Benjamin Mossé Thinking in systems. Reasoning from evidence and logic.

What Would a Credible Cybersecurity Professionalization Body Cost?

A professionalization body that wants to operate credibly needs enough money to govern independently, audit meaningfully, and enforce standards.

If it is underfunded, it may still exist institutionally, but it will struggle to operate credibly.

A Monte Carlo model of a hypothetical cybersecurity professionalization body suggests that credible operation is likely to require millions of dollars per year in operating capacity.

A credible professionalization body should have the following characteristics:

  • independent governance
  • capacity to audit
  • capacity to investigate complaints
  • capacity to escalate and enforce

Across 50,000 simulations, annual expenditure most commonly clustered between AUD 3 million and AUD 5 million, while annual membership fees most commonly fell between AUD 500 and AUD 800.

These estimates were lower than the average upper-bound fee of AUD 1,236.34 observed among PSC-regulated associations in Australia, but still materially higher than the low-fee assumptions often implied in public discussions.

Together, the results suggest that meaningful governance, auditing, and enforcement may require substantially more funding than commonly assumed.

Problem Statement

Cybersecurity professionalization schemes are increasingly proposed as a mechanism to improve workforce quality, standardize competencies, and protect the public. These schemes typically rely on accreditation, certification, and ongoing oversight of practitioners and training providers. However, the effectiveness of such systems depends not on their stated objectives, but on their ability to operate independently, assess compliance rigorously, and enforce standards when breaches occur.

The literature on professional regulation raises significant concerns about whether such bodies can consistently meet these requirements.

In Cartels by Another Name, Rebecca Haw Allensworth argues that licensing boards composed of active market participants have structural incentives to restrict competition and act in their own economic interest rather than the public interest.

This concern is reinforced in Antitrust Scrutiny for the Occupations, where she highlights the importance of active supervision to mitigate the risks identified in the North Carolina State Board of Dental Examiners v. FTC decision.

Together, these works establish that independence and oversight are not optional features, but necessary conditions to reduce the risk of regulatory capture.

At the same time, Allensworth’s more recent work highlights a second, less discussed failure mode: weak enforcement.

In Doctors Playing Lawyers, she shows that professional discipline is often delegated to members of the same profession, even in high-stakes contexts, creating a risk of under-enforcement.

Similarly, in The Hypocrisy of Attorney Licensing, she argues that licensing regimes frequently justify barriers to entry on public protection grounds, yet fail to remove or meaningfully sanction poor performers once they are admitted.

These findings suggest that professionalization systems can be simultaneously restrictive at entry and ineffective in maintaining standards, particularly when disciplinary capacity is limited.

These structural risks are amplified when professionalization bodies lack sufficient resources. Without adequate funding, organizations are constrained in their ability to maintain independent governance, employ full-time staff, conduct meaningful audits, and investigate complaints to the point of enforcement. In the absence of such capacity, professionalization risks becoming performative - focused on certification and signalling - rather than substantive in improving outcomes.

Despite these concerns, there is limited quantitative analysis of the economic requirements needed to operate a professionalization body at a level that avoids these failure modes.

In particular, there is a lack of models that capture the combined cost of administration, compliance, and enforcement, and that allow for the evaluation of trade-offs when funding falls below the level required for credible operation.

This gap makes it difficult to assess whether current or proposed schemes are capable of delivering on their stated objectives, or whether they are structurally constrained by underfunding.

Purpose of Research

This study argues that the credibility of a professionalization body is not determined only by its formal structure or public claims, but by whether it has the financial capacity to govern independently, audit meaningfully, investigate complaints, and enforce standards.

If those functions cannot be funded, the result may be a body that appears professionalized in form while remaining weak in substance.

Research Questions

For the purpose of this research, a credible professionalization body is defined as an organization capable of performing its stated functions in a consistent, independent, and enforceable manner.

This goes beyond symbolic accreditation or passive membership structures. It requires the ability to set standards, assess compliance, investigate issues, and take action where those standards are not met.

Credibility, in this context, is therefore operational rather than aspirational—it is reflected in what the organization can actually do, not what it claims to represent.

Question 1:

What is the plausible annual cost range for the credible operation of a professionalization body once administrative, compliance, and enforcement functions are fully accounted for?

Question 2:

What trade-offs arise when a professionalization body is funded below the minimum level required for credible administration, auditing, and enforcement?

Methodology

The following methodology was employed:

  1. Define a hypothetical professionalization body and the minimum functions it must perform credibly.
  2. Group the model into four cost dimensions: administration, compliance, enforcement, and governance.
  3. Assign each variable a minimum, most probable, and maximum value using empirical benchmarks where available and conservative assumptions where evidence was limited.
  4. Run 50,000 Monte Carlo simulations to generate a distribution of plausible annual cost outcomes.
  5. Identify the expenditure range most commonly associated with financial preconditions for credible operation.
  6. Compare the simulated funding requirements with the membership fees currently charged by professionalization bodies in Australia.

Model Design and Assumptions

The model assumes a professionalization body designed to operate credibly and independently. This includes a governance structure with full-time paid board members to reduce conflicts of interest and limit the risk of regulatory capture.

It assumes the organization has the capability to audit education providers against a recognized skills framework (e.g. SFIA or NIST NICE), ensuring that accredited courses meet defined competency standards.

The model also assumes the body can receive and investigate complaints, and escalate matters to formal enforcement or legal action where required.

This definition is normative and reflects the minimum functional requirements inferred from regulatory and legal literature.

The model may overestimate costs if minimum resourced operation consistent with credibility can be achieved with lower audit intensity, reduced enforcement activity, or part-time governance structures without increasing the risk of capture.

Model Variables

The model is based on a set of variables that capture the scale, cost structure, and enforcement dynamics of a professionalization body.

Sensitivity was assessed by examining how variation in each input affected total simulated cost across the 50,000 runs, with administrative fixed costs, audit intensity, and cost per audit showing the strongest influence on output variance.

  • Number of Members: Total number of individuals subject to the scheme. This is the primary scale driver of the model.

  • Compliance Cost per Member ($): Annual cost borne by each member, including time, documentation, and ongoing requirements.

  • Administrative Fixed Cost ($): Core operational costs of the body, including governance, staffing, and IT systems.

  • Administrative Variable Cost per Member ($): Additional costs that scale with the number of members, such as support, processing, and system usage.

  • Audit Intensity: Proportion of education providers audited annually.

  • Cost per Audit ($): Fully loaded cost of conducting an audit, including personnel and overhead.

  • Complaint Rate (%): Percentage of members generating complaints each year.

  • Cost per Investigation ($): Average cost of investigating a complaint.

  • Escalation Rate (%): Proportion of investigations that escalate to formal enforcement or legal action.

  • Cost per Legal Case ($): Cost associated with litigation, tribunal proceedings, or settlements.

  • Board Size: Number of full-time paid board members responsible for governance.

  • Cost per Board Member ($): Annual fully loaded compensation per board member.

Each variable was modelled using a triangular distribution defined by minimum, most probable, and maximum values, as this approach is commonly used when empirical data is limited but bounded estimates are available.

A triangular distribution was preferred because several variables were bounded and judgment-based, making minimum, most probable, and maximum values easier to justify than parameters required by normal or log-normal distributions.
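The simulation structure described above, as an added Python example; it is not the author's spreadsheet. Every range in `PARAMS` is constructed for illustration, the `providers` input is assumed (the page lists audit intensity but no provider count), and summing the components while leaving out the member-borne compliance cost is one assumed reading of the variable list.

```python
import random
import statistics

# Constructed (minimum, most probable, maximum) triples, for illustration only.
# The page's real ranges live in its spreadsheet and are not reproduced here.
PARAMS = {
    "members": (2_000, 5_000, 12_000),
    "admin_fixed": (400_000, 900_000, 2_000_000),
    "admin_variable_per_member": (20, 50, 120),
    "providers": (20, 40, 80),  # assumed input: not one of the listed variables
    "audit_intensity": (0.10, 0.30, 0.60),
    "cost_per_audit": (10_000, 25_000, 60_000),
    "complaint_rate": (0.0005, 0.002, 0.01),
    "cost_per_investigation": (5_000, 15_000, 40_000),
    "escalation_rate": (0.05, 0.15, 0.40),
    "cost_per_legal_case": (50_000, 150_000, 500_000),
    "board_size": (3, 5, 7),
    "cost_per_board_member": (150_000, 220_000, 350_000),
}

def draw(rng, name):
    low, mode, high = PARAMS[name]
    return rng.triangular(low, high, mode)  # stdlib argument order: low, high, mode

def simulate_year(rng):
    """One simulated financial year. Summing the components is an assumption;
    compliance cost per member is left out because members bear it directly."""
    members = round(draw(rng, "members"))
    board = round(draw(rng, "board_size"))
    audits = round(draw(rng, "providers") * draw(rng, "audit_intensity"))
    complaints = round(members * draw(rng, "complaint_rate"))
    legal_cases = round(complaints * draw(rng, "escalation_rate"))
    cost = (draw(rng, "admin_fixed")
            + members * draw(rng, "admin_variable_per_member")
            + audits * draw(rng, "cost_per_audit")
            + complaints * draw(rng, "cost_per_investigation")
            + legal_cases * draw(rng, "cost_per_legal_case")
            + board * draw(rng, "cost_per_board_member"))
    return {"members": members, "cost": cost, "fee": cost / members}

def run(n=50_000, seed=1):
    rng = random.Random(seed)  # fixed seed so a run can be reproduced
    return [simulate_year(rng) for _ in range(n)]

def summarize(results, key):
    values = [r[key] for r in results]
    return min(values), statistics.fmean(values), max(values)

def share_between(results, key, low, high):
    return sum(low <= r[key] <= high for r in results) / len(results)

if __name__ == "__main__":
    results = run()
    print("cost min/mean/max:", summarize(results, "cost"))
    print("fee  min/mean/max:", summarize(results, "fee"))
    print("share of fees in 500-800:", share_between(results, "fee", 500, 800))
```

Because the ranges are placeholders, the printed figures will not match the findings reported on this page; substituting the spreadsheet's ranges into `PARAMS` is what a replication would require.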

Parameter Ranges

Variables with empirical grounding:

  • number of members
  • administrative costs
  • board salaries
  • PSC association fees

Variables with assumptions:

  • complaint rate
  • escalation rate
  • audit intensity

Where empirical benchmarks were unavailable, conservative assumptions were used to avoid overstating cost estimates.

The member-count range was chosen to reflect plausible participation levels for an Australian cybersecurity professionalization scheme, from low early adoption to broader sector uptake.

Example

An example might help the reader better understand the model:

The figure above presents the output of a single Monte Carlo simulation from a total of 50,000 runs.

In this simulated financial year, the hypothetical professionalization body had 3,956 members. To deliver its functions credibly, it operated with three full-time board members, conducted 15 audits of education providers to assess alignment with the body’s adopted skills framework, and received and investigated six complaints from members. Some of these matters escalated to legal action, although they were resolved relatively quickly.

Under this simulated scenario, the body required AUD 1,787,516 to operate during the financial year. This implied a required membership fee of AUD 451 per member to support credible delivery of its functions.

Although this simulation produced a functioning body on paper, its required fee of AUD 451 per member sits below the expenditure range most commonly associated with minimum financially credible operation in the full simulation set.

Limitations

The author of the model acknowledges the following limitations:

  • Reduced-form model with simplified variables
  • Some parameters rely on assumptions where evidence is limited
  • Regulatory capture is modelled indirectly, not directly (the more paid board members, the less risk)
  • Annual model only; no multi-year effects
  • Real-world audits and legal matters may vary more than the model captures

Findings

Finding 1: The model estimated that a professionalization body could cost between approximately AUD 800,000 and AUD 14,000,000 per year to run

The 50,000 Monte Carlo simulations produced the following estimated expenditure outcomes:

  • Minimum estimated expenditure: AUD 771,353.46
  • Average estimated expenditure: AUD 3,770,324.64
  • Maximum estimated expenditure: AUD 14,382,125.98

Finding 2: 74% of simulations produced annual expenditure estimates between AUD 3,000,000 and AUD 5,000,000

74% of the simulations generated a professionalization body that cost between AUD 3,000,000 and AUD 5,000,000 to run.

These ranges were selected to summarize the modal concentration of simulation outcomes shown in the histograms.

Finding 3: The model estimated annual membership fees ranging between AUD 182.50 and AUD 3,333.67

The 50,000 Monte Carlo simulations produced the following estimated annual membership fees:

  • Minimum estimated annual membership fees: AUD 182.50
  • Average estimated annual membership fees: AUD 637.37
  • Maximum estimated annual membership fees: AUD 3,333.67

Membership fees are derived by dividing total simulated cost by the number of members in each simulation.

Finding 4: 74% of simulated annual membership fees fell between AUD 500 and AUD 800

74% of the simulations generated annual membership fees between AUD 500 and AUD 800.

These ranges were selected to summarize the modal concentration of simulation outcomes shown in the histograms.

Finding 5: The average upper-bound annual membership fee among PSC-regulated associations in Australia was AUD 1,236.34

The data collected from PSC-regulated associations in Australia shows that the average upper-bound membership fee is AUD 1,236.34.

Finding 6: The model’s most common membership-fee outcomes were 35% to 59% lower than the average upper-bound fee observed among PSC-regulated associations

A membership fee of AUD 500 is 59% lower than the average upper-bound annual fee, while a fee of AUD 800 is 35% lower.

This may suggest that the model does not overestimate costs relative to existing associations, although structural differences between domains should be considered.

The PSC comparison is used here as a rough external benchmark for the scale of professional association fees in Australia, not as a claim of direct institutional equivalence.

Discussion

The results of this model point to an uncomfortable conclusion: credibility is expensive.

Across the simulations, a consistent pattern emerges. A professionalization body that intends to operate with even a basic level of independence, oversight, and enforcement requires millions of dollars per year in operating capacity. This is not driven by excess or inefficiency, but by the fundamental cost of performing the functions that give the body legitimacy: governance, auditing, investigation, and enforcement.

This directly challenges the narrative that a credible scheme can be sustained on $100–$150 per year per member. At that price point, the model suggests a body would be structurally constrained. It may exist institutionally, but it would struggle to fund meaningful audits, investigate complaints at scale, or act independently from the very entities it is meant to regulate. In effect, it risks becoming a symbolic body rather than an operational one.

The gap between perception and reality is stark. While the lower-bound outcomes of the model cluster around $500–$800 per member per year, existing PSC-regulated associations average significantly higher fees. This may indicate that the model does not obviously overstate costs relative to the fee levels observed among existing associations, although structural differences between domains remain important. The implication is clear: under the assumptions of the model, maintaining lower fees would generally require a reduction in capability, scope, or independence.

This creates a fundamental trade-off that cannot be avoided. A professionalization body can be:

  • Affordable, but limited in its ability to enforce standards; or
  • Credible, but requiring materially higher funding.

Attempting to achieve both simultaneously, without redefining the model entirely, is unlikely to succeed.

More importantly, underfunding is not a neutral outcome. A body that lacks the resources to act decisively introduces second-order risks:

  • audits become infrequent or superficial
  • complaints are delayed or unresolved
  • enforcement actions are avoided due to cost or complexity
  • governance becomes more susceptible to capture or influence

Over time, this erodes trust not only in the body itself, but in the professionalization effort as a whole.

The policy implication is straightforward. If the objective is to create a cybersecurity profession that is trusted, accountable, and capable of self-regulation, then the financial model must be aligned with that ambition. If the financial model is constrained by a desire to keep fees artificially low, then expectations around enforcement, independence, and oversight must be reduced accordingly.

Under the assumptions of this model, no scenario produced minimum financially credible operation at minimal cost.

The choice is not whether to pay for professionalization. The choice is what kind of professionalization system is being funded.

Conclusion

This study provides a quantitative estimate of the cost required to operate a cybersecurity professionalization body with a baseline level of credibility. The results suggest that meaningful governance, auditing, and enforcement functions require materially higher funding than commonly assumed.

These findings are derived from a defined set of assumptions, input data, and simulation parameters. They are not presented as definitive, but as a structured attempt to model the problem transparently.

If there is disagreement with the conclusions, it should be directed at the model itself - its assumptions, variables, or underlying data. Those elements are open to scrutiny, refinement, and challenge.

The model can be replicated using the provided spreadsheet, which contains all variables and simulation logic.