Cyber-crime cost calculation studies are rubbish: ENISA

Do I have a bid for millions? Hundreds of millions? Security wonks say the auction's bunk


ENISA, the European Union Agency For Network And Information Security, has taken a look at “cost of cyber attack” studies and reckons they're not much good.

The agency is far too polite to put it that way, but in this report, it says there's no consistent approach to trying to quantify the cost of attacks on what it calls critical information infrastructures (CIIs).

“The measurement of the real impact of incidents in terms of the costs needed for full recovery proved to be quite a challenging task”, the report drily notes.

The study, The cost of incidents affecting CIIs, is a review of eleven expert reports, two internal studies (provided by security vendors to customers), two public studies, and two reports by ENISA partners. The source studies were dated between 2013 and 2015.

The agency says there's plenty of information about, but each of the studies it analysed “examines the topic from a different perspective, focusing on certain industries, using different metrics, counting only certain types of incidents etc. The lack of a common approach and criteria for performing such an analysis has allowed the development of rarely comparable standalone studies, often relevant only in a certain context.”

Still, the authors – ENISA's Dr Dan Tofan, Theodoros Nikolakopoulos and Eleni Darra – were able to extract some insights from the studies they reviewed.

While it won't surprise anyone that the financial, ICT and energy sectors have the highest per-incident costs, denial-of-service and insider attacks are the most common incident types in finance and ICT.

Those two attack types are responsible for about half the “annualised cost of all cybercrime”, the report reckons.

The big problem comes when people try to quantify what an attack actually costs. The studies ENISA reviewed put costs anywhere from €425,000 to €20 million per company per year in Germany (from the Ponemon Institute); although it may be between €2.3 million and €15 million per company per year (also from the Ponemon Institute).

With error bars like that, it's impressive that ENISA was able to glean anything useful from the literature at all. Unsurprisingly, the report reckons if we're going to get a handle on what's happening, such studies need "a well-structured methodology".

What a novel idea ... ®
