Password Security Economics and Risk Aversion

It is estimated that over $200 billion will be spent this year on worldwide cybersecurity tools; however, one of the most important forces driving the growth of this industry has not been fully explored via economic theory. Risk aversion, or the fact that individuals (and businesses) generally value the avoidance of loss more than they do obtaining a gain of equal value, is the primary reason consumers and enterprises continue to purchase password security solutions today (even when the threat of a possible future data breach seems to have very low odds).

Simply put, risk aversion describes how individuals choose between two options with the same expected value: the certain outcome is preferred to the gamble. The usual theoretical justification is "diminishing returns", or the "diminishing marginal utility of wealth": the larger the potential financial loss from an event, the more that loss reduces one's utility compared with the utility added by a gain of the same size. An individual may (understandably) spend £3/month on a password manager if they believe there is a 5% chance of suffering a serious data breach during the year; because the loss from the breach would be far larger than the subscription, it is rational to incur the known cost of the password manager rather than risk the enormous consequences of losing sensitive information through an unprotected account. Risk aversion in this situation is therefore consistent with Expected Utility Theory.
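The £3/month decision carried through in expected-utility terms, as an added worked example that is not part of the original post. The wealth figure, the loss size and the simplifying assumption that the password manager removes the breach risk entirely are constructed for illustration; the 5% probability and £3/month (£36/year) come from the text.

```latex
% Symbols: W = wealth at risk, p = probability of a breach in the year,
% L = loss if breached, c = annual cost of the password manager,
% u = utility of wealth (concave for a risk-averse agent).
% Page values: p = 0.05, c = 12 \times 3 = 36.
% Constructed values: W = 1000, L = 700, u(w) = \ln w.
% Simplifying assumption: buying the manager sets the breach probability to 0.

\text{Risk-neutral comparison (expected loss vs. certain cost):}\quad
pL = 0.05 \times 700 = 35 < 36 = c,
\ \text{so a risk-neutral agent declines.}

\text{Expected utility without the manager:}\quad
EU_{\text{none}} = (1-p)\,u(W) + p\,u(W-L)
 = 0.95\ln 1000 + 0.05\ln 300 \approx 6.8476 .

\text{Expected utility with the manager:}\quad
EU_{\text{mgr}} = u(W-c) = \ln 964 \approx 6.8711 > EU_{\text{none}},
\ \text{so a log-utility agent buys.}

\text{Certainty-equivalent cost (maximum the agent would pay):}\quad
u(W-c^{*}) = EU_{\text{none}} \;\Rightarrow\; c^{*} = W - e^{EU_{\text{none}}} \approx 58 .

\text{Risk premium above the actuarially fair price:}\quad
c^{*} - pL \approx 58 - 35 = 23 .

\text{General statement (Jensen's inequality for concave } u\text{):}\quad
u(W - pL) > (1-p)\,u(W) + p\,u(W-L)
\;\Rightarrow\; c^{*} > pL .
```

The last line is the point the paragraph makes: for any concave utility function the certainty-equivalent cost of the gamble exceeds the expected loss, so a risk-averse consumer rationally pays a premium above the expected loss, which is why a £36/year subscription can be the preferred option even when the expected loss is slightly lower than £36.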

The High Cost of Compromised Credentials

IBM's 2023 Cost of a Data Breach report provides extensive evidence for the assertion above that risk aversion drives the decision to incur the cost of password security. The global average cost of a data breach stood at $4.45 million, an increase of approximately 15% over the preceding three years. For small businesses, the cost of a data breach can represent a substantial portion of yearly revenue. The widely publicised 2021 Colonial Pipeline ransomware attack began with the theft of a single password and serves as an example of the increasing number of credential stuffing attacks against financial institutions, leading consumers to raise their subjective probabilities of data breach risk. As consumers perceive greater risk, they also become more aware of the potential severity of the downside. Together these shift the demand curve for password security products upward and change the relationship between the price of these products and the quantity sold.

Price Inelasticity and the Security Premium

Another unique characteristic that makes the password market economically interesting is the inelasticity of demand. Security products fall into the same category as insurance; once consumers adopt and become accustomed to using password management tools, they are unlikely to reduce their demand for the product — and they face additional costs for switching from one password management product to another. Multiple studies have found that if users have integrated their password management process into their daily workflow and are satisfied with the product in use, they are unlikely to stop using the product, even if the price increases. This price inelasticity also allows vendors to maintain strong pricing power.

For example, Proton Pass provides a free password generator — a common loss leader approach that reduces the friction of adoption and helps convert free users to paid subscribers. This pricing strategy mirrors the overall dynamics of the zero-pricing and cross-subsidisation economies within the digital market, whereby free tools facilitate user engagement and ultimately provide subsidy support for the premium tiers of access. Furthermore, this approach addresses one of the foremost behavioural barriers to adopting dedicated security products: the upfront cost of the tools, which causes financially constrained but risk-averse consumers to defer purchasing a password security product.

Likewise, the broader picture of the institutional-level password security market follows the aforementioned dynamics. As Gartner projected, global spending on information security solutions will exceed $215 billion due in part to regulatory pressures, but also due to an increased focus by board members and executives on treating cybersecurity as an enterprise risk management function, rather than as a traditional IT cost centre. Similarly, boards and Chief Financial Officers (CFOs) who once requested that each budget request include an ROI analysis are increasingly approving budget requests based on the expected utility and strategic loss avoidance — concepts that have been drawn from expected utility theory.

Therefore, the password security market is primarily shaped by the psychological processes of consumers. Consumers do not purchase password tools because it is fun or enjoyable to do so; rather, they purchase these tools to avoid violating their minimum acceptable risk threshold as it relates to the ever-increasing costs associated with data breaches.