The 2022 cyberattacks on Costa Rica served as a wake-up call, underscoring the need for a fundamental shift in recognizing cybersecurity as a critical investment for the future rather than a mere expense. The impact of these cyberattacks not only heightened awareness about cybersecurity issues but also drove transformation within institutions, making cybersecurity a core topic even at the household level. Through this journey, we have recognized the need to strengthen our ecosystems by collaborating with our neighbours to enhance resilience not only in Costa Rica but also across the region. Paula Bogantes Zamora, Minister of Science, Innovation, Technology and Telecommunications of Costa Rica The Global Cybersecurity Outlook 2025 highlights the growing complexity in cyberspace, driven by factors such as geopolitical uncertainty and the increasing sophistication of cybercriminals – elements that often lie outside the direct control of organizational leaders. Nevertheless, it is crucial for leadership to understand the cumulative impacts of this complexity on both organizational and national cybersecurity postures.Addressing this deep-rooted complexity is no mean feat. It requires out-of-the-box thinking, almost always needing an economic argument to highlight the price of inaction on cybersecurity. Since past cyberattacks have highlighted the intrinsic link with the broader economic context – most notably in cases where attacks have caused measurable damage to economies as a whole – the financial drivers and consequences of cyber incidents are increasingly capturing the attention of leaders in both the private and public sectors The rise of organized cybercrime, large-scale attacks targeting critical infrastructure and the fast pace of technological adoption affecting social and economic development highlight the far-reaching economic impacts of cybersecurity. Another critical aspect is to understand the erosion of economic value due to cybercrime. With minimal operational costs and potentially high returns, cybercrime has become a highly profitable venture for attackers. The US Federal Bureau of Investigation (FBI) estimates that losses resulting from cybercrime exceeded $12.5 billion in 2023.48 As cybercriminals become more organized and innovative, many businesses are turning to cyber insurance to mitigate the financial impact of cyberattacks. However, with the increasing frequency of cybercrime, insurers are adjusting premiums and coverage terms, making it more expensive for businesses to secure adequate protection. All of these factors point to the need for leaders to quantify cyber risks and their economic impacts to align investments with core business objectives, while leaders who have the resources and means to help those who do not may need to step up to ensure a whole-of-system approach.One of the core tenets of cyber economics is the balancing act between investing in cybersecurity and managing competing business priorities. The rising complexity of the cyber landscape means that cyber risk is touching more parts of organizations, and successful leaders must correspondingly navigate a risk landscape in the same way as they do a market environment. Even though more than 60% of CEOs and CISOs surveyed report that cyber- risk management is integrated into enterprise risk management in their organizations, many still struggle to accurately assess the level of required investment. In fact, today, fewer than half of CEOs believe their organizations invest enough in cybersecurity. While proactive security measures – including multifactor authentication, firewalls and security- awareness training – can be costly, such expenses are negligible compared to the financial consequences of a cyberattack. However, in cash- strapped SMEs, such costs can be challenging unless compelling incentives can be introduced. In attempting to identify incentives, it is interesting to draw parallels with global efforts to combat a crisis in the physical realm – the climate crisis. Across the world, countries are trying to create incentives to push citizens in the direction of renewables, with significant subsidies being offered to help drive the movement towards rooftop solar or heat pumps, for example. To drive affirmative action and boost cyber resilience through the uptake of proactive security measures, it seems reasonable to demand similar incentives aimed at SMEs from governments.3.1 Introducing the economics of cybersecurity Global Cybersecurity Outlook 2025 40