INNOVATION
Issue 42: Summer 2025
A surprising factor driving preparation for quantum cybersecurity readiness
New Perspectives
What makes some businesses more willing than others to start preparing for the cybersecurity upgrades that quantum computing will soon demand?
When Toronto Metropolitan University (TMU) information technology management professor Atty Mashatan went looking for the reasons, she discovered a surprising answer.
In a research project that took a unique socio-technical approach to the quantum cybersecurity threat, professor Mashatan discovered an unexpected driver for the inevitable digital migration: the typically detested scenario of being stuck in a bad deal.
Vendor lock-in, the business term for dependence on a single provider for a product or service, tends to be perceived as a negative for any organization that experiences it. The reason? No one likes being reliant on a single option or product, especially one that ages poorly. Then there’s the fact that changing providers is often both costly and time-consuming.
However, the research found vendor lock-in actually has a very significant positive impact on an organization’s intentions to prepare for the cybersecurity changes powerful quantum computers will necessitate.
As professor Mashatan explained, organizations locked into a single cybersecurity vendor understand the impediment they face and use it to incentivize their intent to prepare.
“This is very counterintuitive, because usually when companies are in a vendor lock-in situation, it means they don't have their act together,” she said. “The companies we got the empirical data from, if they felt they were in a vendor lock-in situation, they're actually starting their quantum migration plans sooner.”
The paper is based on a survey of businesses from North America, the European Union and the United Kingdom.
An industry-seasoned cybersecurity expert, director of TMU’s Cybersecurity Research Lab and Canada Research Chair in Quality of Security Framework for Internet of Things, professor Mashatan is acutely aware of the cybersecurity threat posed by cryptographically relevant quantum computing (CRQC) – machines that will be able to break encryption that is too complex for classical computers to break.
“Once we have a cryptographically relevant quantum computer, the current cryptography is going to be broken,” she explained. “That means we need to transition to what we call post-quantum cryptography, or quantum-resistant cryptography.”
Even though CRQC machines are still being developed, professor Mashatan counsels organizations to overcome barriers and start preparing for the inevitable, rather than waiting and reacting.
“Things are evolving really, really quickly,” she said. “The time to act is now. You need to establish governance. You need to have inventory. Where is your cryptographic footprint? What are your crown jewels, the assets that are most important for your business?”
At the outset of this project, professor Mashatan was curious to know why some organizations embrace the need to prepare for the coming changes while others are content to wait.
“Even if they understand quantum migration is bound to happen in the next five years, some are preparing now and some are not. We wanted to decouple and understand that nuance,” professor Mashatan said.
“People have been talking about this. Technologists have been talking about this. Ours is the first paper to actually validate it empirically. We’re showing these things are true, not just saying it’s common sense.”
Read professor Mashatan’s paper, “Towards Quantum Threat Mitigation: An Empirical Investigation of the Factors Influencing Organizational Preparation Intentions,” on AIS eLibrary, recently presented at the 2025 European Conference on Information Systems (ECIS) in Amman, Jordan.
This work has been supported by the Social Sciences and Humanities Research Council (SSHRC) and the Natural Sciences and Engineering Research Council of Canada (NSERC).