It's no secret that cyber security has become a major concern for individuals and businesses alike in recent years. With high-profile data breaches making headlines on a regular basis, the increasing cost of living, and growing interest rates, it's easy to understand why people and organisations are feeling uneasy about the state of cyber security.  

The University of New South Wales estimates cybercrime costs the Australian economy $42 billion a year (UNSW Institute for Cyber Security, 2021). Further, the government has increased potential fines under the Privacy Act reform from $2 million to $50 million or greater as part of their plans to make Australia “the most cyber secure country” by 2030 (Crozier, 2022). 

However, I have to say I'm sceptical about the effectiveness of using the threat of punishment to drive better cyber security behaviours. The cost of cybercrime is undeniable, but apparently not enough to fuel the level of investment and community awareness needed to combat the growing prevalence of cyber threats – we only need to look at the Optus and Medibank breaches of last year to see that. This has been going on for many years and is only getting worse, not better.

In my opinion, the best way to get people and companies to prioritise cyber security is through positive reinforcement and incentives, rather than a “stick”, however large, or the fear of punishment. This is especially true given there is limited evidence that the Privacy Act “stick” has been used in the past.

The UN argues that incentives for voluntary action, such as tax exemptions, partnerships and the promotion of soft laws like standards and guidelines, can effectively enhance regulatory efforts when it comes to corporate social responsibility (Peters & Röß, 2010). In fact, the report goes on to posit that often these incentives can empower businesses to use their innovative resources to their full capacity, helping them perform better against CSR objectives than the law dictates. 

We can see this in effect with the Federal Government’s R&D Tax Offset, which has been helping position Australia as a suitable investment destination for R&D since 2000 – encouraging growth in high skill jobs and our economy (Kipper & Demetriou, 2020; OECD, 2021). Investment from the Australian Government has grown from $650 million in 2000 to $2.17 billion in 2019, showing an increasing uptake of the incentive over time (OECD, 2021).  

Developing an incentive for better cyber security investment

So, what if there was a “carrot” or incentive to encourage better cyber resilience or hygiene for companies protecting the sensitive data of Australian citizens? The 2022-23 budget included a suitable solution for SMEs, but it’s limited to companies with less than $50 million in annual revenue and capped at a tax rebate on investment in cyber security technology and training of only $100,000 per tax period. That means it covers a 0.2% investment from a company with a revenue of $50 million – the very business this scheme would be targeted toward.

According to Gartner’s IT industry key metrics 2019 (Stegman et al., 2018), three key benchmarks for cyber security spending emerged after surveying companies from multiple sectors: 

  • On average, companies spend 6% of their IT budget on security.
  • Security spending per employee averages out to $1,178.
  • Companies spend $2.84 for every $1,000 in revenue.

Based on these numbers, a company with $50 million in revenue is investing approximately 0.3% of annual revenue on cyber security. Surely, given the relatively low cyber resilience of most companies today, something more like 1-2% is required for most companies to ‘catch up’ to the level of cyber security maturity recommended in 2023.

While the incentive is a good start, our solution needs to go further than that. Australia’s carrot needs to apply to companies of all sizes and be more proportionate to the expense required and the level of maturity achieved.  

What’s the solution? 

Here’s an idea that could fuel real change: facilitate tax savings for companies who can prove they meet certain cyber security resilience standards. For example, the ACSC Essential 8 at maturity level 2 or 3, with the incentive scaling as higher levels of maturity are achieved.

Let's look at some numbers to illustrate the potential impact of this idea. 

According to the most recent corporate tax transparency report for FY21, the total company tax payable was $68.6 billion (Australian Taxation Office, 2022). This includes tax paid by Australian public and foreign-owned corporate entities with total income of $100 million or more, as well as Australian-owned resident private companies with total income of $200 million or more. That’s 2,468 entities. 

If these companies could retain 1% of their tax payable by boosting their cyber security, that’s $2.286 billion in tax savings.  

Now, let's consider the estimated cost to the Australian economy of cybercrime. If the government were to "invest" a percentage of its company tax revenue (in the unlikely case that all 2,468 companies meet the requirements) to incentivise better data protection, this could make a massive dent in the estimated cost of cybercrime to the economy. Isn’t that a return on investment worth considering to drive us toward the goal of being the most cyber secure country by 2030?

If we extended this idea to small and medium-sized businesses with revenues under $100 million, we’d further amplify the positive impact on our economy and our country’s cyber resilience. Additionally, the incentive would boost the cyber security industry and its vendor partners, as investment in cyber security to qualify for the incentives grows. There could also be guides or requirements to leverage sovereign, Australian owned and operated cyber security companies to provide the assessments, solutions, and services needed to uplift cyber security and qualify for these incentives, further fuelling our economy with local investment that increases local cyber resilience.

There are many ways to create incentives for better cyber security, and the idea of providing tax savings or rebates based on proven cyber resilience or maturity is just one example.  

It’s time to drive real behavioural change in the corporate world when it comes to cyber security. We need a "carrot" instead of a poorly wielded "stick". Any ideas?


Australian Taxation Office. (2022, November 3). Corporate tax transparency report for the 2020-21 income year. Australian Taxation Office. Retrieved March 6, 2023, from 

Crozier, R. (2022, December 8). Gov sets target to make Australia "most cyber secure country" by 2030. iTnews. Retrieved March 6, 2023, from 

Kipper, K., & Demetriou, A. (2020, October). R&D tax incentive changes to investment in the future. KPMG. Retrieved March 6, 2023, from 

OECD. (2021, December). R&D tax incentives: Australia, 2021. Directorate for Science, Technology and Innovation, OECD.

Peters, A., & Röß, D. (2010). The role of governments in promoting corporate responsibility and private sector engagement in development. UN Global Compact and Bertelsmann Stiftung, USA and Germany. 

Stegman, E., Badlani, D., & Futela, S. (2018, December 17). IT key metrics data 2019: Key IT security measures: By industry. Gartner. Retrieved March 6, 2023, from

UNSW Institute for Cyber Security. (2021, November 24). Cybercrime an estimated $42 billion cost to Australian economy. UNSW. Retrieved March 6, 2023, from 
Aaron Bailey

Chief Information Security Officer