WB: Important for Azerbaijan to measure economic returns on cybersecurity investments - INTERVIEW

Azerbaijan is actively developing the digital economy and creating national training centers in the field of cybersecurity. However, as World Bank experts note, without systematic accounting of cyber incidents, it is impossible to assess the effectiveness of such steps.

In an interview with Report, Estefania Vergara Cobos, economist (digitalization and cybersecurity) at the World Bank, explained why countries like Azerbaijan need to build a reliable attack monitoring system, and how the indirect consequences of cyber incidents affect investor confidence and economic growth.

Report presents the interview:

- According to your research, cyber incidents annually reduce the economic growth of developing countries by 0.2-0.6%. What economic model should countries use to calculate the optimal level of investment in cybersecurity compared to potential GDP losses?

- First of all, a system for measuring cyber incidents is necessary. It's very important to record the scale of their spread. Currently, there is a lack of incident data in developing countries. It is estimated that more than 40% of cyber incidents remain unregistered. Therefore, the approach should include secure collection of data on cyber incidents, tracking them, and assessing direct and indirect economic costs. This means measuring such consequences as changes in investor behavior after an incident, decreased consumer confidence in the economy, as well as disruptions in supply chains.

- Your research shows that the largest number of attacks (36%) target the public sector. How should governments economically prioritize cybersecurity investments among critical industries?

- In developing countries, government administration is indeed most frequently attacked. However, in 2024, we have also seen serious incidents in critical infrastructure: energy, telecommunications, and the financial sector. It is important for countries to clearly understand which industries are critically important.

To date, only 60% of countries have officially classified them. Priority should be given to sectors on which the economy and development are most dependent, as well as those where incidents can cause the greatest consequences, considering their financial and social interconnection. Once vulnerabilities are understood, the most effective cybersecurity solutions can be developed.

- Based on the analysis of thousands of registered cyber incidents over the past decade, what are the main global trends and how do the economic consequences differ for developed and developing countries?

- We observe an annual increase in the number of registered cyber incidents at a level of 21% over the past decade. Particularly rapid growth is seen in Latin America, the Caribbean, and Sub-Saharan African countries, as well as in upper-middle-income countries. Cyber incidents are often linked to socio-economic and political events, such as the Russian-Ukrainian war. In 2024, the growth in the number of incidents in upper-middle-income countries was about 37%. In developing countries, the main target of attacks is government administration, while in developed countries, attacks are distributed more evenly: healthcare, finance, education. Moreover, in developing countries, a statistically significant negative correlation between GDP and the number of cyber incidents has been identified, which is not present in high-income countries.

- In your book, cybersecurity is viewed as an economic necessity, not just as a cost item. How do strong cyber defense systems stimulate economic competitiveness and GDP growth in developing countries?

- Research shows: sectors most vulnerable to cyber incidents grow faster in countries that invest more in cybersecurity. This turns cyber defense into a competitive advantage factor, especially in digital industries such as telecommunications and energy. Thus, cybersecurity is not only a means of reducing costs but also a source of additional economic growth.

- What models and approaches to cyber cooperation at the regional level should developing countries apply? How can joint investments in cyber resilience bring mutual benefits?

- Cyberspace depends on the strength of its weakest link, so international cooperation is extremely important. But the key is implementing targeted and effective solutions. For example, joint projects to protect energy, telecommunications, and the financial sector. We can learn a lot from high-income countries where, for instance, the financial sector shows high resilience. It's also useful to exchange our own experiences and practices.

- How can countries like Azerbaijan evaluate the economic impact of establishing national cybersecurity training centers and developing internal expertise?

- To evaluate the effectiveness of solutions, reliable data collection on cyber incidents is essential, as over 40% of them remain unreported, which in itself creates a vulnerability. It's essential to systematically track both direct costs (e.g., ransom payments, production disruptions) and indirect costs (decreased consumer confidence, changes in investor behavior). Moreover, indirect effects can take up to three years to manifest. Without measurement, it's impossible to understand the effectiveness of our measures.

- What are the main market failures preventing the private sector in developing countries from investing in cybersecurity? What policy measures can governments implement?

- The main factor is third-party risks: 90% of companies work with suppliers who have themselves been attacked. The return on investment in cybersecurity is unclear, so it is perceived as a cost rather than an investment. Furthermore, 60% of companies pass on the losses from attacks to consumers.

Incentive distortions exist: companies are reluctant to report incidents, which reduces overall resilience. Finally, systemic risks are often overlooked: for example, 39% of African countries have below-average cybersecurity commitments. The main problem is information asymmetry: consumers are unable to assess the quality of solutions offered by providers. This requires increased awareness and transparency.

- What methods and metrics do you recommend developing countries, including Azerbaijan, use to assess the economic impact of cyber incidents?

- New research is underway both at the micro level-assessing direct and indirect costs for victims of incidents-and at the macro level-analyzing the impact channels on the economy as a whole. However, effective solutions require targeted research: at the country, industry, and individual firm levels. Tools such as surveys, monitoring the spread of attacks, and modeling their economic impacts are useful for this purpose.