Cost of cyberattacks difficult to measure, EU agency finds

August 11 2016. By Magnus Franklin.

The EU agency responsible for network and information security has confirmed what many chief technology officers have long known when trying to persuade their companies to spend money on cyberdefenses: putting a price tag on hacking is almost impossible.

But if acknowledging a problem is the first step toward solving it, ENISA’s report should set off alarm bells in the financial, information technology and energy industries.

In today’s boardrooms, persuading a company to part with a slice of earnings traditionally requires a cost-benefit calculation to explain why spending money is in its long-term interests.

But when it comes to cyberattacks, such calculations are difficult to make and even more difficult to compare. They often lead companies to underestimate how much they need to spend to counter hacking attacks and protect themselves against nefarious insiders.

The report from the European Union Agency for Network and Information Security, ENISA, finds that cyberthreats are typically described as “global risks that can have significant negative impact for several countries or industries within the next 10 years.” But it has been tricky for companies to estimate their share of this negative impact.

The agency’s report confirms that it is genuinely challenging to filter macroeconomic effects through an individual company’s balance sheet.

The same challenge applies for policymakers who have struggled to separate the impact on a particular jurisdiction — say the EU — from the overall effect of a cyberincident.

The report concludes that “the absence of a common approach and criteria for performing such an analysis has led to the development of rarely comparable standalone approaches that are often only relevant to a specific context and to a limited audience.”

“While some studies show annual economic impact per country, other studies provide cost per incident or per organization,” the paper says.

Top threats

ENISA’s “systematic review of studies on the economic impact of cybersecurity incidents on critical information infrastructures” did offer some insights, even if it found divergence on the calculation of the cost of cyberattacks.

Attacks in the financial, energy and technology industries have the highest “incident cost” compared to other sectors.

And for the information and communications technology and financial sectors specifically, the most common threats are distributed denial of service attacks — in which a website or a company’s servers are flooded with traffic from many sources at once until they can no longer serve legitimate users — and “malicious insiders.”

Malicious insiders who, for example, steal files or compromise systems to allow hackers to get in, also pose a threat to public administrations and governments, ENISA’s study concludes.

Such malicious insiders are the most costly attack for the organization involved, the report finds.

ENISA’s Executive Director Udo Helmbrecht used the findings to argue that the agency should play a part in drafting common standards for evaluating the cost of attacks, to develop more reliable and comparable figures.

But until such guidelines are in place, Helmbrecht urged companies to take any cost analyses with a pinch of salt, and ensure that they are properly “contextualized” before drawing any conclusions.