The economic impact of security incidents on critical information infrastructures
Cyber security incidents affecting CIIs (Critical Information Infrastructures) are nowadays considered global risks that can have a significant negative impact on several countries or industries within the next 10 years. But identifying the real impact they produce proves to be quite a challenge.
Cybercrime as a percent of GDP
ENISA published a systematic review of studies on the economic impact of cyber-security incidents on critical information infrastructures (CII), which provide the resources for core functions that society depends upon. The unavailability of these resources would have a debilitating effect on society as a whole.
A prevalent challenge for all stakeholders involved (decision makers, companies and others) is to identify the exact magnitude of incidents in terms of national or EU-wide economic impact. In this context, the aim of the study is to provide such an estimate on the basis of publicly available information.
The study demonstrates that the absence of a common approach and criteria for performing such an analysis has led to standalone approaches that are rarely comparable and often relevant only to a specific context and a limited audience. While some studies report annual economic impact per country, others provide cost per incident or per organisation.
Furthermore, some studies use real cost figures while others use approximations based on different techniques or on internal frameworks. Despite the lack of comparable studies, this systematic review has made it possible to come up with compelling findings for future work in the field, and to build an early view of the current situation in the EU and beyond.
Major common findings
- Finance, ICT and Energy sectors have the highest incident costs
- The most common cyber attack types for the financial and ICT sectors appear to be DoS/DDoS and malicious insiders, with the latter also affecting public administration/government sectors
- The most costly attacks are considered to be insider threats, followed by DDoS and web-based attacks
- In terms of country losses, the figures show losses of up to 1.6% of GDP in some EU countries. Other studies mention figures of 425,000 to 20 million euro per company per year.
Percentage annualized cybercrime cost, by attack type
“Determining realistic cost values is key to outline the economic impact of cyber incidents on the EU’s economy. ENISA can play a significant role in the future, on developing work that takes into account all critical variables that define the EU cyber-space, given that all the necessary resources have been allocated,” commented ENISA’s Executive Director Prof. Udo Helmbrecht.
A general recommendation to all readers who may be interested in such studies is that the findings should be contextualised before adopting the study's conclusions or drawing their own. Doing so helps to identify the gaps or areas not covered by the study, and to understand its overall findings and their relevance within the reader's actual context.
“The cost of a breach to each organisation can vary enormously depending on what assets are targeted, how important they are to this particular company, and what recovery capabilities they currently have. The theft of the exact same set of data could incur wildly different costs on two organisations based on the way they utilise the data and how quickly they can get back on track. While these cost reports do provide a useful backdrop, companies absolutely need to focus on their own unique risk landscape if they are to have an accurate understanding of the potential cost of a breach,” Charles White, CEO of IRM, told Help Net Security.