Part 2 - Cost Asymmetry and Why Defence Is Structurally Disadvantaged

Security fails not because defenders are careless, but because attack and defence operate under radically different cost structures. This essay examines cost asymmetry as the core reason why defence remains structurally disadvantaged.


If intrusion is an economic activity, then cost is the variable that matters most. Not total cost, not theoretical cost, but marginal cost: the cost of the next attempt, the next control, the next failure. When analysed through this lens, the imbalance between attackers and defenders becomes impossible to ignore. Defence is not merely difficult. It is structurally disadvantaged.

This essay examines cost asymmetry as the central failure mode of security systems. It argues that insecurity persists not because defenders lack tools or knowledge, but because the economic geometry of defence and attack diverges in ways that no amount of optimisation can fully correct.

Fixed Cost versus Marginal Cost

Defensive security is dominated by fixed costs. Infrastructure must be designed, deployed, monitored, audited, documented, and maintained regardless of whether an attack occurs. These costs are incurred upfront and continuously. They are visible, budgeted, and politically accountable.

Attack cost, by contrast, is marginal. Each attempt carries a variable cost that can be abandoned when it rises. If probing a system becomes expensive, the attacker moves on. If it becomes cheap again, the attacker returns. There is no obligation to persist.

This asymmetry shapes behaviour. Defenders must justify every investment before an incident. Attackers justify investment only after success.

One Failure versus Total Coverage

The asymmetry deepens when success conditions are examined.

An attacker requires a single successful path. One misconfiguration. One exposed credential. One overlooked dependency. The defender must secure all paths, including those not yet imagined.

This creates an exponential disadvantage. As systems grow in complexity, the number of potential failure paths increases faster than the defender’s ability to reason about them. Even perfect execution does not eliminate unknown interactions.

From an economic perspective, the defender is attempting to eliminate all arbitrage opportunities. The attacker is searching for any arbitrage opportunity at all.

The outcome is predictable.

Reuse, Scale, and Learning Curves

Attackers benefit from reuse. Techniques developed against one system often transfer with minimal modification to others. Tooling improves through repeated application. Knowledge compounds.

Defenders experience the opposite. Each environment introduces unique constraints. Controls must be adapted. Exceptions proliferate. Lessons learned in one context rarely apply cleanly to another.

This creates divergent learning curves. Attackers amortise learning across targets. Defenders absorb learning costs repeatedly. Over time, this gap widens.

No defensive maturity model accounts for this properly, because maturity models assume linear improvement. The economics are non-linear.

Why Perfect Defence Is an Illusion

Security discourse often implies that breaches are the result of incomplete implementation. If only controls were deployed correctly, if only best practices were followed rigorously, the system would be secure.

This belief collapses under cost analysis.

Perfect defence requires infinite coverage, infinite foresight, and infinite maintenance. Even if theoretically achievable, its cost exceeds any rational budget. Organisations therefore do what rational actors do. They optimise within constraints.

Attackers exploit the residual gap.

This is not negligence. It is economic reality.

Breaches as Price Discovery

Viewed economically, breaches function as price discovery mechanisms. They reveal where defences are mispriced, where controls are too expensive relative to the value they protect, or where risk has been externalised.

This reframing is uncomfortable because it strips breaches of moral drama. A breach is not a shock. It is information.

The frequency of breaches in certain sectors reflects not incompetence, but persistent misalignment between asset value and defensive investment. The market is signalling that the price is wrong.

Ignoring this signal does not make it go away.

Defensive Inflation and Diminishing Returns

As breaches accumulate, defensive spending increases. More tools are deployed. More layers are added. More processes are introduced. Each increment promises marginal improvement.

Yet defensive inflation sets in. Complexity rises faster than protection. Attack surfaces shift rather than shrink. The marginal cost of additional defence increases while marginal benefit declines.

This is the security equivalent of diminishing returns. Past a certain point, additional spending buys reassurance rather than resilience.
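The two claims above, that the attacker needs one open path while the defender must close all of them, and that the marginal cost of additional defence rises as coverage approaches completeness, can be made concrete with a small model. The following Python is an added illustration written for this page, not part of the essay; it assumes n independent attack paths, a uniform per-path coverage level c, and a constructed per-path cost function in which closing a path to coverage c costs -ln(1 - c), so that the last fraction of coverage is the most expensive. The numbers it produces are properties of that toy model, not measurements.

```python
"""Toy model of one-failure-versus-total-coverage and defensive inflation.

Assumptions (constructed for this illustration, not taken from the essay):
- a system exposes `paths` independent attack paths
- each path is closed with probability `coverage`; an attacker trying it
  succeeds with probability 1 - coverage
- the attacker needs any single path to succeed; the defender needs all closed
- the defender's cost to hold one path at level c is -ln(1 - c), which grows
  without bound as c approaches 1 (an assumed shape, chosen to model the
  rising marginal cost the essay describes)
"""
from math import log


def breach_probability(coverage: float, paths: int) -> float:
    """Probability that at least one of `paths` independent paths is open."""
    if not 0.0 <= coverage <= 1.0 or paths < 1:
        raise ValueError("coverage must be in [0, 1] and paths >= 1")
    # All paths closed with probability coverage**paths; breach is the complement.
    return 1.0 - coverage ** paths


def coverage_required(target_breach: float, paths: int) -> float:
    """Per-path coverage the defender needs to hold breach probability at target.

    Solves 1 - c**paths = target for c.
    """
    if not 0.0 < target_breach < 1.0 or paths < 1:
        raise ValueError("target_breach must be in (0, 1) and paths >= 1")
    return (1.0 - target_breach) ** (1.0 / paths)


def per_path_cost(coverage: float) -> float:
    """Assumed cost of holding one path at the given coverage level."""
    if not 0.0 <= coverage < 1.0:
        raise ValueError("coverage must be in [0, 1); full coverage is unaffordable")
    return -log(1.0 - coverage)


def total_defensive_cost(target_breach: float, paths: int) -> float:
    """Defender's total spend to keep breach probability at target across all paths."""
    return paths * per_path_cost(coverage_required(target_breach, paths))


def asymmetry_table(coverage: float, target_breach: float, path_counts):
    """For each system size, show how breach odds and required spend move.

    Returns a dict: paths -> (breach probability at fixed per-path coverage,
    per-path coverage needed to hold the target, total defensive cost).
    """
    rows = {}
    for n in path_counts:
        rows[n] = (
            breach_probability(coverage, n),
            coverage_required(target_breach, n),
            total_defensive_cost(target_breach, n),
        )
    return rows


if __name__ == "__main__":
    # Constructed scenario: 99% per-path coverage, defender wants <=1% breach odds.
    print("paths  breach@99%  needed coverage  total cost")
    for n, (p_breach, c_needed, cost) in asymmetry_table(0.99, 0.01, [1, 10, 100, 1000]).items():
        print(f"{n:5d}  {p_breach:10.4f}  {c_needed:15.6f}  {cost:10.1f}")
```

Read down the table: with the same 99% per-path coverage, a single-path system is breached 1% of the time, a hundred-path system about 63% of the time. Holding the breach probability at 1% instead forces per-path coverage towards 1 as the path count grows, and under the assumed cost curve the total spend grows faster than linearly in the number of paths, which is the diminishing-returns picture the section describes.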

Attackers adapt once. Defenders pay forever.

Compliance as a Cost Multiplier

Compliance frameworks exacerbate asymmetry. They reward demonstrable control implementation rather than effective risk reduction. They privilege documentation over adaptability.

From an economic standpoint, compliance increases fixed cost without necessarily increasing attacker cost. It consumes defensive budget while leaving the underlying incentive structure unchanged.

This creates a paradox. Systems appear more secure on paper while remaining economically attractive targets in practice.

The market does not respond to documentation.

Summary

Cost asymmetry is not a secondary factor in security failure. It is the central one. Defence operates under fixed, escalating costs and total coverage requirements. Attack operates under marginal, optional costs and single success conditions.

This imbalance explains why insecurity persists even in well-funded, competently managed systems. It also explains why purely technical solutions fail to close the gap.

Until security is understood as a problem of economic geometry rather than technical sufficiency, defenders will continue to lose ground while believing they are making progress.