Companies are spending increasing amounts on cybersecurity tools, but aren't convinced their data is truly secure and many chief information security officers believe that attackers are gaining on their defenses, according to a new RAND Corporation study.

Charting the future of cybersecurity is difficult because so much is shrouded in secrecy, no one is entirely certain of all the methods malicious hackers use to infiltrate systems and businesses do not want to disclose their safety measures, according to the report.

While worldwide spending on cybersecurity is close to $70 billion a year and growing at 10 percent to 15 percent annually, many chief information security officers believe that hackers may gain the upper hand two to five years from now, requiring a continual cycle of development and implementation of stronger and more innovative defensive measures.

"Despite the pessimism in the field, we found that companies are paying a lot more attention to cybersecurity than they were even five years ago," said Martin Libicki, co-lead author of the study and senior management scientist at RAND, a nonprofit research organization.

"Companies that didn't even have a chief information security officer five years ago have one now, and CEOs are more likely to listen to them. Core software is improving and new cybersecurity products continue to appear, which is likely to make a hacker's job more difficult and more expensive."

The RAND study draws on interviews with 18 chief information security officers and details the burgeoning world of cybersecurity products. It also reviews the relationship between software quality and the processes used to discover software vulnerabilities. Insights from these elements were used to develop a model that can shed light on the relationship between organizational choices and the cost of confronting cyberattacks.

"Companies know what they spend on cybersecurity, but quantifying what they save by preventing malicious attacks is much harder to tally," said Lillian Ablon, co-lead author of the report and a researcher at RAND. "In addition, malicious hackers can be extremely sophisticated, so costly measures to improve security beget countermeasures from hackers.

"Cybersecurity is a continual cycle of trying to eliminate weaknesses and out-think an attacker. Currently, the best that defenders can do is to make it expensive for the attackers in terms of money, time, resources and research."

Libicki and Ablon say several of the study's findings surprised them. They found that it was the effect of a cyberattack on reputation - rather than direct costs - that worried most chief information security officers. It matters less what actual data is affected than the fact that any data is put at risk.

However, the process of estimating those losses is not particularly comprehensive, and the ability to understand and articulate an organization's risk from network penetrations in a standard and consistent manner does not exist - and may not exist for the foreseeable future.

RAND created a framework that portrays the struggle of organizations to minimize the cost arising from insecurity in cyberspace over a 10-year period. Those costs include the losses from cyberattack, the direct costs of training users, and the direct cost of buying and using cyber safety tools.

Additional costs also must be factored in, including the indirect costs associated with restrictions on employees using their personal devices on company networks and the indirect costs of air-gapping - ensuring a computer network is physically isolated from unsecure networks. This is particularly true for sensitive sub-networks.

The RAND study includes recommendations for both organizations and policymakers. Organizations need to determine what needs to be protected and how badly, including what machines are on a company's network, what applications are running and what privileges have been established. Employees' desire to bring their own devices and connect them to the company network also can increase vulnerabilities.

Libicki said most of the chief information security officers who were interviewed were not interested in government efforts to improve cybersecurity. However, the RAND researchers believe government could play a useful role. For example, a government guide outlining how systems fail - similar to guides for aviation and medical fields - could help build a body of knowledge to help educate companies with the goal of developing higher levels of cybersecurity.

The study, "The Defender's Dilemma: Charting a Course Toward Cybersecurity," can be found here