Calculating the costs of cybercrime

Image: IDGNS

12 August 2016

Paul HearnsWe’ve all seen the headlines: cybercrime costs X economy $X billion per year!

In fact, we… cough… have been responsible for more than a few of them ourselves.

But the fact remains, they are attention grabbing and memorable, often getting thrown into a presentation to ‘scare the be-jaysus’ out of those who might otherwise fail to heed the message.

Just how reliable are these studies, though?

“The measurement of the real impact of incidents, in terms of the costs needed for full recovery, proved to be quite a challenging task,” ENISA

They often come from very reliable sources, such as the Ponemon Institute, Juniper Research and Deloitte, to name but a few, but one independent body is questioning their conclusions, and their value.

The European Union Agency for Network and Information Security (ENISA) was concerned at the variance in reported costs and sought to clarify the situation. What it found was, well, unsurprising.

The report entitled “The cost of incidents affecting CIIs”, by Dr Dan Tofan, Theodoros Nikolakopoulos and Eleni Darra, states “the measurement of the real impact of incidents in terms of the costs needed for full recovery proved to be quite a challenging task”.

The CII in the title refers to critical information infrastructures, and is broadly describing information infrastructures on which societies depend.

The report is a meta-analysis of sources from between 2013 and 2015, comprising 11 expert reports, two security vendor internal studies which were aimed at customers, two public studies, and two ENISA partner reports.

The authors found that each study had produced its own set of findings, mostly relevant in their particular context — meaning that rather than take a standardised approach, each study seemed to be focused on its own sector, angle or concern, and consequently its findings were not necessarily applicable in a like for like fashion elsewhere.

“After analysing various studies it was found that each study expresses economic impact in a different way,” said the report. “While some studies show annual economic impact per country, other studies provide cost per incident or per organisation.”

“Besides this, some of them use real cost but others use approximations based on different techniques or internal frameworks. On top of that, costs were expressed in different currencies, for which we have converted all figures to a common currency. Given the above, the task of identifying common denominators for those studies becomes almost impossible.”

Unsurprisingly, the authors concluded that “finance, ICT and energy sectors, appear to have a much higher incident cost, in comparison with the rest of sectors [sic]”.

Common attacks
They found that the most common attack types for the financial and ICT sectors appear to be DoS/DDoS and malicious insiders, with the latter affecting the Public Administration sector too.

“It is very important to highlight that these two types on their own, make [up] approximately half the annualised cost of all cybercrime,” said the report.

The most expensive attacks are considered to be insider threats, followed by DDoS and web based attacks.

The authors state “the measurement of the real impact of incidents in terms of the costs needed for full recovery proved to be quite a challenging task.”

However, the authors recognise that determining cost values that are as close as possible to reality is key to determining the real economic impact of incidents on economies.

Real impact
“Knowing the real impact can help define proper, coherent and cost effective (beneficial) mitigation policies,” they said.

“We have also noticed the lack of a unified and standardised approach in developing such studies, often driven by business factors rather than actual interest of stakeholders or realistic needs.”

Food for thought, surely.

So, before you go including one of those juicy headlines in your next presentation, where someone claims that X billion somethings is lost every year to cybercrime, take a look at how that figure was derived, by whom and in what context. You may find that it has little relevance to you, your sector and the point you are actually trying to make.




Read More:

Back to Top ↑