VIEW 17
The Laffer curve
A 14th-century Islamic scholar called Ibn Khaldun observed in his book The Muqaddimah that raising taxes encouraged merchants to find ways of avoiding them. This early insight struck a chord with the supply-side economists who emerged in response to the stagflation of the late 1970s, calling for lower taxes, deregulation, and free trade.
The foremost amongst these was Arthur Laffer, who came to prominence in the Reagan administration. He is best remembered for putting forward the Laffer curve, an extension of Ibn Khaldun’s ideas about the relationship between the rate of taxation and the tax revenue a government actually collects. His argument was that there is a maximal tax revenue that can be extracted from the citizenry, and that it is reached at some rate short of 100%.

His point is illustrated in the diagram on the right. In the first column the ascending green line is the tax rate, increasing from, let’s say, 30% to 40% to 50%.
As the tax rate increases, the number of people paying tax decreases, as shown by the descending blue line. This is because it becomes worthwhile for people to invest in tax avoidance schemes or move offshore. Revenue is the product of the two: the rate multiplied by the number of people still paying it. When you combine the tax-rate line and the blue line, there is a peak beyond which, even though the tax rate keeps rising, the revenue collected actually falls. That peak is the maximal tax revenue point at the top of the Laffer curve.
Now, when we read across into cyber security, a similar effect is at work. Picture increasingly strict security controls, represented again by the ascending line. This is the tightness of the straitjacket into which users are being forced. As that constriction gets tighter, the number of compliant users goes down: they invest time in finding workarounds that make their lives and jobs easier, and every workaround is a control that no longer protects anything.
So the blue curve, the number of compliant users, falls as the strictures and compliance rules increase, and the security actually achieved is the product of the two. This implies that there is a maximal point for cyber security controls too.
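The following is an added example, not part of the original article, that puts the two lines of the diagram into a small model. The ascending line (tax rate, or strictness of controls) and the descending line (people still paying, or users still complying) are multiplied to give the Laffer curve, and the code finds the peak and the first point at which tightening further makes the total go down. The shapes of the drop-off (linear and exponential, with a steepness parameter `k`) are assumptions chosen for illustration; the article's diagram does not specify them. What the example adds to the text is that the position of the peak depends on how quickly people defect: the faster users find workarounds, the earlier extra controls start costing you security.

```python
import math
from typing import Callable, List, Tuple

# A curve is a list of (level, value) points, level and value both in 0..1.
Curve = List[Tuple[float, float]]


def product_curve(levels: List[float], remaining: Callable[[float], float]) -> Curve:
    """Combine the two lines of the diagram.

    `levels` is the ascending line: tax rate, or strictness of controls, as a
    fraction 0..1. `remaining(x)` is the descending line: the fraction of people
    still paying tax, or still complying, at level x. Their product is the
    Laffer curve: revenue collected, or security actually achieved.
    """
    return [(x, x * remaining(x)) for x in levels]


def peak(curve: Curve) -> Tuple[float, float]:
    """The maximal point at the top of the curve, as (level, value)."""
    return max(curve, key=lambda point: point[1])


def first_decline(curve: Curve) -> float:
    """The last level before tightening further makes the total go DOWN.

    Returns the final level examined if the curve never declines in range.
    """
    for (x0, y0), (_, y1) in zip(curve, curve[1:]):
        if y1 < y0:
            return x0
    return curve[-1][0]


def linear_dropoff(k: float) -> Callable[[float], float]:
    """Assumed shape: the fraction still complying falls linearly, 1 - k*x,
    never below zero."""
    return lambda x: max(0.0, 1.0 - k * x)


def exponential_dropoff(k: float) -> Callable[[float], float]:
    """Assumed shape: the fraction still complying falls as exp(-k*x).
    Larger k means people buy avoidance schemes or find workarounds sooner."""
    return lambda x: math.exp(-k * x)


# Levels from 0% to 100% in 5% steps (constructed sample input).
LEVELS = [i / 20 for i in range(21)]


def describe(title: str, curve: Curve) -> str:
    """One-line summary of where a curve peaks and where decline sets in."""
    top_level, top_value = peak(curve)
    return (f"{title}: peak at level {top_level:.0%} (value {top_value:.3f}); "
            f"tightening beyond {first_decline(curve):.0%} reduces the total")


if __name__ == "__main__":
    # Tax view: revenue = rate * taxpayers remaining.
    print(describe("tax, linear avoidance", product_curve(LEVELS, linear_dropoff(1.0))))
    # Security view: effective coverage = strictness * compliant users remaining.
    # Users who defect slowly (k=2) versus users who defect quickly (k=4).
    print(describe("security, slow workarounds", product_curve(LEVELS, exponential_dropoff(2.0))))
    print(describe("security, fast workarounds", product_curve(LEVELS, exponential_dropoff(4.0))))
    # Control group: if nobody ever defects there is no peak and no Laffer effect.
    print(describe("security, perfect compliance", product_curve(LEVELS, lambda x: 1.0)))
```

Running it shows the peak at 50% strictness when users defect slowly and at 25% when they defect twice as fast, while the curve with perfect compliance never turns down at all. The practical check this suggests is to measure the descending line in your own organisation (workaround rates, shadow IT, shared credentials) before assuming another control will add net protection.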
It is well known that 100% security is impossible. Every attack has to be defended against, but the attacker only has to get through once to cause harm, so the odds are stacked against the defender.
This diagram, however, suggests that you could struggle to get much beyond 70% because of that maximal security peak. After a certain point, despite increasing security controls, resilience decreases because of the Laffer curve effect: each extra control pushes more users into workarounds than it protects.
The conclusion is that IT security controls can only take you so far in reducing cyber risk. Beyond that maximal security point, measures from outside IT, such as HR-led training or insurance cover, have to complement the company’s technical cyber defenses. The Laffer curve demonstrates that internet security is not just an IT problem.