Non-profit cybersecurity organisations are a foundational part of the global cyber ecosystem, yet their role remains systematically under-recognised and underfunded. This new HCSS report argues that these organisations provide essential public-interest security functions that governments and commercial providers cannot fully deliver on their own.
The report by Hans Horan, Ron Stoop and Jan Feldhusen finds that non-profit cybersecurity actors play a critical role in threat intelligence sharing, incident response coordination, standards development, capacity-building, and support for vulnerable communities. Their work helps reduce harm, strengthen cyber resilience, and sustain the shared infrastructure and protocols underpinning the global digital economy.
The study also highlights a growing cyber resilience gap between large organisations and SMEs. While larger firms increasingly have the resources to strengthen their cyber posture, many smaller organisations remain structurally disadvantaged by limited budgets and staffing shortages. Non-profit cybersecurity organisations help fill this gap by providing services and expertise that would otherwise remain inaccessible.
Using a counterfactual methodology, the report estimates that replacing non-profit cybersecurity services with commercial alternatives could cost hundreds of millions of dollars, while the harms these organisations help prevent amount to billions in avoided losses. The infrastructure and coordination mechanisms they sustain also underpin economic activity worth hundreds of billions globally.
According to main author Hans Horan: “Non-profit cybersecurity organisations are not peripheral charitable actors. They are highly effective providers of public-interest security that help keep the global digital ecosystem functioning safely and resiliently.”
The report warns that continued underfunding risks weakening critical cyber resilience functions worldwide. It recommends that governments establish dedicated multi-year funding streams, formally integrate non-profit actors into national cybersecurity strategies, and create rapid-response funding mechanisms for major cyber crises. It also calls on industry to adopt standing norms for financially supporting the sector.
Co-author Ron Stoop adds: “The policy question is no longer whether these organisations matter, but whether a robust and equitable cybersecurity system remains possible without them.”
Authors: Hans Horan, Ron Stoop and Jan Feldhusen
Quality Assurance: Paul Sinning
The research was commissioned by the Common Good Cyber and executed by The Hague Centre for Strategic Studies (HCSS). Responsibility for the contents and for the opinions expressed, rests solely with the authors.
Related Content
