VIEW 4
The biggest insect ever...
What is the biggest insect in the world? The answer is a Malaysian stick insect (Phobaeticus serratipes), which is a foot long. Scary enough, but if you are a fan of sci-fi movies, you will be disappointed. There can never be such a thing as the Attack of the Giant Ants because an insect could never grow that large. Insects are constrained in size by the volume to surface area ratio. An insect has an exoskeleton, not an endoskeleton. After a time, the size and weight of the exoskeleton are so great that the muscle inside cannot support it. Beyond a certain size the exoskeleton design fails because the volume to surface area ratio has hit a critical point. To get larger than this you need to switch to an endoskeleton design. Then you can become a blue whale.

Turning to cyber security, we can use the volume to surface area ratio to model cyber defenses. If we express the problem in mathematical terms, we can see that the surface area scales with the square, but the volume scales with the cube. That means we can draw a graph of the ratio between the two—the volume to surface area ratio—as an exponential curve. In our analogy the surface area represents the customer-facing parts of the organization—those who are on the front line talking to customers. The volume represents the administrative parts of the organization—functions such as HR, IT, Legal, Operations. So, another way to describe it might be the back-office-to-front-office ratio.
In a startup, everyone is a salesperson. For small companies, growing revenue is the number-one concern, so typically the volume-to-surface-area ratio is small—lots of salespeople, little administrative overhead. But as companies grow and mature, the ratio changes, and they undergo a paradigm shift from the exoskeleton to the endoskeleton model.
Administrative functions are brought in-house and there is a greater focus on governance, compliance, and, you guessed it, cyber security. Cyber security becomes a more prominent concern when a company begins to focus less on getting bigger and more on protecting what they already have.
We can then pose a different question: what type of company is the best target for ransomware? The answer is a medium-size company. A company with large enough revenues to pay a decent ransom, but small enough not to have invested significantly in cyber security. You can see from these illustrative charts that when we subtract B from A, we end up with a peak of susceptibility in the middle. These medium-size companies are the ideal target; big enough to be worthy of an attacker’s attention, but small enough that they may not be able to defend effectively against it.