Tower Bridge - seen from the Tower of London - April 2026

The Many Faces of the Security Poverty Line

Note: This post is from a research question I presented to Claude about the Security Poverty Line, and where specific companies live in various security socio-economic classes. If it feels AI written, that is because much of it was.

The diagnosis we got right, and the discourse it produced

In 2011, Wendy Nather coined the Security Poverty Line while at 451 Research, and formalized it in her 2013 RSA presentation “Living Below the Security Poverty Line: Coping Mechanisms.”[1] The idea was simple: there is a threshold of resources, expertise, and influence below which an organization cannot adequately defend itself, no matter how much it wants to. Below that line, you don’t have the budget, you can’t hire the staff, you lack the expertise to evaluate vendor claims, and you have no leverage with vendors, regulators, or auditors. You take what your providers give you.[2]

Fifteen years on, the concept has been picked up by Cisco (as a “human rights” framing[3]), the Cyber Threat Alliance, vendor risk specialists, and venture-funded security researchers writing about market failure.[4] Nather herself has expanded it well beyond money to include expertise, capability, and influence, and she has pushed back hard on the “just do the basics” trope: “If the basics were easy, they would already be done. Asset inventory, change management, and access control sound simple on paper, but they are extremely hard in modern environments.”[5]

What the discourse has not done in fifteen years is develop the rest of the class structure. The conversation remains stubbornly binary: above the line or below it. Haves or have-nots. The cyber 1% or everyone else.[6]

This is the same mistake economists have been making about poverty for sixty years, and we ought to learn from it.

What Michael Green’s “Valley of Death” actually tells us

In November 2025, Michael Green published a piece titled “Part 1: My Life Is a Lie” arguing that the US poverty line — calculated as three times the cost of a minimum food diet in 1963, adjusted for inflation — has become a measurement of starvation rather than a measurement of inadequacy.[7] Green’s argument runs roughly:

The 1963 formula assumed food was about a third of household spending. Today food at home is 5-7%. Housing is 35-45%. Healthcare is 15-25%. Childcare for families with young children can be 20-40%. If you keep the original methodology and update the food share, the multiplier is no longer three. It is sixteen. The honest poverty line for a family of four today is somewhere between $130,000 and $150,000, not the official $31,200.[8]

The structural consequence Green calls the Valley of Death. Means-tested benefits are designed to catch people at the very bottom and they cliff hard as income rises. A family climbing from $35,000 to $100,000 loses Medicaid, loses childcare subsidies, loses SNAP, but inherits market-rate costs for all of those things. The $65,000 family is materially worse off than the $35,000 family. The state gave the $35,000 family a life vest. The state told the $65,000 family they are now a “high earner” and tied an anchor to their ankle called “Market Price.”[9]

Green’s frame produces several concepts worth borrowing wholesale:

  • Participation tickets: the inescapable costs of being a functioning economic actor, distinct from the cost of luxury.
  • Super-cooled water: a family with $79k of fixed costs on $80k of income looks stable but is one shock away from instant freezing.
  • Phase change vs. mean reversion: falling below the line isn’t a temporary dip; it’s a state change (bankruptcy, eviction, credit destruction) with its own latent heat. Recovery requires exponentially more energy than the fall.
  • Altruism is a function of surplus: people in the Valley resent people below the line not because they lack empathy, but because they cannot afford it.

The argument is American in its specifics — means-tested benefits cliffing, privatized healthcare, market-rate childcare, student debt — but the structure of it generalizes. There is a measurement we use to identify crisis, there is a much higher threshold of actual self-sufficiency, and in between there is a population that is invisible to both the support apparatus and the cultural narrative because it appears, on paper, to be fine.

Mapping economic class onto security maturity

There is no clean, agreed definition of “middle class” in the US. Three competing definitions are in active use, and they give meaningfully different answers:

The academic sociology answer (Gilbert/Thompson/Hickey): the upper middle class is roughly 15% of the US population, defined by occupation and education rather than just income.[10] Highly salaried professionals — judges, senior military officers, engineers, professors, architects, airline pilots — whose work enables above-average autonomy. The defining feature is professional autonomy and educational credentials, not the dollar figure.

The Pew income-band answer: middle class is 2/3 to 2x the median household income. For a three-person US household in 2022 dollars, that was roughly $56,600 to $169,800.[11] Above $169,800 you’re in the upper-income tier, which Pew estimates is about 19% of households.

The AEI broader-band answer: the upper middle class is households earning between $153,864 and $461,592 for a family of four — about 31% of US households, now the largest single income group.[12] The “rich” by AEI’s count are about 3.7% of households, defined as households earning above $461,592 for a family of four.

The OECD provides the cleanest three-way split, which I think is the most useful for the security analogy: lower middle class is 75-100% of median, middle middle is 100-150%, upper middle is 150-200%.[13] Apply that to US 2024 median household income of about $80k and you get:

  • Lower middle: $60k - $80k
  • Middle middle: $80k - $120k
  • Upper middle: $120k - $160k

Above $160k is no longer middle class in this framework. It’s high-income, and it overlaps with the entire region Green identifies as the “real” survival threshold.

The five-tier security class model

Once you accept that the binary breaks down, a five-tier model falls out naturally. I’ll name each tier and describe what it actually looks like operationally.

Tier 1: The Security Oligarchy (the 0.1%)

Google, Microsoft, Apple, Amazon, Meta, Cloudflare. Maybe a handful of others. These organizations don’t just defend themselves — they define what defense looks like for everyone else, across every vertical, because the infrastructure they operate (the OS, the browser, the cloud, the CDN, the identity layer) is the substrate everyone else runs on.

What distinguishes them:

  • They write the standards. Google’s Project Zero sets industry-wide disclosure norms. Microsoft’s MSRC shapes vulnerability handling expectations across the whole ecosystem. AWS’s defaults define what “good” looks like across every cloud deployment in the world. These aren’t vertical standards — they’re cross-vertical standards that everyone else inherits whether they want to or not.
  • They build, not buy. Internal tooling years ahead of anything commercially available. Google has BeyondCorp, Tink, gVisor. Meta has internal security infrastructure that would be a successful product company if spun out. Apple ships hardware security in silicon.
  • They hire the talent. Top security researchers gravitate to them because that’s where the interesting problems are and where the comp is. Everyone else competes for whoever didn’t make it through the Google interview.
  • They survive incidents. A breach that would bankrupt a smaller org is absorbed and disclosed in a blog post.

The word “Aristocracy” doesn’t fit because aristocracies inherit position from prior institutions. These companies didn’t inherit anything — they built their position from scratch over the last 25 years, and they govern the substrate the rest of the field operates on without consultation. That’s why “Oligarchy” fits: the defining feature isn’t just being rich, it’s governing infrastructure that everyone else has no choice but to use.

Tier 2: The Security Aristocracy and the 1%

The major banks (JPMorgan, Goldman, Bank of America), the major intelligence services (NSA, GCHQ, Unit 8200), F100 industrials, big pharma, top-tier financial regulators, and the most mature SaaS and infrastructure companies below the Oligarchy tier. The big banks and the intelligence services are the closest thing security has to an aristocracy — old institutions with inherited legitimacy, deep state ties, generational professional pedigree, and a culture that takes security seriously because they have always had to. The F100 industrials are the moneyed 1% — large security programs, real CISO peer networks, real maturity — but without the same depth of institutional security culture that banks and intel agencies have built over decades.

What characterizes the whole tier:

  • They set standards for their verticals, not for the cross-vertical ecosystem. Banking has its own standards (FFIEC, PCI at scale, SWIFT CSP, the bank-driven third-party risk regimes that vendors have to comply with). Healthcare has HITRUST. Critical infrastructure has its own. These standards are real and binding inside their sectors, and they shape vendor behavior, but they don’t define what security means for everyone else the way the Oligarchy’s choices do.
  • They consume what the Oligarchy builds, but they consume the best of what’s commercially available, and they can demand custom contracts and features from vendors, including the Oligarchs themselves. A major bank or intelligence service negotiating with Microsoft gets terms that mid-market customers never see.
  • They have real incident absorption capacity — balance sheets, legal teams, regulatory relationships, and political capital that mean a breach is a manageable event rather than a phase change.

Tier 3: The Security Upper Middle (the 10%)

This is the tier I’d put pre-AT&T WarnerMedia in. Real CISO and Deputy CISO. GRC team. BCP/DR team. ProdSec team. VM team. At least one Cloud Security Architect. A 24/7 SOC, even if it’s an MDR partnership. Real budget, real headcount, real programs. F500 (and at the time, possibly F100), but not industry-shaping.

The defining feature, borrowing from Gilbert/Thompson/Hickey: professional autonomy and credentialing. The CISO at this tier has discretion. They report to a real executive. They can pay their people enough to retain them. They have peer networks. They go to conferences, present at conferences. They are credentialed professionals doing autonomous work, and they aren’t living one decision away from termination.

They can take a few hits and be OK. Not every hit — a major nation-state campaign against them would still hurt — but the structural ones: a ransomware attempt, a phishing campaign that breaches one user, a misconfiguration in production. These are recoverable events, not phase-change events.

This is the tier that’s almost completely absent from the discourse. The Oligarchy talks about itself in research papers. The 1% talks about itself in CISO peer groups and ISACs. Below the poverty line gets advocacy from CISA, Sightline Security, the Ransomware Task Force. The upper middle just… shows up to BSides and gets back to work.

Tier 4: The Security Valley of Death

The 50-2,500 employee company with a small security team that has SOC 2, has tools, looks fine from the outside, and is one serious incident from a corporate phase change. This is the largest tier by population and the least discussed.

The cliff effects are real and they mirror Green’s benefits cliffs:

  • The SOC 2 cliff. A growing SaaS company gets a friendly nudge from a customer. They sign with Vanta or Drata, hire a fractional CISO for a few hours a month, pass SOC 2 Type I. From the outside they look fine. From the inside they have a checklist, an annual audit, and zero operational capability. They’ve crossed from “obviously poor” to “presumed self-sufficient,” but their actual security posture has barely moved. They’ve taken on participation costs (audit fees, tool licenses, policy maintenance, vendor questionnaire response) without gaining survival capability.
  • The first-hire cliff. A 300-person company hires its first security person. The board now believes security is “handled.” That person spends 100% of their time responding to security questionnaires, chasing developers for SOC 2 evidence, and putting out fires. They have no time to build a program. Their existence absorbs the organizational pressure that might otherwise have produced real investment. In some ways the org is worse off than if they had no security person at all — the gap is now invisible.
  • The tool-debt cliff. A 1,000-person company has accumulated CrowdStrike, Splunk, Wiz, Snyk, Okta, KnowBe4, and a dozen others because each was the answer to a specific board question or audit finding. The team of four can’t operate any of them properly. Participation costs (licenses, integration, vendor management, alert fatigue) eat the entire team. They have the appearance of a mature program and none of the underlying capability. They are super-cooled water.
  • The mid-market detection cliff. A 2,500-person regional bank has a 6-person security team. They have MDR, SIEM, EDR, vulnerability scanner, CSPM. They get 50,000 alerts a week. Real attacks are happening inside the noise, but no one has the time or analyst depth to find them. They will be breached and they know it. They’ve hit the wall.
  • The cyber insurance cliff. A company gets cyber insurance because a customer required it, or because the board asked. The premium and the renewal process become a participation tax. Cyber insurance has had a wild cycle: 2020-2022 was a “hard market” where ransomware losses pushed premiums up 50-100% in some segments, with drastic reductions in coverage limits and strict sub-limits for ransomware payments.[14] Rates have since softened — global cyber rates declined 6% in Q3 2024 and continued declining into 2025[15] — but the underwriting tightening persisted. Insurers now require demonstrable cyber hygiene before binding coverage, with increasingly specific demands around MFA, EDR, backup posture, incident response readiness, and patch management.[16] Policy language has tightened, with more sub-limits and exclusions, and CISO personal liability coverage has emerged as a new product line.[17] The cliff isn’t that premiums always rise — they’ve actually been falling. The cliff is that the operational requirements baked into the renewal questionnaire have become a de facto compliance regime. The mid-market security team is now spending real time every renewal cycle producing evidence for the underwriter, and the controls the underwriter requires drive tooling decisions whether or not those tools are the right ones for the actual threat model.

Each of these cliffs has the structure Green identifies: an increase in effort or expenditure that triggers a participation cost larger than the capability gained. The org is materially less secure relative to its threat surface after each “investment.”

And the support ecosystem disappears for them, in exactly the way Green describes. CISA’s free resources are aimed at state, local, tribal, territorial governments and small critical infrastructure.[18] MS-ISAC is for municipalities. Sightline Security is for nonprofits.[19] The Ransomware Task Force focuses on critical infrastructure and small business. Microsoft’s nonprofit licensing and AWS’s nonprofit credits phase out at scale thresholds. CIS Controls Implementation Group 1 is targeted at small orgs with limited resources; IG2 and IG3 assume staffing and capability you don’t have.[20] Once you have a security team — any security team — the industry treats you as a customer, not a constituency. You’re presumed self-sufficient. You’re expected to buy your way to security. There is no equivalent of Medicaid for the mid-market security team.

Tier 5: Below the Security Poverty Line

Nather’s original demographic. School districts, small municipalities, small nonprofits, small businesses, charities, regional hospitals. No security staff. Sometimes a contractor or MSP. Compliance is whatever the cyber insurance underwriter demands at renewal. The MSP’s idea of security is keeping the servers running.

This tier has the most named advocacy. CISA has programs aimed at it. Sightline Security exists for it. The Ransomware Task Force focuses on it. State-level cyber programs serve it. The diagnosis is honest and the framing is appropriate. But honest framing is not the same as adequate help. The lived experience of a school district IT director or a county clerk dealing with a ransomware incident is not that “advocacy exists.” It is that they are getting ransomed, the FBI is busy, the state cyber team is two people for the whole state, and the MSP they pay $80k a year to is hiding under the desk. The advocacy is real and the framing is right. The resources behind the framing are nowhere near sufficient for the scale of the problem. What this tier has that the others don’t is the right narrative. Whether that narrative produces enough material help is a separate, harder question.

The pan-Atlantic and Global South dimensions

The five-tier model holds across the developed world, but the shape of the Valley of Death changes by region.

Europe

The American Valley of Death is driven by means-tested benefits cliffing, privatized healthcare costs, market-rate childcare, and student debt. Europe has very little of this combination. European middle-class precarity has a different shape: wage stagnation, cost-of-living pressure, and what Brookings calls “the vulnerable class” — a third group between the middle class and the poor that “is not poor but still faces a high probability of falling back into poverty in the presence of a shock.”[21]

The European Security Valley of Death is driven by regulatory cliffs rather than benefits cliffs. A German Mittelstand company that crosses 250 employees inherits NIS2 obligations.[22] A UK firm that takes a US contract suddenly needs SOC 2 and ISO 27001 and possibly CMMC. A financial services firm gets DORA in 2025.[23] Each of these creates participation costs that scale faster than the underlying security capability. The cliff is real, but it’s regulatory rather than economic. The upper-middle (10%) tier in Europe is more uniform than in the US because the regulatory pressure has forced convergence at scale; a Spanish utility’s CISO and a Dutch bank’s CISO operate similar programs.

The European middle class is also genuinely shrinking. EU data from 2006-2021 shows the middle class contracted in two-thirds of EU member states, with movement primarily downward into low-income.[24] The European security middle class is shrinking by an analogous mechanism: as regulatory and threat-environment costs rise, the marginal capability of mid-market security teams declines relative to what’s expected of them. They aren’t moving up. They’re being squeezed into the Valley.

The Global South

A different problem entirely. The cybersecurity literature describes the Global South challenge as hollowness: weak or inadequate institutions, poor organizational and individual defense mechanisms, lack of standards, greater recruitment to cybercrime due to high unemployment and low wages, and a lack of capacity and legal frameworks to manage risks in the society.[25] This is a state-capacity problem, not an organization-level problem. The state itself is below the security poverty line, which means every org inside it is operating without a functioning legal framework, without national CERT capability, without a trained workforce pipeline.

When connectivity itself is a participation cost — a basic internet plan consuming up to 10% of monthly income in Bangladesh, 4-10% in Nigeria[26] — security is structurally a luxury good. Cyber capacity building programs from the EU, World Bank, and UN try to address this with mixed success.[27] The model needs an additional layer below Tier 5 to describe organizations that exist inside a country whose state has not crossed the security poverty line, where the absence of supporting infrastructure changes the equation entirely.

The “SOC 2 vs. actual security” analogy

This is where Green’s framing produces the sharpest analogy for what the security discourse keeps getting wrong.

In Green’s frame, “I make six figures” is a credentialing statement that the culture treats as a meaningful signal of economic security, but which on its own tells you nothing about whether you can survive a transmission failure, a broken arm, or a layoff. The credential and the underlying capability have decoupled. Income is measurable, so it’s what the discourse measures. Actual economic security is harder to measure, so it doesn’t show up in the conversation.

The security equivalents are everywhere:

Economic credential       | Security credential
--------------------------|------------------------------------------------
Six-figure income         | SOC 2 Type II
Owning a home             | Having a CISO
401(k)                    | Cyber insurance
Kids in private school    | Premium tooling (CrowdStrike, Splunk, Wiz)
Degree from a good school | Team includes former NSA/Mandiant/Google folks

Each of these is a real signal. None of them measures the thing we actually care about.

The deepest version of the analogy: SOC 2 measures whether you can describe and document a security program. It does not measure whether that program works. The auditor cannot tell you whether you would survive a real attack. They can tell you whether you would survive an audit. We’ve built a whole industry around conflating those two questions, and the orgs that suffer most are the ones in the Valley of Death — because for them, the credential is the only signal the market sees, and the underlying capability is invisible.

What this gives us as a model of the present

The security industry talks about itself with two strong narratives.

One is sympathy for the orgs below the poverty line. This isn’t an abstract framing — it’s a well-resourced program of corporate philanthropy and public-facing rhetoric from the largest vendors. Cloudflare’s Project Galileo has provided free Enterprise-tier protection to 2,900+ at-risk public interest organizations since 2014, expanded into Zero Trust in 2022, and was framed explicitly as bringing tools “previously only available to large enterprises” to “those most in need.”[28] Cloudflare’s Athenian Project does the same for state and local election sites. Microsoft AccountGuard offers free threat notification to qualifying high-risk groups.[29] AWS, Google, and Microsoft all have nonprofit programs that subsidize tooling for orgs below a certain size. Cisco’s leadership has framed cybersecurity capability for the under-resourced as a “human rights” issue.[30] All of this is real, it is publicly trumpeted by the vendors involved, and it generates significant earned media. The narrative produces real action, even if the action is not proportionate to the scale of the problem.

The other narrative is aspirational identification with the Oligarchy. Every Mandiant breach report, every Google Project Zero disclosure, every CrowdStrike threat intel briefing that gets retweeted teaches the field to look upward and emulate. The Oligarchy talks about itself in research papers and conference keynotes. The Tier 2 Aristocracy and 1% talks about itself in CISO peer groups and ISACs. Below the poverty line gets named advocacy from CISA, Sightline Security, the Ransomware Task Force, and the various corporate philanthropy programs.

The upper middle (the 10%) and the Valley of Death sit in the middle and don’t have a coherent narrative. The 10% just shows up to BSides and gets back to work. The Valley of Death is the most populated tier in the entire field and has the least articulation. It’s embarrassing for the 10% to be confused with the Valley below it. It’s embarrassing for the Valley to admit it isn’t at the 10%. Neither group has nonprofits advocating for it. Neither has a vendor philanthropy program designed for it. Neither has a conference circuit that addresses its specific structural problem, because that problem is “we have a program and it doesn’t work and we don’t know why” — a story nobody wants to tell publicly.

The structural reality is that most organizations are in the Valley. Most security professionals work in the Valley. Most breaches happen in the Valley. The Oligarchy and the Aristocracy absorb their incidents and move on. The orgs below the poverty line get ransomware’d and get help from CISA, sometimes. The Valley gets ransomware’d, the cyber insurance gets renewed at worse terms, the CISO updates LinkedIn, and the company spends 90 days in IR while their competitors win the deals.

That is the present we are in. What the field calls “the security poverty line” is real, but it is one boundary inside a much wider structure that has been left mostly undescribed.

Footnotes and Sources

  1. Wendy Nather, “Living Below the Security Poverty Line: Coping Mechanisms,” RSA Conference 2013. Original 2011 coinage at 451 Research. Slide deck (PDF): infosecuritymagazine.nl. Referenced in numerous later discussions including the United States Cybersecurity Magazine retrospective: https://www.uscybersecurity.net/csmag/the-cybersecurity-poverty-line/

  2. Wendy Nather’s expanded framing of the four dimensions (budget, expertise, capability/influence, and the inability to negotiate with vendors) covered in The Register’s coverage of her work at Cisco: https://www.theregister.com/2022/06/06/cisco_security_rsa/

  3. Jeetu Patel’s framing of cybersecurity as a human rights issue, building on Nather’s concept. The Register, June 2022: https://www.theregister.com/2022/06/06/cisco_security_rsa/ and Cisco’s own framing at https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2023/m01/breaking-the-cycle-of-security-poverty.html

  4. Ross Haleliuk and Chris Hughes at Venture in Security have written extensively on the vendor-economics consequences of the security poverty line. See also the Cyber Threat Alliance 2024 panel with Nather, Joe Levy, and Michael Daniel.

  5. Wendy Nather interview on Scrut.io’s Risk Grustlers podcast, Episode 20: https://www.scrut.io/post/risk-grustlers-ep-20-the-security-poverty-line

  6. Kenna Security’s 2022 piece is the cleanest written articulation of the “cyber 1%” framing: https://www.kennasecurity.com/blog/why-the-security-poverty-line-affects-us-all/. The framing pairs naturally with Dan Kaminsky’s longstanding argument that defensive capability has consolidated at the top of the market; see his 2016 Black Hat keynote “The Hidden Architecture of Our Time.”

  7. Michael W. Green, “Part 1: My Life Is a Lie: How a Broken Benchmark Quietly Broke America,” Yes, I give a fig…, November 23, 2025: https://www.yesigiveafig.com/p/part-1-my-life-is-a-lie

  8. Michael W. Green, “Part 1: My Life Is a Lie: How a Broken Benchmark Quietly Broke America,” Yes, I give a fig…, November 23, 2025: https://www.yesigiveafig.com/p/part-1-my-life-is-a-lie

  9. Michael W. Green, “Part 1: My Life Is a Lie: How a Broken Benchmark Quietly Broke America,” Yes, I give a fig…, November 23, 2025: https://www.yesigiveafig.com/p/part-1-my-life-is-a-lie

  10. Dennis Gilbert, William Thompson, and Joseph Hickey, summarized in Wikipedia’s overview of the upper middle class in the US: https://en.wikipedia.org/wiki/Upper_middle_class_in_the_United_States

  11. Pew Research Center’s middle-class definition (2/3 to 2x median household income). See SmartAsset and North American Community Hub summaries of the 2022/2023 data: https://nchstats.com/us-state-income-for-middle-class/

  12. American Enterprise Institute analysis cited in CBS News, April 2026: https://www.cbsnews.com/news/upper-middle-class-income-us-what-it-takes/

  13. OECD definition of middle-income households (75% to 200% of median, split into lower/middle/upper). Euronews summary: https://www.euronews.com/business/2024/03/01/where-does-the-middle-class-pay-the-highest-and-lowest-tax-in-europe and the OECD’s own report “Under Pressure: The Squeezed Middle Class” (2019): https://www.oecd.org/content/dam/oecd/en/publications/reports/2019/05/under-pressure-the-squeezed-middle-class_f3fa7167/689afed1-en.pdf

  14. Cyber insurance hard market (2020-2022) with 50-100% premium increases and sub-limits on ransomware, summarized in DeepStrike’s 2025 cyber insurance market overview: https://deepstrike.io/blog/cyber-insurance-statistics-2025

  15. Marsh Global Insurance Market Index Q4 2024 and 2025 updates showing sustained rate declines: https://www.marsh.com/en/services/cyber-risk/insights/cyber-insurance-market-update.html and https://www.marsh.com/en/services/cyber-risk/insights/cyber-market-update-q4-2024.html. Fitch Ratings analysis at https://www.reinsurancene.ws/us-cyber-insurance-market-remains-profitable-amid-slower-growth-in-2024-fitch/

  16. Fitch Ratings and S&P Global Market Intelligence analysis of cyber insurance underwriting tightening, including hygiene requirements, sub-limits, and exclusions even as rates have softened. Summarized in Beinsure’s 2024-2034 outlook: https://beinsure.com/cyber-insurance-market-outlook/. See also the NAIC’s 2025 Report on the Cybersecurity Insurance Market: https://content.naic.org/sites/default/files/inline-files/2025_Cybersecurity_Insurance%20Report.pdf

  17. CISO liability coverage as an emerging product line and the broader regulatory pressures (SEC disclosure, DORA, state privacy laws) driving coverage expansion: TechTarget summary of 2025 cyber insurance trends: https://www.techtarget.com/searchsecurity/tip/Cyber-insurance-trends-What-executives-need-to-know. American Academy of Actuaries on the cyber insurance market’s inflection point: https://actuary.org/article/cyber-insurance-nears-an-inflection-point/

  18. CISA’s resources are explicitly targeted at SLTT (state, local, tribal, territorial) governments and small critical infrastructure: https://www.cisa.gov/topics/cybersecurity-best-practices/organizations-and-cyber-safety

  19. Sightline Security, the nonprofit focused on securing nonprofits, where Wendy Nather serves on the board.

  20. CIS Controls Implementation Groups are documented at https://www.cisecurity.org/controls/implementation-groups. IG1 is the baseline for orgs with limited resources; IG2 and IG3 assume capabilities the Valley of Death tier rarely has.

  21. Brookings on the European “vulnerable class”: https://www.brookings.edu/articles/is-there-a-middle-class-crisis-in-europe/

  22. NIS2 Directive (EU 2022/2555) brings significantly more mid-market entities into scope than its predecessor NIS1. The 250-employee threshold and sector-based “essential/important entity” classification produces a sharp regulatory cliff for European mid-market companies.

  23. DORA (Digital Operational Resilience Act, EU Regulation 2022/2554) entered force January 2025, applying to financial entities and their critical ICT third-party providers.

  24. Eurofound, “A snapshot of income inequality and middle class across the EU”: https://www.eurofound.europa.eu/en/publications/all/snapshot-income-inequality-and-middle-class-across-eu and the related CEPR column: https://cepr.org/voxeu/columns/picture-income-inequality-and-middle-classes-across-eu

  25. The “hollowness” framing of Global South cybersecurity comes from work in Third World Quarterly: https://www.tandfonline.com/doi/full/10.1080/01436597.2017.1408403

  26. Georgetown Security Studies Review on the global digital divide and information poverty: https://gssr.georgetown.edu/the-forum/topics/technology/the-global-tech-divide-how-the-digital-revolution-is-leaving-some-of-us-in-the-digital-dark-ages/

  27. Cyber capacity building literature is surveyed in Calderaro and Craig’s “Transnational Governance of Cybersecurity”: https://cybilportal.org/wp-content/uploads/2020/10/CalderaroCraigTWQ_Transnational-governance-of-cybersecurity-policy-challenges-and-global-inequalities-in-cyber-capacity-building.pdf. See also the EUI’s work on EU-Global South cyber cooperation: https://www.eui.eu/news-hub?id=building-cyber-capacity-with-the-global-south-for-a-secure-digital-future

  28. Cloudflare’s Project Galileo overview and 10-year retrospective: https://www.cloudflare.com/galileo/ and https://blog.cloudflare.com/celebrating-10-years-of-project-galileo/. The “previously only available to large enterprises” framing is from Cloudflare’s 2022 press release on free Zero Trust for at-risk groups: https://www.cloudflare.com/press/press-releases/2022/zero-trust-security-free-galileo-athenian/

  29. Microsoft AccountGuard, free threat notification for political campaigns, NGOs, and other high-risk groups: https://www.microsoftaccountguard.com/en-us/

  30. Jeetu Patel’s framing of cybersecurity as a human rights issue, building on Nather’s concept. The Register, June 2022: https://www.theregister.com/2022/06/06/cisco_security_rsa/ and Cisco’s own framing at https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2023/m01/breaking-the-cycle-of-security-poverty.html