VIEW 24
The tragedy of the commons
The traditional consoling advice to the broken-hearted is, “Don’t worry, there are plenty more fish in the sea.” Sadly, this is no longer true. A GFI report [13] published in 2021 found that half of global fish stocks have been depleted to less than 40% of previous levels, with bluefin tuna and cod reduced to only 10% of original numbers. This has happened despite 30 years of regular warnings about acute overfishing from the UN and from NGOs.
This phenomenon is known by economists as a “tragedy of the commons.” Individuals are acting in self-interest to deplete a common resource, even though it is in no one’s long-term interest for this to happen.
The logic working here is the economic concept of marginal utility. Picture a green common in the center of a medieval village, where villagers have the right to graze their cows.

Gradually the number of cattle increases beyond what the grass can support. Each villager is then faced with a choice: should they continue to put cows on the pasture?
At this point the marginal utility equation comes into effect. An individual villager gains all the benefits of putting a cow on the common, but the negative effects are shared among all: they get all the upside, others share the downside. Therefore, the logical course is to keep putting cows on the pasture until it is destroyed. Overfishing, rainforest destruction, pollution, water shortages, and global warming are all examples of tragedies of the commons.
We can apply this economic concept to cyber security too. Why do users not follow security policy and continue to do hazardous things?
Because the benefits of not following the rules accrue to the individual, but the cost is spread out over the group as a whole.
So, the real question is, how do you get out of a tragedy of the commons situation?
Carrot vs stick
There are two ways. You can use the stick strategy, which would be a benefit to the group but a cost to the individual, or a carrot strategy where there is a benefit to both. Most security thinking up until now has been of the stick variety: “You must do this, or else lose your job.”
But there’s a growing appreciation that a carrot strategy works much better. If you can come up with something which is a benefit both to the group and the individual, those rules are much more likely to be followed.
This is an example where the HR department could make a significant contribution to cyber security by offering, let’s say, an extra day’s holiday or an extra financial bonus of some sort for people who follow the rules properly or take the training. At AXIS we offer cyber security tools as part of our employee benefits package. Carrot strategies like these are a small price to pay for a big improvement in resilience.