That is the topic of my latest Bloomberg column, here is one part:
In economic terms, the private value of internet security is often less than the public value. A ransomware attack that results in only a slight decrease in profits for a business could translate into a major social inconvenience.
One consolation is that hackers will almost certainly “overfish” the pool of victims. At some point there will be so many attacks that most institutions will have no choice but to respond with significant defensive measures. The hackers themselves will accelerate this process, because each will try to maximize their profits before the game is over. Curiously, this means that a successful attempt to “slow down” the hackers could just delay the necessary adjustments that businesses need to make, leaving everyone worse off.
There is much more at the link.