Cybersecurity is a topic a lot of people do not really like. Most of us know there are risks. But many people seem to actively avoid thinking about those risks when going online. And we can’t blame them.

The problem isn’t that there is not enough information available. Every day, we are bombarded with news about the dangers lurking on the Internet. The idea is that eventually, all this news will instill at least some sense of awareness, stimulating people to take measures to protect themselves. Forewarned is forearmed, right?

But that is not the message the average reader may take home.

Not a fun read

For many people, reading about these issues may be a depressing experience. Articles on cybersecurity typically tell readers that everybody is after them, their data and their money. The reader will learn about the professional organizations behind these attacks. They will discover that cyber-attacks and malware are increasing in complexity each year. So the reader’s antivirus software or firewall is not going to stop them. They will hear of some chilling examples of hacked cars and pacemakers. They will get an idea of the consequences these attacks may have on people’s personal lives and privacy. They will understand that everybody is a victim, or will become one in the near future.

Bottom line: things are terrible, and there is not much that you, as an individual, can do about it.

These articles often leave readers scared and hopeless at the same time. Not an empowering message at all. No wonder people are tuning out.

Cybersecurity: A bitter pill?

This seems to present cybersecurity advocates with a dilemma. Getting the message across is hard when people do not like to hear it. But depressing or not, if matters really are this bad, sugarcoating things also doesn’t sound like a good idea.

But is this dilemma a real dilemma? Is the situation really that bad? Or is there a different story to tell?

There is more behind these news messages than just the journalist’s taste for sensational stories. Often, these articles are based on expert opinions and data from cybersecurity companies. These companies keep track of the number of cyber-attacks and publish the figures in detailed reports. The numbers in these reports are clear. There are millions of new cyber-attacks launched each day. According to some, the damage caused by these attacks costs the worldwide economy 300 billion US dollars a year. And things are getting worse.

But this might not be the whole story.

The Untold Story

A report by The Global Commission on Internet Governance (a conglomerate of two leading think tanks) sheds a whole different light on things.

As this report points out, the incidence of cyber-attacks is often expressed in absolute numbers. These numbers show that the number of attacks is increasing. What these numbers do not show is that the size of the Internet is also growing. And it is growing fast. If you factor that into the equation, the picture becomes radically different.

Think of a big city. Maybe the crime numbers in this city have doubled. But if the number of inhabitants increased tenfold, that means the city actually got safer. In the old situation, you would have ten crimes for a city with a thousand inhabitants. That means that the inhabitants had a 1% chance of being victimized by a violent crime. In the new situation, there would be twenty crimes in a city of ten thousand. That chance would drop to 0.2%. Not bad.

The same seems to be the case with the Internet. The World Wide Web is a growing city, attracting many new citizens each day. It is growing faster than its crime rates. It still is more of a jungle than a walk in the park. But the report shows that in many aspects, the situation has actually been improving over the last few years.

Of course, this report has its shortcomings. It mainly focuses on cyber-attacks. It does not discuss the mass invasion of our privacy by governments and companies. And that is at least as scary as all those hacker gangs. Also, since many cyber-attacks go undetected, the author admits that his data is incomplete at best.

Despite these shortcomings, the report does leave room for some optimism. Criminals may be quick to adapt to new technological developments. But when law enforcement and security companies catch up with them, it seems they often manage to reverse the trend. The author points out that it is difficult to say how things would have been without these efforts. But still, these findings give us reason to believe that these measures have contributed to making the internet a safer place.

Getting real about cybersecurity

So, cybersecurity advocates can tell a different story, without doing injustice to the facts. There are real improvements and successes: efforts do pay off, and things actually get safer.

The ironic thing is that these improvements may actually be hindered by the usual, alarmist story cybersecurity experts tell. Often, the individual user still is the weak spot in many systems. There is a lot of room for improvement here. But if people think the situation is hopeless anyway, they are unlikely to take any action to change their online behavior. In psychology, this phenomenon is referred to as learned helplessness.

So, not only can security advocates tell a different story, they may also need to.

One of the recommendations the report makes is that security companies should no longer present cybercrime data in absolute numbers, because doing so portrays the situation as worse than it actually is. Fear is counterproductive. A more realistic perception of cyber risks may encourage people to take their online security into their own hands again.