderless threat environment.
Cybersecurity as a Public Good: The Economic Framework
The economic theory of public goods, formalised by Samuelson (1954) and extended by Olson (1965) in his analysis of collective action, provides the foundational framework for understanding cybersecurity underinvestment. A good is "public" when it is non-excludable (individuals cannot be prevented from benefiting) and non-rival (one person's consumption does not reduce availability to others). Pure cybersecurity — the state of being secure from cyber threats — exhibits both properties within interconnected networks.
Consider a supply chain network of N firms. When Firm A invests in cybersecurity, it reduces the probability that A becomes a vector for attacks on Firms B, C, and D through shared network connections, software dependencies, or data exchanges. The security benefits flow to all connected firms regardless of their own investment. This positive externality means that the private return to cybersecurity investment (benefits to Firm A) is less than the social return (benefits to all connected firms), leading Firm A to invest below the socially optimal level.
The underinvestment problem is quantitatively significant. IBM's Cost of a Data Breach Report 2025 estimates the average cost of a data breach at $4.88 million, with supply chain attacks costing 14% more than average. However, a substantial portion of breach costs is borne by parties other than the breached organisation: customers whose data is compromised, business partners whose operations are disrupted, and the broader digital ecosystem through reduced trust. Anderson and Moore (2006) estimate that these external costs represent 40–60% of total breach impact — costs that the breached organisation does not internalise in its security investment decisions.
The Weakest-Link Problem: System Security and Its Determinants
Cybersecurity differs from many public goods in a crucial respect: the security of an interconnected system is often determined not by the average or total security investment but by the minimum — the weakest link. Hirshleifer (1983) characterised this as a "weakest-link" public goods game, where the payoff to all players is determined by the minimum contribution.
The weakest-link dynamic is pervasive in cybersecurity. The 2020 SolarWinds attack exploited a single compromised software update mechanism to infiltrate over 18,000 organisations, including US federal agencies and Fortune 500 companies. The 2021 Colonial Pipeline ransomware attack, which disrupted fuel supply across the US East Coast, exploited a single compromised VPN credential. The 2023 MOVEit vulnerability affected over 2,600 organisations through a single file transfer application. In each case, the security of the entire system was determined by its weakest component.
The weakest-link game produces distinctive equilibrium properties. Unlike "best-shot" public goods (where only the highest contributor matters), weakest-link games have multiple Nash equilibria — any symmetric contribution level is an equilibrium. However, risk aversion and uncertainty about others' contribution levels tend to push the equilibrium toward lower contribution levels: if any player might contribute less, the returns to investing more are diminished. This "coordination failure" is compounded in cybersecurity by the difficulty of observing others' actual security posture — a severe information asymmetry.
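The equilibrium properties described above can be checked numerically. The following script is an added illustration, not part of this paper or of Hirshleifer's analysis: it assumes a linear payoff in which system security equals the minimum investment level across firms, each firm pays a constant unit cost per level, and the parameter values (benefit 3 per level, unit cost 1, levels 0 to 4, three firms) are chosen for illustration only.

```python
"""Weakest-link security game: symmetric Nash equilibria and coordination failure.

Added example with assumed, constructed parameters. Each firm i chooses a security
level c_i; the system's security is min(c), so payoff_i = benefit * min(c) - unit_cost * c_i.
"""
from typing import List, Sequence, Tuple


def payoff(levels: Sequence[int], player: int, benefit: float, unit_cost: float) -> float:
    # System security is set by the least-secured firm (the weakest link).
    return benefit * min(levels) - unit_cost * levels[player]


def is_nash(levels: Sequence[int], benefit: float, unit_cost: float, max_level: int) -> bool:
    # A profile is a Nash equilibrium if no single firm gains by changing its own level.
    for i in range(len(levels)):
        current = payoff(levels, i, benefit, unit_cost)
        for alt in range(max_level + 1):
            if alt == levels[i]:
                continue
            deviated = list(levels)
            deviated[i] = alt
            if payoff(deviated, i, benefit, unit_cost) > current + 1e-12:
                return False
    return True


def symmetric_equilibria(n: int, benefit: float, unit_cost: float, max_level: int) -> List[int]:
    # With benefit > unit_cost every symmetric profile is an equilibrium: raising one's own
    # level alone adds cost without raising the minimum, lowering it lowers the minimum.
    return [c for c in range(max_level + 1) if is_nash([c] * n, benefit, unit_cost, max_level)]


def best_response_under_uncertainty(others_min: List[Tuple[float, int]], benefit: float,
                                    unit_cost: float, max_level: int) -> int:
    # others_min: constructed belief as (probability, minimum level of the other firms).
    # Returns the lowest level maximising expected payoff; a likely weak partner pulls it down.
    best_level, best_value = 0, float("-inf")
    for c in range(max_level + 1):
        expected = sum(p * benefit * min(c, m) for p, m in others_min) - unit_cost * c
        if expected > best_value + 1e-12:
            best_level, best_value = c, expected
    return best_level


if __name__ == "__main__":
    print("symmetric equilibria:", symmetric_equilibria(3, 3.0, 1.0, 4))
    for q in (0.2, 0.8):  # probability that some partner is stuck at level 1
        belief = [(1 - q, 4), (q, 1)]
        print(f"P(weak partner)={q}: best response", best_response_under_uncertainty(belief, 3.0, 1.0, 4))
```

With these parameters the best response drops from level 4 to level 1 once the believed probability of a weak partner exceeds 2/3, which is the coordination failure the paragraph describes.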
International Dimensions: Cyber Risk as a Transnational Challenge
The borderless nature of cyber threats adds a geopolitical dimension to the collective action problem. Cyber threat actors — state-sponsored groups, criminal enterprises, and hacktivists — operate across jurisdictions, exploiting the gap between the global nature of cyberspace and the territorial nature of law enforcement and regulatory authority. ENISA's Threat Landscape 2025 identifies state-sponsored actors as responsible for approximately 25% of significant cyber incidents, with criminal ransomware groups accounting for a further 35%.
International cooperation on cybersecurity faces the additional challenge that some states simultaneously seek to defend their own infrastructure while developing offensive cyber capabilities — a dual-use dynamic that complicates cooperative frameworks. The UN Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG) on cybersecurity have established norms of responsible state behaviour in cyberspace, but these norms lack enforcement mechanisms. The Budapest Convention on Cybercrime, while providing a framework for international law enforcement cooperation, has been ratified by only 68 states and faces criticism for insufficient participation by major cyber powers.
The asymmetry between offence and defence in cyberspace further compounds the collective action problem. The World Economic Forum estimates that the global ratio of cybersecurity spending to cybercrime losses is approximately 1:6 — defenders spend roughly $1 for every $6 of damage inflicted. This asymmetry means that even substantial increases in defensive investment may be insufficient without complementary measures addressing the offence-defence balance, including international norms, deterrence mechanisms, and disruption of criminal infrastructure.
Market Failures and Institutional Responses
Several market failures beyond the public goods problem contribute to cybersecurity underinvestment:
Information asymmetry: Organisations cannot accurately assess the cybersecurity posture of their suppliers, partners, and service providers. This prevents market mechanisms from rewarding good security practices or penalising poor ones. The cyber insurance market, which theoretically could price and incentivise security, remains immature: Swiss Re estimates that only 5–10% of global cyber losses are insured, and insurers face severe adverse selection and moral hazard problems due to information asymmetry.
Negative externalities of insecurity: Compromised systems impose costs on others through botnet participation, spam relay, data breach cascading, and supply chain attack propagation. These negative externalities are not priced in market transactions, leading to socially excessive risk-taking.
Coordination failures in vulnerability disclosure: The socially optimal policy for newly discovered vulnerabilities — immediate disclosure enabling patching — conflicts with the private incentives of vulnerability discoverers (who may profit from exploitation or sale) and affected vendors (who prefer delayed disclosure to manage reputational impact).
Institutional responses to these market failures are emerging but remain insufficient. Mandatory breach notification laws (now enacted in over 100 jurisdictions) address information asymmetry by forcing disclosure of security failures. Sector-specific cybersecurity regulations — the EU's NIS2 Directive, the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), and similar frameworks — establish minimum security standards for critical infrastructure operators. However, these regulations are jurisdictionally fragmented, creating compliance complexity and gaps in coverage.
Policy Recommendations: Mechanisms for Collective Cybersecurity
Drawing on public goods theory, weakest-link game analysis, and international cooperation theory, we propose five complementary policy mechanisms:
1. Cybersecurity Liability Reform. Current legal frameworks generally do not hold software vendors and service providers liable for security vulnerabilities in their products. Introducing graduated liability — proportional to the severity of known, unpatched vulnerabilities — would internalise the externalities of insecure software. The EU's Cyber Resilience Act (2024) takes initial steps in this direction by establishing security requirements for products with digital elements.
2. International Cyber Capacity Building Fund. A multilateral fund, modelled on the Global Fund to Fight AIDS, Tuberculosis and Malaria, providing technical assistance and financing for cybersecurity capacity building in developing economies and small enterprises. This directly addresses the weakest-link problem by raising the security floor. We estimate that $10–15 billion annually in capacity building could reduce global cyber losses by $50–75 billion — a 4–5x return on investment.
3. Mandatory Cybersecurity Standards for Critical Infrastructure. Harmonised, binding cybersecurity standards for critical infrastructure operators across jurisdictions, building on the NIST Cybersecurity Framework, IEC 62443, and ISO 27001. Cross-border mutual recognition of compliance assessments would reduce regulatory fragmentation while maintaining security baselines.
4. Threat Intelligence Sharing Platforms. Government-facilitated platforms for sharing threat intelligence across sectors and borders, overcoming the collective action problem in information sharing. Existing initiatives — the US CISA's Joint Cyber Defense Collaborative, the EU's CSIRT Network, and the Five Eyes' cyber collaboration — demonstrate the value but need expansion to include more jurisdictions and private sector participants.
5. Cyber Insurance Market Development. Regulatory frameworks supporting the maturation of cyber insurance markets — including standardised risk assessment methodologies, actuarial data sharing, and government backstop mechanisms for catastrophic cyber events — would leverage market mechanisms to incentivise security investment while providing financial resilience against residual risk.
Implications for GDEF's Technology & Transformation Working Group
Cybersecurity is the foundational enabler — and potential disabler — of the digital economy. The collective action challenges identified in this paper require multilateral institutional solutions that match the global scale of cyber threats. GDEF's Technology & Transformation Working Group will develop a Global Cybersecurity Cooperation Framework, building on the mechanisms proposed here, for presentation at the 2026 Annual Summit.
References & Sources
- World Economic Forum, Global Cybersecurity Outlook 2025. WEF Centre for Cybersecurity. weforum.org/publications
- IBM Security, Cost of a Data Breach Report 2025. ibm.com/reports/data-breach
- ENISA, Threat Landscape 2025. European Union Agency for Cybersecurity. enisa.europa.eu
- Cybersecurity Ventures, 2025 Official Cybercrime Report. cybersecurityventures.com
- Samuelson, P.A. (1954). "The Pure Theory of Public Expenditure." Review of Economics and Statistics, 36(4), 387–389. doi.org/10.2307/1925895
- Olson, M. (1965). The Logic of Collective Action: Public Goods and the Theory of Groups. Harvard University Press.
- Anderson, R. and Moore, T. (2006). "The Economics of Information Security." Science, 314(5799), 610–613. doi.org/10.1126/science.1130992
- Hirshleifer, J. (1983). "From Weakest-Link to Best-Shot: The Voluntary Provision of Public Goods." Public Choice, 41(3), 371–386. doi.org/10.1007/BF00141070
- European Parliament, NIS2 Directive (EU) 2022/2555. eur-lex.europa.eu
- Swiss Re Institute, Cyber Insurance: Growth and Challenges. Sigma Report, 2025. swissre.com/institute