How information technology has reduced productivity by the empowerment of bureaucratic and regulatory “busy-bodies”.
Example number 1: 50 years of finding a flat.
1976
Process Chain
Walk about, try to find real estate agent through fog of beer.
Visit a few places (in old mini) where undergraduate students (boys) are welcome – not many it must be said.
Sign up. Eye shotgun owned by landlord with suspicion.
Move in with lp’s, cassettes, bedding etc. in back of Dad’s (or somebody else’s Dad’s) car as mini too small.
Plug in electric bar heater, fix holes in bathroom window and break ice when needing shave.
Spend rent money on beer and cigarettes.
Summary
Time taken – couple of days. Experience – okay what do you expect? Paperwork – what’s that?
1986
Process Chain
Arrive at Tullamarine Melbourne, early morning January.
Spend morning at new job.
Go to Turnbull Cook on Toorak Road in South Yarra. Andrew shows us round a couple of whizzy flats.
Sign up. A few details printed on a dot matrix printer from their PC rental software (Peak productivity).
Move in. Duvet (doona) in plastic bag.
Spend rent money on rent.
Summary
Time taken – one day. Experience – fabulous. Paperwork – 10 minutes tops, pay with EFTPOS.
2026
Process Chain
Spend a week browsing through www.realestate.com.au, trying to get the saved searches right, fiddling with tens of parameters, sorting on various criteria. What fun. Better than smoking just.
Prepare applications – reams of personal information disclosure and uploading identity documents. What for? Busy-bodies.
Prepare program of visits, e-mails, texts, invites, flying all over. Print it out.
Turn up for viewings. Some very bizarre behaviour including taking a picture of a washing machine, the girlfriend in a wardrobe and getting in a panic when a door won’t open. #surftoserf
Sign up, pay up – huge bond and rent in advance.
Receive torrent of e-mails and texts about other properties and other things.
Delete all personal information a.s.a.p.
Move in.
Summary
Time taken – four or five days – do young people have to do this? Experience – bewildering. Paperwork? Piles of it.
The use of Information technology in the “internet age” has not delivered the wealth creation (measured by productivity improvement) prophesied by its evangelists. Yet expenditure on I.T. continues inexorably to rise. Can the introduction of “AI” better deliver value? “Yes” if it can it cut the cost of “Exception-handling” The following article from iTWire illustrates the point.
Figure 1. A framework for process optimization perhaps using information technology as the automation mechanism.
The improvement of manufacturing is hard. Armadas of consultants were deployed in the 1990’s to improve manufacturing productivity (using process analysis) in automated or partially automated systems, by slivers of percentage points (Six Sigma anyone?) . “Business Process Re-engineering” (“BPR”) was all the rage until the unfortunate (deliberate?) migration of much manufacturing activity outside of Western economies.
“Digital Transformation” is the new Black
“BPR” has re-emerged, rebranded as “digital transformation” in recent years across all sectors. However, the focus of these exercises should be more a fundamental recast of business activities, e.g. multi-channel sales, rather than solely a search for improvements in existing processes through automation. A fine distinction perhaps.
Something, sometime will go wrong. Oversight.
It is a reasonable premise that a provision for every material malfunction – “unconstrained exception-handling” – cannot be (theoretically?) practically engineered into any system “devoid of oversight”; a “person” to act beyond computation is required.
So to automate out completely the presence of a “person” would suggest there is no unacceptable “unexpected”. “Oversight” is not required. Ergo an automated taxi that travels with less than injurious energy is OK. Over that?
Does automation add up?
Given that oversight by a person(s) is a required component of a system then why spend money on automation?
If 80% of the work needed to deliver the desired output can be done with a “person included system” that costs 20% (analysis, design, build and maintain) of a “person devoid” system then a person is required to do the remaining 20% of the work, usually “exception-handling”.
Why can’t the person do the 80% as well? And do other work too?
Hence the ubiquity of the Excel proficient knowledge worker and the like in service sector offices.
Of course, if growth or other changes in business circumstance transpire then the equation can flex.
El Dorado or up the garden path?
Engaging in process optimization work may deliver but fool’s gold. Productivity can be improved, often by quite simple means – the improvement in the accuracy of a process, removing duplication, perhaps updating a key constituent component or service. On the other hand, an organisational psychosis can emerge e.g. obsessive benchmarking, that delivers only diminishing returns and which diverts scarce resources from other perhaps more vital activities like product development, marketing and sales. More dangerous still, focus is directed to the internal rather than on the external where existential risks can emerge.
What to make then of the “Automation” mania currently sweeping the service sector, driven by the hype of the “AI” free lunch.
Internet Productivity = Zipless; “AI” Productivity = Zipplus?
The above graph of Australian Labour Productivity since the turn of the millennium aligns approximately with the “internet age”. It is “pretty ordinary” as per the local vernacular.
This suggests that I.T. expenditure is approximately 5% of Australian GDP and it is suggested by the same source, Gartner, that this percentage will continue to increase. In the assumption that this category of expenditure has been 3%-4% percent of GDP over the period of interest (2003-2025) in Australia, it could be said that it is difficult to see how this expenditure has had a positive effect on wealth creation i.e. improved output per unit of input. Perhaps it has been acting against other frictions that have been working to reduce wealth creation. What might be those frictions? Are they generated by the previous systems (“tech debt” is the common expression) built by previous I.T. investment and accompanying practices?
It should be noted that it not just the Australian economy, as pointed out by Krugman and Gordon, in which productivity improvement from information technology investment is hard, if not impossible, to find.
Exceptions, on exceptions, on exceptions etc.
In the case study, the following is claimed:
“Month-end stress often traces back to a single operational truth: invoices that cannot post without human intervention. Exceptions stall payments, distort accruals, and absorb analyst time that should go to forecasting and vendor performance reviews.“
The article then explains how to reduce the impeding exceptions that militate the automation of the process. It might be sardonically observed:
The resources will never exist to perform this work (it will always be the last item on the backlog).
The initial work generates an outcome that demands further, continuous work thus cost and therefore little productivity improvement.
It is therefore probably easier and cheaper to employ somebody to tidy up the exceptions and therefore handle the entire process when not so occupied.
This case study well illustrates the potential false promise of productivity gains through I.T. investment in service sector activities. Consider:
Complex data-processing systems accrete “exception” conditions.
The cost of the removal and automated handling of “exceptions” exceeds the cost of tolerating the “exceptions”.
Overtime the data-processing systems “rot” through the accretion of exceptions and efforts to mitigate the effects of those exceptions; in competitive markets, an enterprise must respond or face the consequences. In the public sector or the regulated service sector, this process can continue effectively ad infinitum as the incentives for a reset solution do not exist. The organisation therefore becomes more inefficient as the rotting systems require more and more expense to maintain their functionality. Hence, productivity declines.
In addition, regulators insist on the introduction of new complexities into these rotting systems, which perhaps while justified, further add and entrench exceptions thus increasing the cost of outputs.
Easing Exceptions – an opportunity, a test for “AI”
What if there was a mechanism to eliminate the “exceptions” that bedevil rotting data-processing systems or significantly reduce the cost of maintenance of “exception handling” in those systems?
Is this an opportunity for “AI” technology and associated practice? Is “AI” really the step-change up from other available mechanisms as proponents claim?
Applied to the case study, the argument for “AI” is that a relatively inexpensive and pliable “AI” based function could be embedded in the invoice handling process to minimise the disruptive effect of malformed documents. This would enable the implementation of an automated system. Existing staff could be more gainfully employed and any growth in volumes handled by the automation without further expense.
The economics might suddenly work.
In this context, two methods exist to best examine opportunities within the organisation: cybernetics – to identify the complex data flows within systems and activity-based accounting to identify associated value and cost.
Pesky Customers – who needs ’em?
Figure 2. Customers, what customers?
Monopolists and oligopolists in the Australian economy e.g. Big Tech and banks, comfortable in their privileged market position, seem particularly tempted to outsource their customer interactions to “AI” technology.
If “AI” can handle most of the “exceptions” why bother with those outside the scope of such solutions? Let the customers step into line.
Given that exception conditions are particularly frequent at the interfaces between processes this tendency, from a cost perspective is understandable. However, an issue for regulators and boards of increasingly insular corporates, hidden from customers behind walls of technology in silos of groupthink will be whether “exceptional” customers and cases will continue to be worthy of attention.
Given that an organisation may wish to make an informed decision about their cyberdefence concerns, the following approach can deliver a coherent evaluation.
In the APRA practice guide, CPG 235, a “fractal” primitive of data processing is defined. This logical data-life cycle “primitive” suggests the following cybersecurity concepts:
Perimeter protection – a component of data-capture
Zero-trust – data processing, retention and publishing
Data Centric Security – data processing, retention and disposal given that publication suggests outputs beyond the domain into the data-capture of a related data process.
Figure 1. CPG 235 Data Processing “Fractal” PrimitiveFigure 2. CPG 235 Data Processing “Fractal” primitive, decomposed to the next level of resolution.
A simple business plan can be created for each “primitive”, described by cybernetic analysis estimating the cost of risk mitigation and the contingent provision required in the event of a catastrophic event. Some of the details required for this exercise may already be present as they are an output from other work e.g. privacy impact assessments.
Figure 3. Illustrative “business plan” with expenditure and provisions. Variables including time-scales, line-item detail can be adjusted as required by circumstances.
Expenditure in tooling and expertise etc. can then be allocated to the protection of these assets, the data processed and the supporting infrastructure, ranked by the cost of remediation of a catastrophic event.
Such existing sophistication or its elements already exist in many entities, for example, financial institutions but can be replicated or adapted to be of use in more modest circumstance. The analysis can be either as high or as low in resolution as required.
Through a focus on monetary values, matched to the charts of account or financial plans, the argument for cyberdefence investment can be made more easily to managerial colleagues from non-IT disciplines.
To complete the exercise, a test against contemporary jurisdictional regulation can be conducted through examination of the scheme of expenditure. Given that incidents will always occur, the question can be asked: “Is this a reasonable response that would be deemed a prudent act of stewardship when viewed by internal and external parties?”.
In conclusion
The outlined approach, where the questions “Why” and “What” are separated from the “How” enables an informed consideration and thus decision-making framework for the deployment of cyberdefence. Communication between management disciples is facilitated and measurable financial outcomes can be identified and subsequently evaluated for future refinement of the domain e.g. technology upgrade, process automation.
Cyber Defence – Protecting the productive assets of the organisation. The Why, What and How.
iTWire “Reads”
Cyber Security
Cyber and “AI”
All
Totalled “Reads”
8,618
12,923
21,124
Percentage “Reads”
40.80%
61.18%
100.00%
Figure 1. well illustrates that which exercises the readership of iTWire in the most recent week considered. Cybersecurity and “AI” are aggregated as, in the articles published, there is nearly always a reference to the “cybersecurity” construct in “AI” articles. Articles on “AI” that explicitly do not have been excluded.
Why is cybersecurity (for this purpose, consider cybersecurity as the means to achieve cyber defence the business function – the protection of company assets). worthy of such attention? Perhaps it is not, depending on your point of view: “Former Optus CEO lands top role at Australian Unity“
Managing Cyberdefence
What is the appropriate response of an organisation to the risk of cyberattack? Simplistically categorised, possible approaches are as follows:
Ignore or rationalise and tidy up the mess if the worst comes to the worst
Do as little as possible given the regulatory framework in the jurisdictions of concern
Proactively embed defences within the organisation at points of vulnerability with reference to the balance sheet of technological assets within the purview of the organisation.
The judgement to be made, is whether the cost of the “mitigation” e.g. insure, engineer of the risk, outweighs or not the cost of the clean-up e.g. provision for contingent expenditure on the balance sheet. Imperatives within the public sector and institutions maybe differently expressed but let us say are of the same general form.
Sometimes, the cost of mitigation will be so high within the strict if not reasonably interpreted parameters of the legislation e.g. EU:GDPR, that Number 2 will be out of reach even with a well-orchestrated Number 3 approach.
Number 2 will do
Consider the “Enforceable Undertaking” imposed by the OAIC against the Commonwealth Bank of Australia, a singular institution within the nation. It can be argued that compliance to the APA 1988 requires, as a pre-requisite, secure data handling. It is unclear whether the CBA was negligent or ignorant of the consequences of this assertion viewed against the position of the regulator. Was it cheaper to fix up the mess or to take a priori, as is clear in the language of the regulator, reasonable steps to protect the interests of the individual as manifested in their personal information.
Number 3 the place for me
Nothing can be taken for granted, let alone a presumption of 100% protection against cyberattack given the continuously evolving eco-system of actors within the domain.
How to spend the money? Even with the most diligent attention, existential threats are likely to emerge from the set of low-frequency, high impact events that are often (Nicholas Taleb’s “The Black Swan”) unconsidered or discounted.
Emerging constructs, such as “zero-trust”, “data-centric protection” and “AI” informed protections may offer the Chief Information Security Officer (“CISO”) an expanded portfolio of focused, granular and thus more efficient means of defence than previously available.
What do the Signals say?
Australian GDP in 2025 is approximately AUD2.7 trillion per annum in the year 2024 to 2025.
The Australian Signals Directorate (“ASD”) produces an annual commentary report on its activities; from this report 2024-2025:
“The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) responded to over 1,200 cybersecurity incidents – an 11% increase from last year. In FY2024–25, ASD’s ACSC received over 84,700 cybercrime reports – an average of one report every 6 minutes. For businesses, the average self-reported cost of cybercrime per report was up 50% overall ($80,850).”
A calculation from these reports suggests that the cost of cybercrime during the year was 84.700 * AUD80,850 = AUD6.8 billion, so say circa 0.26 percent of GDP.
AUD6.8 billion is quite a lot of money but not a particularly significant percentage of GDP. It may not be sufficient to cause a noticeable reduction in productivity growth. Paradoxically, the attention required for the protection of data assets may deliver value, tangible or unseen within the profile of information technology and other business costs.
Cyber Defence Budgets in Australia – What is known?
An estimate for the investment on cybersecurity in the Australian economy is AUD5 billion per annum, sourced from AustCyber. It has been asserted without a statement of evidence that this amount needs to increase to AUD10 billion.
The key question raised appears to be whether the known or unknown unknowns of “AI” technology adoption will drive increased cyberdefence expenditure in entities outside those focused on the development and deployment of information technology itself.
The total cost to the Australian economy of cyberdefence is therefore, at best an estimate, around AUD10billion (not including the suggested increase referenced above) – cost of crime remediation plus investment. This is circa 0.45 percent of Australian GDP in 2025. A rough-cut estimate is that cybersecurity constitutes 4-5 percent of Australian I.T. spending. This proportion might change given the current wave of data centre infrastructure spending or not.
There are a number of questions left unanswered by the ASD report that might assist determining the most effective future path of “I and E” on cyber defences:
What is the existing “I and E” in cyberdefences in the economy by sector? How effective is this cost in the prevention of remedial expense in these sectors?
What improvement – reduction in the cost of reported cybercrime – could be expected by increased “I and E” in cyberdefences? What is the relationship between these two variables? How best to deploy further investment? i.e. idiomatically, Any low-hanging fruit, best-bang-for-the-buck.
How can “I and E” be streamlined to meet current threats outside a provision for significant increases in the destructive efficiency of cyberattacks? How are these two concerns inter-woven?
Who is doing Number 1, Number 2 and Number 3? In which sectors of the economy? In which sectors of the economy is cyberdefence a significant productivity friction?
In Conclusion
Cybersecurity appears to be a focus of strong interest in the iTWire community. It is possible to estimate the current overall “I and E” of cybersecurity and the cost of cyberattacks in the Australian economy with reasonable confidence but more analysis is required to determine the efficiacy of current expenditure and the most effective ways in which money can be spend in the future in the performance of cyberdefence.
The picture is complicated by the arrival of emerging technology categories of cybersecurity tools and “AI” technology in both sides of the conflict.
In our next article, an approach is considered that can deliver an understanding of the efficacy of cyberdefence “I and E”, assist in the discussion of the domain across non-IT management dsiciplines and enable the informed deployment of new technology and methods in the protection of productive organisational assets.
Mr. Garg alerts us to future turbulence by reference to the economists at the Commonwealth Bank of Australia who suggest that 2026 will be a “challenge”. In other words, just like this year and the year before that, probably like 2027 and the year after that. The dismal science never fails.
For those that put food on the table through technology a.k.a. “knowledge workers” in Australian bureaucracies and regulated institutions not normally exposed to the chill winds of the economy, it might well be true that “a change is a coming”. Or at least starting to come.
The dot.com bubble was blown on hope and smoke and mirrors – the hope that the new technology and resultant ease of communication built on software and data as-a-productive-asset would compensate for the loss of old-world wealth generation through manufacturing widgets. Clinton signed Main Street away with NAFTA and the brutal mercantilism of the P.R.C. was naively or greedily, depending on one’s point of view, perceived as an opportunity to exploit fresh fields by U.S. and European capital.
The “AI” bubble is a different beast. There is a fear abroad.
At Opex Week, Sydney 2025 it was noticeable that the participants at the day in “knowledge work” were far more exercised about the adoption of “AI”, for purposes as yet to be precisely defined than those at the pointy end. The anxiety was palpable, some presenters truly unsettled by the potential consequences; no I am not having a chip implanted in my brain.
Mr. Garg clearly identifies the key issues to be considered, keeping on the right side of technology “groupthink”. But questions remain: Does technology enable or mitigate organisational adaptability? Where is the measurable value? There are clearly never going to be 175 new data centres in Australia by 2030. Perhaps the frictions and compromises of “cloud” are starting to emerge. Was it wise to give AWS a monopoly?
On the other hand, if as Trend Micro’s Ryan Flores suggests, the industrialisation of cyber-attacks is with us, perhaps only “AI” based apparatus can save us from the burgeoning costs of cybersecurity.
Cybersecurity company Trend Micro has released its annual Security Predictions Report for 2026, “warning that the coming year” will mark the true industrialisation of cybercrime.
APAC AI consultancy, V2 AI, has released the 2nd edition of its State of AI in Australia report revealing that while AI adoption is booming across Australian businesses, unlocking its full value depends on organisations upskilling their workforces, building best-practice operating models, and embedding robust responsible AI and security frameworks.
Case by Case Activity Based Costing Analysis is the tried and tested tool.
GUEST OPINION: The recent GTG-1002 campaign is not just another breach – it is a watershed moment in offensive cyber operations. For decades, cybersecurity was a game of time, where human attackers needed days or weeks to weaponise code, giving breathing room to patch. Now the exploit window has collapsed to zero.
