“Fear is a man’s best friend” is yet another great John Cale song. Dario Amodei of Anthropic has been listening.
In the Cyberwar arms race, Dario intends to lead, especially in the “scaring the pants off stakes”. There must be an IPO in the offing.
Way back in the day, as an ERP product manager, a moment’s scribble on the back of an envelope revealed the obvious: that off-piste explorations of the process path would lead to an unpleasant demise of reliable functionality. It was too complicated to test everything so just “don’t go there”.
Bill Gates, a past master at legedermain has been playing the game since DOS V1.0, a game that continues to infuriate to this day. In a masterful Twainian twist, (though it is unlikely there have been any royalty payments to the Twain Estate)
he has persuaded his gasping acolytes that beta-testing for free is a privilege (See “The Adventures of Tom Sawyer”).
Dario has amped it up. “Mythos” stalks the earth, remorselessly shining its light into the the murky depths of ancient code to reveal, quoting the Economist “Artificial Intelligence, Mythical Monster April 11th-17th 2026” that “severe vulnerabilities have been found in every major operating system and web browser, including one that had gone undetected for 27 years”.
In other news, there are bugs in software, especially in the dismal outpourings of early internet explorations, as decades of software engineering principles were trashed on the alter of cheap labour in the 1990’s; not an unfamiliar tale.
The digital computing machine is at the end of a Rogers’ innovation curve. Is “AI” just a last hurrah?
Introduction
In his classic work, (Rogers, 2003), Everett Rogers proposed the non-linearity of innovation adoption and its nature. Multiple examples are quoted including the emergence of the “Internet” up to 2003.
Figure 1. Diffusion of Innovations, Everett Rogers – for our purpose the “Rogers’ curve”
The economist Paul Krugman[1] famously stated that โproductivity isn’t everything, but, in the long run, it is almost everythingโ.
[2]“The reason productivity is so important, Krugman continued, is that โa country’s ability to improve its standard of living over time depends almost entirely on its ability to raise its output per workerโ.
From these two notions, it can be conjectured:
An innovation may increase “utility”, that is to say “improve quality of life” to those exposed[3]. A narrow proxy for utility is “productivity” which is an understood measurement in the U.S. and Australia. There are other perspectives on innovation effects e.g. “consumer welfare”[4] but these are out of scope.
Change in utility from an innovation can follow a “future offset” Rogers’ curve.
Within a Rogers’ curve, “fractal” Rogers’ curves may be observed caused by discontinuities in an innovation’s evolution e.g. in a “creative destruction” [5].
In the “late stage” Rogers’ curve, adoption rates can decline and innovations can turn “toxic”, reducing utility. Benefits often accrue early in the cycle and costs are deferred but as use increases, can grow in a non-linear fashion e.g. PFA’s.
“I.T.” including computation and communication began life as an innovation in the late 1940’s.
The innovation of I.T. follows the Rogers’ “curve” and two significant Rogers’ curves can be observed within – from the personal computer “PC” starting in the late 1970’s and the “Internet” revolution born in the late 1980’s.
A third potential significant discontinuity, “AI” as commonly understood, (not as a tool in functional niches), is now observed. The nature of this discontinuity and its effects on utility are as yet unknown.
In this analysis, the “PC”, “Internet” and “AI” discontinuities are compared and considered within the I.T. Rogers’ curve.
The “PC”
The dramatically reduced cost of computing power though the 60โs and 70โs (as illustrated by Gordon Moore’s misnamed but pertinent โMoore’s Law”[6]) lead to the emergence of โgarage bandโ entrepreneurs e.g. Microsoft, Apple that sought to deliver to a much broader community the facilities for computation, hitherto the preserve of the โBigโ โ government, corporations, military. Concurrent developments in software functionality enabled by cheaper computing power e.g. the “GUI” would accelerate the innovation cycle.
What were the effects?
1. Industry disruption; the I.T. industry, dominated by mainframe e.g. Amdahl, Sperry-Univac etc. and mini-computer players e.g. Data General, Digital Equipment was transformed by a convulsion so violent that eventually even IBM was brought low. Hardware and operating systems were commodified and de facto standardised; โOpen Sourceโ e.g. Linux emerged. This was an โasset lightโ and democratising revolution.
2. A mania? The 1980’s saw, to quote the Federal Reserve[7]:
“The first contemporary global financial crisis unfolded on October 19, 1987, a day known as “Black Monday,” when the Dow Jones Industrial Average dropped 22.6 percent.”
However, this was not an event associated particularly with investment in the I.T. sector; other more significant forces were at play including the enablement of automated trading by cheaper computing power where individual interests combined to generate a vortex of market decline[8].
3. Utility; The “PC” enabled businesses to dramatically reduce the costs of their non-value adding work. New direct sales and marketing processes enabled by low-cost data management software enabled higher productivity in the delivery of targeted goods and services without the need for expensive โmass mediaโ. The personalisation of marketing and media had begun.
However, in 1987, Robert Solow[9] remarked โYou can see the computer age everywhere but in the productivity statistics”, leading to the term โSolow Paradoxโ where high levels of investment in digital technology do not lead to immediate economic benefit. In fact, during the 80โs economic growth in the U.S. declined.
Explanations might include:
Industry disruption is expensive and often resisted; a period of economic readjustment was necessary when generalised benefits were hard to discern as productive assets were dismantled and created a new in other configurations.
Lags from inertia and “frictions” applied to expenditure; capital equipment demands adaptation to be productive. It is conceivable that material productivity improvements were only realised when intra-entity “PC networking”, in support of commodified business management applications, was enabled.
The rise of the service sector as a proportion of the economy, in some ways a result of the reduced cost of computing power, in which it is difficult to measure “productivity”.
Difficulties in accounting for the new technology: hardware, software and services which is still a matter of debate and amendment by authorities[10].
The “Internet”
“Big” military, industry and academic networks had been in situ since the 60’s (Rogers, 2003) and a functional example of the “Internet” extant in France (“Minitel”[11]) since 1980, so the “Internet” concept was familiar. The reducing cost of I.T. equipment and “open standards” enabled the deployment of a commoditised tool for electronic communication. It can be argued that the emergence of the “Internet” within CERN itself followed a Rogers’ curve (Berners-Lee, 1999). Great hopes were vested in this technology for human advancement, not least by Berners-Lee himself[12]. In February 1996, the Section 630[13] ruling, confirmed the belief that new voices should emerge to challenge the existing political and media status quo. The Wall had fallen.
As per DeLong (DeLong, 2000), the “Solow Paradox” appeared to be resolved in the early to mid-nineties. DeLong made the following remark:
โ The almost inevitable conclusion is โ as Oliner and Sichel (2000) have argued most powerfully โ that the computer sector has in the past decade come of age as a macroeconomic factor. The productivity speed-up is due primarily to events in information technology.”
DeLong predicted a continued realisation of net benefit from I.T. investment both within and outside the U.S. economy in the following decade.
Productivity in the U.S. and Australia
DeLong was apparently justified by the U.S. in the 2000’s. The factors that cause “productivity” change cannot be easily identified or quantified {“correlation is not causation” etc.) but it appears that cheap, integrated computing power had a very positive influence up to 2007.
Remarkably, this improvement in utility occurred after the bursting of the e-commerce bubble in 2000 when as The Economist[14] remarks: “The Super Bowl of 2000 passed into market folklore as having epitomised internet-stock mania; no fewer than 17 dotcom firms paid millions of dollars each for 30 second advertising slots. Weeks later share prices fell into a brutal bear market”.
It appears that in the U.S. a Rogers’ curve for I.T. was observed from the late 1940’s. Early adoption by the “Big” – government, the military, was followed by a period of quietude (Only seven of the Ferranti Mark 1 machines were sold in the 1950’s[15]) as underlying tectonics realigned. The “PC” and “Internet” revolutions, themselves observed as “fractal” Rogers’ curves, ignited a “Take-Off” in the late 1980’s that continued until circa 2007. As conjectured. utility from I.T. as expressed by productivity seems to have followed an aligned and offset Rogers’ curve from adoption.
A similar pattern in Australia to the U.S. is observed where it appears that a combination of factors, arguably including the dividend of cheap computing power utilisation resulted in significant improvements in utility during the decades around the turn of the century.
The RBA (R.B.A., 2025) comments:
“For example, labour productivity (output per hour worked) currently sits around its 2016 level, whereas it grew very strongly from the mid-1990s to mid-2000s.”
The Data-Processing Engine
All good things come to an end as would be expected by reference to the Rogers’ curve, its extrapolation to utility and the nature of the data-processing engine.
Limits are reached – there is only a certain speed at which received information can be wisely processed and I.T. assets “rot” almost immediately from their deployment as changes are made to functionality and configuration; increasing monies are spent on the maintenance of existing systems, not the implementation of innovation. Network effects only go so far, “legacy” and barriers to entry emerge.
Business practices and processes that were once performed at very low levels of “friction” are increasingly burdened with bureaucratic interventions (often of dubious merit and ironically only possible because of I.T.) and bad actors.
Take cybersecurity, which although estimated[16] at only a fractional percentage of Australian GDP (0.04%) expenditure is nevertheless a significant impost on this economy. This technology often reduces the operational efficiency of processes either directly or indirectly and is a cost, either in I.T. system maintenance or an insurance against contingent risk.
“AI”
“Social media” has been extremely disruptive in its effects since the late 2000’s though it does not appear at first glance to have improved utility either in the U.S. or Australia[17]. Will “AI” change the effect of I.T. investment?
Consider “AI” versus the “PC” and the “Internet”:
A tenor of “fear and loathing”[18] is abroad, not hope and optimism as previously observed. This is evidenced by:
“AI” as a justification for white-collar work redundancies e.g. the C.B.A, Block and Atlassian[19][20].
Evidence of exploitative work practices supporting the provision of “AI” ย (Muldoon, 2024). ย
The emblematic lawsuit between Open-AI and its partner Microsoft[21] and the New York Times regarding the alleged theft of intellectual property from that publisher.
Top-down, scare-tactic, propaganda by “AI” players governments – “LinkedIn” et al.
Social unrest around the technology and its perceived consequences.[22]
“Asset-heavy”, not “Asset-Light”; “AI” data-processing is extremely complex and energy-intensive therefore expensive and condensed, the opposite of the “PC” and “Internet” proposition, even if the driver, cheaper unit processing power, is the same. To quote The Economist[23] again “Alphabet, Amazon, Meta and Microsoft have said they will spend US660bn on “AI” in 2026, staggering sums.” According to the IEA, electricity supply for “AI” is planned to grow in six years from 460 TWH to 1000 TWH, circa 3% of total present global generating capacity[24]. Further study is advised to determine the viability of this proposition.
Markets remain sceptical of “Big Tech” expenditure on “AI” and uncertain of valuations[25]. They have not afforded entrants the euphoria of the dot-com era[26][27]. Other factors, including circular financing[28] by some “AI” players may have brought some caution to the table. Markets have punished both the work-platform firms e.g. Atlassian, ServiceNow and their antagonistic “AI” entities on the same day.[29] The primary characteristic of “bubbles” (Shiller, 2008), “social contagion” is not yet on vivid display. The forthcoming IPOs of Open-AI, Anthropic and Space-X may tell a different story.
The Thrill has Gone
The I.T. Rogers’ curve. is now eighty-years old, an aging boomer whose glory days are long gone as measured by the conjectured proxy for utility. Will “AI” re-energise the delivery of utility from I.T. on its own Rogers’ curve?
The following, based on a comparison with the “PC” and the “Internet” suggest not:
The “vibe” of the “PC” and “Internet” revolutions is markedly absent.
intense concentration of the assets required for “AI” deployment within an existing circle of agency, the empire[30] of “Big Tech” and its totalitarian peers.
The stated aim which appears to be the reduction of utility, “Productivity” is to be improved by the reduction of cost through increased unemployment and diminished freedom. The mechanism? The theft of human expertise using the pernicious drug of convenience.
Markets are ambivalent.
With luck, uncertain and trimmed by the Iran conflict, they will decide it is not worth it.
Bibliography
Berners-Lee, T. (1999). Weaving the Web. Orion Business Books.
DeLong, J. B. (2000). https://www.rba.gov.au/publications/confs/2000/delong.html. Resreve Bank of Australia.
Muldoon, Graham and Cant. (2024). Feeding the Machine: The Hidden Human Labour Powering AI. Bloomsbury.
[3] “Exposed” describes a multitude of personal and organisational experiences. Benefits and costs will not accrue equally across the “exposed” but a generalised improvement in utility could be said to apply when for “most of the people, most of the time”.
[4] https://conversableeconomist.com/2021/02/24/robert-j-gordon-thoughts-on-long-run-us-productivity-growth/ and The Rise and Fall of American Growth, Robert J. Gordon, 2016 ISBN 9780691175805
Looking for clues in Python Programming Productivity – “AI” Sludge vs. Clear Exposition.
Python Documentation
There’s abstruse and incomprehensible and surely most formal Python documentation for the average business technician/knowledge-worker/hacker/scribbler/programmer meanders somewhere in between. Communities emerged to cope StackOverflow, Youtube etc. No “RTFM” for these guys and gals, more “DIY”. Ten years ago, quite a shock for a geezer thrown in to the pool of methods and objects. Where’s the register? And pythonistas were you taught not to comment your code.
Keep it Simple Stupid (“KISS”)
A golden rule of computer science etc. used to be “KISS”. Was this ever a rule, more an observation? Like Moore’s Law a bit of a misnomer.
Assume “KISS” is still a rule (like “GIGO”).
If “KISS” is a rule does “AI” simplify?
Like for example, a Youtube video by somebody who, with clear and concise explanation, very easily makes things simple. Somebody who knows how to educate. Corey Schafer that’s you.
Or a well-written note that matches the “what” with the “how”, featuring more than the occasional snippet.
Productivity doing hard things will not be improved by throwing more at the wall, the default response of an “AI” prompt.
Perhaps we should be grateful. Any idiot can make the complex complicated. Making the complex simple requires a mind.
Has the addition of “AI” engagements improved the customer experience? Is the Raspberry Pi cooked?
The “AI” Mercury Switch at ii-net
How’s your broadband going? If you are with ii-net in Australia you’ve probably found that if it isn’t going too well then when you call them up, instead of the simple pressing of a few buttons to get you to some one who has a good idea what’s going on (usually the case it has to be said) there is a new intervention: an emulation of a hapless adolescent posing the question “how can I help?”
In a sentence.
Problem? Even if you could construct a reasonable and publishable sentence to describe your current state of NBN despair, you cannot make yourself understood as the mobile phone no longer carries a signal of sufficient clarity to convey a message of any substance so the meaning is lost.
And time wasted. Why?
An agent at ii-net and I were having a laugh about my wasted time and he suggested that the “AI” intervention was needed to meet the requirements of the young. After all, the young are blessed with much time, though as Mose Allison implied perhaps little else.
The Irritating Avatar
Hold on, what’s going on? Crafting is going on and a strong recommendation is the “30 Days as Lost in Space” kit from Crafting Table. As stated on the tin, perfect for beginners.
What however is this that stands before me? An intervention by a curious being seemingly half way between everywhere; red dwarfed by Youtube. Is this “thing” necessary or a distraction from the tasks engaged?
Try out the kit and you be the judge.
Raspberry Pi or Pickle
The squeezed middle is a painful place to be.
Total cost of purchase of a working pi?
keyboard, mouse, sd card and monitor is getting for four hundred Australian bucks. A fully configured low-spec laptop with windows and office price in fact for which one can grab a full-fat python for free.
The unboxing wasn’t great; screwholes but no screws and the cooling fan connector with the power on the board was a bit fiddly. And then it broke or least the connection didn’t conduct; No fan.
The OS download was OK but then the monitor went into sleep mode and wouldn’t wake up either with ubunto or raspberry os. What to do? Lots of online guidance that assumed prior knowledge lead to a few changes to the config.txt with notepad and a re-boot. No luck. Another monitor, I don’t think so as the one in use displayed switch-on diagnostics just fine and worked with the laptop. It’s not worth the money.
To program? Back to the laptop,
The Heath Robinson hack appeal of the pi still attracts but maybe, like many artefacts and initiatives in the technology world, commodification has come for its lunch.
On the 30th Anniversary of the Legal Ruling (Section 230 (c) (1)) that for better or worse, cast the nature of our times, technology in the form of “AI” agents has driven the lucrative “platform” gravy train into the buffers.
Let’s look at those share prices again
Service sector work platforms derived from the search and social media platforms that flourished under the protection of Section 230 (c) (1) have proved highly lucrative in the age of digital paper-pushing. Markets however seem to think that “AI” might be about to eat their lunch, as at 5th February 2026:
PEGA โ down 43% in five years, down 29% YTD
Salesforce โ down 16% in five years, down 21% YTD
Workday โ down 35% in five years, down 17% YTD
SAP โ up 54% in 5 years, down 16% YTD
Atlassian โ down 56% in 5 years, down 32% YTD
ServiceNow โ down 5% in 5 years, down 25% YTD
Monday.com โ down 44% in 5 years, down 27% YTD
According to the UK’s Daily Telegraph “AIโs apocalyptic jobs prophecy is about to become reality“, the future is now and markets, are jumping, perhaps to premature conclusions. It could be argued that these firms have been generously valued for an extended period and as such have become bloated and overburdened themselves with the bureaucratic impediments they propose to minimise in their client organisations.
Even if “AI” can deliver as prophised by its evangelists, the re-engineering of “legacy” systems and practice will be enormously expensive and time-consuming, battling both inertia and active resistance. What is perhaps universally true, is that benefits will accrue to early adopters while the frictions will accumulate over time, slowly but inevitably eroding any competative advantage.
Paul A. Strassmann’s book “The Economics of Corporate Information Systems: Measuring Information Payoffs” from an earlier era in the evolution of digital systems tells an interesting story.
A Minsky Moment
What is clear though, is that for the “platform players” and the management consultants that have feasted at their table, what cannot go on forever has finally stopped; a metaphoric and in some ways literal, “Minsky Moment”
Who can afford governance when it looks like this?
Whither AI?
In the current mania, much conversation centres around the concept of “AI” governance?
Why? and what is “AI” governance? Now and in the future.
The issue is this. Even if “AI” tooling can be acceptably governed (if this can be defined) how much is this going to cost. Does the cost of governance (a “friction”) militate the use of “AI” as the benefits no longer outweigh the costs.
For example, in automated systems, an assumption might be that a given set of inputs will always generate a given set of outputs. A cake recipe when followed with fidelity will produce a cake. Is the respect of this principle a “core competence” of “AI” without significant investment in guardrails, audit etc.
The use of ISO Standards
It can be argued that a mechanism for a reasonable response to the use of new technologies is the adoption of ISO standards e.g. ISO27001 and for “AI” ISO42001, given that independent first principle analysis and deployment of requirements will be beyond the resources of most organisations.
A feature of “platform engineering” could be that compliance and governance functionality is available by default to engineers in their work.
In fact, one of the benefits of the adoption of “public cloud” platforms is the availability of default compliance functionality from the platform – for example in “privacy” – by the certified ISO handling of “personal data” or “personal information” as defined by the applied regulation. It is hard to envisage the circumstances in which a regulator would object to the reliance of a “public cloud” customer on a provider from the current “Big Tech” cohort.
Tendency to Oligopoly at Best
Current valuations for “AI” suggest that investors are betting on the identity of the eventual number one of one provider of “AI” services, given the enormous capital costs required for its deployment.
Equally, the complexities of “AI” deployment suggest that there will be a tendency towards at best an oligopoly of suppliers in the provision of governance, preferably systemised as a commodity.
Oligopoly profits and pricing privileges for “Big Tech” await, again, this time as an unintended consequence of regulation and governance.
The use of Information technology in the “internet age” has not delivered the wealth creation (measured by productivity improvement) prophesied by its evangelists. Yet expenditure on I.T. continues inexorably to rise. Can the introduction of โAIโ better deliver value? โYesโ if it can it cut the cost of โException-handlingโ The following article from iTWire illustrates the point.
Figure 1. A framework for process optimization perhaps using information technology as the automation mechanism.
The improvement of manufacturing is hard. Armadas of consultants were deployed in the 1990โs to improve manufacturing productivity (using process analysis) in automated or partially automated systems, by slivers of percentage points (Six Sigma anyone?) . “Business Process Re-engineering” (“BPR”) was all the rage until the unfortunate (deliberate?) migration of much manufacturing activity outside of Western economies.
“Digital Transformation” is the new Black
“BPR” has re-emerged, rebranded as “digital transformation” in recent years across all sectors. However, the focus of these exercises should be more a fundamental recast of business activities, e.g. multi-channel sales, rather than solely a search for improvements in existing processes through automation. A fine distinction perhaps.
Something, sometime will go wrong. Oversight.
It is a reasonable premise that a provision for every material malfunction โ “unconstrained exception-handling” โ cannot be (theoretically?) practically engineered into any system “devoid of oversight”; a “person” to act beyond computation is required.
So to automate out completely the presence of a “person” would suggest there is no unacceptable “unexpected”. “Oversight” is not required. Ergo an automated taxi that travels with less than injurious energy is OK. Over that?
Does automation add up?
Given that oversight by a person(s) is a required component of a system then why spend money on automation?
If 80% of the work needed to deliver the desired output can be done with a “person included system” that costs 20% (analysis, design, build and maintain) of a “person devoid” system then a person is required to do the remaining 20% of the work, usually “exception-handling”.
Why can’t the person do the 80% as well? And do other work too?
Hence the ubiquity of the Excel proficient knowledge worker and the like in service sector offices.
Of course, if growth or other changes in business circumstance transpire then the equation can flex.
El Dorado or up the garden path?
Engaging in process optimization work may deliver but fool’s gold. Productivity can be improved, often by quite simple means โ the improvement in the accuracy of a process, removing duplication, perhaps updating a key constituent component or service. On the other hand, an organisational psychosis can emerge e.g. obsessive benchmarking, that delivers only diminishing returns and which diverts scarce resources from other perhaps more vital activities like product development, marketing and sales. More dangerous still, focus is directed to the internal rather than on the external where existential risks can emerge.
What to make then of the โAutomationโ mania currently sweeping the service sector, driven by the hype of the โAIโ free lunch.
Internet Productivity = Zipless; โAIโ Productivity = Zipplus?
The above graph of Australian Labour Productivity since the turn of the millennium aligns approximately with the โinternet ageโ. It is โpretty ordinaryโ as per the local vernacular.
This suggests that I.T. expenditure is approximately 5% of Australian GDP and it is suggested by the same source, Gartner, that this percentage will continue to increase. In the assumption that this category of expenditure has been 3%-4% percent of GDP over the period of interest (2003-2025) in Australia, it could be said that it is difficult to see how this expenditure has had a positive effect on wealth creation i.e. improved output per unit of input. Perhaps it has been acting against other frictions that have been working to reduce wealth creation. What might be those frictions? Are they generated by the previous systems (โtech debtโ is the common expression) built by previous I.T. investment and accompanying practices?
It should be noted that it not just the Australian economy, as pointed out by Krugman and Gordon, in which productivity improvement from information technology investment is hard, if not impossible, to find.
Exceptions, on exceptions, on exceptions etc.
In the case study, the following is claimed:
โMonth-end stress often traces back to a single operational truth: invoices that cannot post without human intervention. Exceptions stall payments, distort accruals, and absorb analyst time that should go to forecasting and vendor performance reviews.โ
The article then explains how to reduce the impeding exceptions that militate the automation of the process. It might be sardonically observed:
The resources will never exist to perform this work (it will always be the last item on the backlog).
The initial work generates an outcome that demands further, continuous work thus cost and therefore little productivity improvement.
It is therefore probably easier and cheaper to employ somebody to tidy up the exceptions and therefore handle the entire process when not so occupied.
This case study well illustrates the potential false promise of productivity gains through I.T. investment in service sector activities. Consider:
Complex data-processing systems accrete โexceptionโ conditions.
The cost of the removal and automated handling of โexceptionsโ exceeds the cost of tolerating the โexceptionsโ.
Overtime the data-processing systems โrotโ through the accretion of exceptions and efforts to mitigate the effects of those exceptions; in competitive markets, an enterprise must respond or face the consequences. In the public sector or the regulated service sector, this process can continue effectively ad infinitum as the incentives for a reset solution do not exist. The organisation therefore becomes more inefficient as the rotting systems require more and more expense to maintain their functionality. Hence, productivity declines.
In addition, regulators insist on the introduction of new complexities into these rotting systems, which perhaps while justified, further add and entrench exceptions thus increasing the cost of outputs.
Easing Exceptions โ an opportunity, a test for โAIโ
What if there was a mechanism to eliminate the “exceptions” that bedevil rotting data-processing systems or significantly reduce the cost of maintenance of โexception handlingโ in those systems?
Is this an opportunity for “AI” technology and associated practice? Is “AI” really the step-change up from other available mechanisms as proponents claim?
Applied to the case study, the argument for “AI” is that a relatively inexpensive and pliable โAIโ based function could be embedded in the invoice handling process to minimise the disruptive effect of malformed documents. This would enable the implementation of an automated system. Existing staff could be more gainfully employed and any growth in volumes handled by the automation without further expense.
The economics might suddenly work.
In this context, two methods exist to best examine opportunities within the organisation: cybernetics – to identify the complex data flows within systems and activity-based accounting to identify associated value and cost.
Pesky Customers โ who needs โem?
Figure 2. Customers, what customers?
Monopolists and oligopolists in the Australian economy e.g. Big Tech and banks, comfortable in their privileged market position, seem particularly tempted to outsource their customer interactions to “AI” technology.
If “AI” can handle most of the “exceptions” why bother with those outside the scope of such solutions? Let the customers step into line.
Given that exception conditions are particularly frequent at the interfaces between processes this tendency, from a cost perspective is understandable. However, an issue for regulators and boards of increasingly insular corporates, hidden from customers behind walls of technology in silos of groupthink will be whether โexceptionalโ customers and cases will continue to be worthy of attention.
Given that an organisation may wish to make an informed decision about their cyberdefence concerns, the following approach can deliver a coherent evaluation.
In the APRA practice guide, CPG 235, a โfractalโ primitive of data processing is defined. This logical data-life cycle โprimitiveโ suggests the following cybersecurity concepts:
Perimeter protection โ a component of data-capture
Zero-trust โ data processing, retention and publishing
Data Centric Security โ data processing, retention and disposal given that publication suggests outputs beyond the domain into the data-capture of a related data process.
Figure 1. CPG 235 Data Processing “Fractal” PrimitiveFigure 2. CPG 235 Data Processing “Fractal” primitive, decomposed to the next level of resolution.
A simple business plan can be created for each “primitive”, described by cybernetic analysis estimating the cost of risk mitigation and the contingent provision required in the event of a catastrophic event. Some of the details required for this exercise may already be present as they are an output from other work e.g. privacy impact assessments.
Figure 3. Illustrative “business plan” with expenditure and provisions. Variables including time-scales, line-item detail can be adjusted as required by circumstances.
Expenditure in tooling and expertise etc. can then be allocated to the protection of these assets, the data processed and the supporting infrastructure, ranked by the cost of remediation of a catastrophic event.
Such existing sophistication or its elements already exist in many entities, for example, financial institutions but can be replicated or adapted to be of use in more modest circumstance. The analysis can be either as high or as low in resolution as required.
Through a focus on monetary values, matched to the charts of account or financial plans, the argument for cyberdefence investment can be made more easily to managerial colleagues from non-IT disciplines.
To complete the exercise, a test against contemporary jurisdictional regulation can be conducted through examination of the scheme of expenditure. Given that incidents will always occur, the question can be asked: โIs this a reasonable response that would be deemed a prudent act of stewardship when viewed by internal and external parties?โ.
In conclusion
The outlined approach, where the questions “Why” and “What” are separated from the “How” enables an informed consideration and thus decision-making framework for the deployment of cyberdefence. Communication between management disciples is facilitated and measurable financial outcomes can be identified and subsequently evaluated for future refinement of the domain e.g. technology upgrade, process automation.
Cyber Defence – Protecting the productive assets of the organisation. The Why, What and How.
iTWire โReadsโ
Cyber Security
Cyber and โAIโ
All
Totalled โReadsโ
8,618
12,923
21,124
Percentage โReadsโ
40.80%
61.18%
100.00%
Figure 1. well illustrates that which exercises the readership of iTWire in the most recent week considered. Cybersecurity and โAIโ are aggregated as, in the articles published, there is nearly always a reference to the โcybersecurityโ construct in โAIโ articles. Articles on โAIโ that explicitly do not have been excluded.
Why is cybersecurity (for this purpose, consider cybersecurity as the means to achieve cyber defence the business function – the protection of company assets). worthy of such attention? Perhaps it is not, depending on your point of view: โFormer Optus CEO lands top role at Australian Unityโ
Managing Cyberdefence
What is the appropriate response of an organisation to the risk of cyberattack? Simplistically categorised, possible approaches are as follows:
Ignore or rationalise and tidy up the mess if the worst comes to the worst
Do as little as possible given the regulatory framework in the jurisdictions of concern
Proactively embed defences within the organisation at points of vulnerability with reference to the balance sheet of technological assets within the purview of the organisation.
The judgement to be made, is whether the cost of the โmitigationโ e.g. insure, engineer of the risk, outweighs or not the cost of the clean-up e.g. provision for contingent expenditure on the balance sheet. Imperatives within the public sector and institutions maybe differently expressed but let us say are of the same general form.
Sometimes, the cost of mitigation will be so high within the strict if not reasonably interpreted parameters of the legislation e.g. EU:GDPR, that Number 2 will be out of reach even with a well-orchestrated Number 3 approach.
Number 2 will do
Consider the โEnforceable Undertakingโ imposed by the OAIC against the Commonwealth Bank of Australia, a singular institution within the nation. It can be argued that compliance to the APA 1988 requires, as a pre-requisite, secure data handling. It is unclear whether the CBA was negligent or ignorant of the consequences of this assertion viewed against the position of the regulator. Was it cheaper to fix up the mess or to take a priori, as is clear in the language of the regulator, reasonable steps to protect the interests of the individual as manifested in their personal information.
Number 3 the place for me
Nothing can be taken for granted, let alone a presumption of 100% protection against cyberattack given the continuously evolving eco-system of actors within the domain.
How to spend the money? Even with the most diligent attention, existential threats are likely to emerge from the set of low-frequency, high impact events that are often (Nicholas Talebโs โThe Black Swanโ) unconsidered or discounted.
Emerging constructs, such as โzero-trustโ, โdata-centric protectionโ and โAIโ informed protections may offer the Chief Information Security Officer (โCISOโ) an expanded portfolio of focused, granular and thus more efficient means of defence than previously available.
What do the Signals say?
Australian GDP in 2025 is approximately AUD2.7 trillion per annum in the year 2024 to 2025.
The Australian Signals Directorate (โASDโ) produces an annual commentary report on its activities; from this report 2024-2025:
โThe Australian Signals Directorateโs Australian Cyber Security Centre (ASDโs ACSC) responded to over 1,200 cybersecurity incidents โ an 11% increase from last year. In FY2024โ25, ASDโs ACSC received over 84,700 cybercrime reports โ an average of one report every 6 minutes. For businesses, the average self-reported cost of cybercrime per report was up 50% overall ($80,850).โ
A calculation from these reports suggests that the cost of cybercrime during the year was 84.700 * AUD80,850 = AUD6.8 billion, so say circa 0.26 percent of GDP.
AUD6.8 billion is quite a lot of money but not a particularly significant percentage of GDP. It may not be sufficient to cause a noticeable reduction in productivity growth. Paradoxically, the attention required for the protection of data assets may deliver value, tangible or unseen within the profile of information technology and other business costs.
Cyber Defence Budgets in Australia โ What is known?
An estimate for the investment on cybersecurity in the Australian economy is AUD5 billion per annum, sourced from AustCyber. It has been asserted without a statement of evidence that this amount needs to increase to AUD10 billion.
The key question raised appears to be whether the known or unknown unknowns of โAIโ technology adoption will drive increased cyberdefence expenditure in entities outside those focused on the development and deployment of information technology itself.
The total cost to the Australian economy of cyberdefence is therefore, at best an estimate, around AUD10billion (not including the suggested increase referenced above) โ cost of crime remediation plus investment. This is circa 0.45 percent of Australian GDP in 2025. A rough-cut estimate is that cybersecurity constitutes 4-5 percent of Australian I.T. spending. This proportion might change given the current wave of data centre infrastructure spending or not.
There are a number of questions left unanswered by the ASD report that might assist determining the most effective future path of โI and Eโ on cyber defences:
What is the existing โI and Eโ in cyberdefences in the economy by sector? How effective is this cost in the prevention of remedial expense in these sectors?
What improvement โ reduction in the cost of reported cybercrime โ could be expected by increased โI and Eโ in cyberdefences? What is the relationship between these two variables? How best to deploy further investment? i.e. idiomatically, Any low-hanging fruit, best-bang-for-the-buck.
How can โI and Eโ be streamlined to meet current threats outside a provision for significant increases in the destructive efficiency of cyberattacks? How are these two concerns inter-woven?
Who is doing Number 1, Number 2 and Number 3? In which sectors of the economy? In which sectors of the economy is cyberdefence a significant productivity friction?
In Conclusion
Cybersecurity appears to be a focus of strong interest in the iTWire community. It is possible to estimate the current overall โI and Eโ of cybersecurity and the cost of cyberattacks in the Australian economy with reasonable confidence but more analysis is required to determine the efficiacy of current expenditure and the most effective ways in which money can be spend in the future in the performance of cyberdefence.
The picture is complicated by the arrival of emerging technology categories of cybersecurity tools and โAIโ technology in both sides of the conflict.
In our next article, an approach is considered that can deliver an understanding of the efficacy of cyberdefence โI and Eโ, assist in the discussion of the domain across non-IT management dsiciplines and enable the informed deployment of new technology and methods in the protection of productive organisational assets.
