Oct 23, 2018

New cybersecurity business model: Pay-per-phish

A phone with 0s and 1s in blue before a green background.

Photo: Jaap Arriens/NurPhoto via Getty Images

Area 1 Security, a California-based anti-phishing cybersecurity firm, announced Tuesday it is introducing a "pay-per-phish" model under which customers only pay when Area 1 actually foils a phishing attempt. Each caught phish — a seemingly innocuous email that contains malicious software or attachments — will cost the customer $10.

The big picture: This year, global spending on cybersecurity products is expected to reach $114 billion, a 12.4% increase over last year, per Gartner, but companies are not seeing results from their investment. The pay-per-phish model tries to change the security market's incentives by structuring rates around outcomes.

Why it matters: Area 1 CEO Oren Falkowitz tells Axios he fears companies frustrated by security programs with high price tags and poor results could simply drop their guard, degrading collective security.

Driving the market: Many cybersecurity solutions charge blanket fees for protection even if they can't guarantee a better cybersecurity posture. Area 1's bet is that their model will encourage constant product improvement and increase its customers' confidence.

What's next: It remains to be seen if this business model is sustainable and whether other companies will follow suit.

By the numbers:

  • There were 264,483 email phishing attempts in the second quarter of this year reported to the Anti-Phishing Working Group, compared with 53,081 reported to the group just 5 years ago.
  • The $10 charge is per individual email that Area 1 manages to quarantine before it lands in a user's inbox.
  • But there's a limit to the payout: If one company is hit with a wave of phishing attempts that Area 1 successfully blocks, $10 per phish might become prohibitively expensive. As a result, Area 1 has placed a cap on payouts, Falkowitz says. This could make a difference in a worst case scenario.
Go deeper