Vol 8, issue 8

News analysis: Calculating the true cost of cyber-crime

28 August 2013
By Hugh Boyes

Some of the most serious cyber-security breaches have probably gone unreported into the public domain.

While governments state that cyber security is now one of their top national challenges, its overall cost-impact – both in terms of necessary investment and damaging outcomes following an attack – is far from clear.

Depending on their sources, the media and analysts quote the global cost of cyber-crime as anywhere between $100bn and $1tr annually – different reports and surveys are based on inconsistent parameters. This lack of continuity with respect to calculating the true cost-impact of cyber-attacks has, arguably, become a significant impediment to addressing the problem as effectively as the situation calls for.

If we are to tackle cyber security threats we need individuals and companies to understand the nature of the threats, and be able to assess the costs and consequences of not managing the risks. Unfortunately headline costs quoted in the media involve extrapolations from surveys and there is no commonly-agreed methodology behind the figures.

Some of the most serious cyber security breaches have probably gone unreported into the public domain, with the victims playing down the seriousness and costs to avoid reputational damage and other collateral harm. To encourage prudent investment by individuals and organisations in cyber security awareness, skills and technology, it is critical to understand the potential costs arising from a cyber-security incident, and how such incidents may arise.

So how close are we to developing a mechanism for properly assessing the financial impact of cyber-attacks?

An organisation that experiences a cyber-security breach is likely to incur costs in three main areas: tangible, which relate to direct financial losses such as loss of stock and penalties; intangible, which relate to the value and perception of the organisation; and operational, i.e. those costs associated with handling the incident and any remedial activities.

Underpinning these three areas there are usually six main generic cost types:

  • Administrative and recovery actions, including communications and business continuity activities, restoring the services or restocking and any other management activities to restore the organisation’s operations. These are effectively ‘opportunity costs’, where the organisation could have been using its resources for its day-to-day activities, but is instead compelled to divert management and staff time to addressing the fallout from the incident.
  • Intellectual property losses, such as patented information, copyright material, trade secrets, customer lists, and other commercially-sensitive information.
  • Penalties, which may be legal or regulatory fines (such as for data protection breaches), compensatory payments to customers (for inconvenience or consequential loss), or contractual compensation (for delays, etc).
  • Property losses, which may arise from losses of stock (whether physical or digital) or failure to deliver services, or from financial theft or fraud.
  • Reputation losses such as loss of goodwill, market value, reductions in share price, loss of customer or business partner confidence, etc.
  • Security activities, which may include investigation of the incident, supporting law enforcement authorities in their investigation, making backed-up records available, and putting in place enhanced security measures to prevent a repeat of the incident.

This model of cost-impact tabulation extends from organisations to people who might be affected by malicious cyber activity. These individuals will face some of these costs – tangible, intangible, and operational. Tangible costs include the loss of cash or investments through fraud, with potential for fines if the incident includes loss of third-party information or property, or if the individual's computer has been used for illegal activities. Intangible costs may be the loss of digital content of sentimental or archival value, or reputational damage through identity theft. On the operational front, costs could include the time and expense of trying to recover any losses, cleaning up any infections on personal computing devices, paying for legal or technical assistance, and so forth.

Now that the true cost-impact of cyber security is revealed the necessity to mitigate its deleterious effects becomes even more acute. Cyber security threats are not going away, and there are indications that their rate and complexity will increase in the coming years.

And although protective security solutions are highly effective guards against all manner of online threats, the fact is that salvation lies in greater availability of human skills. The IT security profession – in the UK and elsewhere – is increasingly realising that individuals and organisations that better understand and anticipate the potential losses that may be incurred during a cyber-security incident can make informed decisions about protecting their ICT systems.

Cyber Security Skills Alliance update

This understanding is one of the main drivers behind a new initiative – the recently formed Cyber Security Skills Alliance. The Cyber Security Skills Alliance, founded by the IET working with a range of partners from industry and academia, aims to develop and promote a series of initiatives to support the Institution’s members and others with a vested interest in information security professionalism. One of the Alliance’s primary objectives is to define a career path for cyber security professionals, with training development and qualifications that are linked through an achievable route. 

The Cyber Security Skills Alliance’s next aim is to facilitate a flow of highly-skilled ICT professionals that is adequate to meet this country’s strategic needs in the fight against online threats. As a leader in many areas of technology, the UK’s research and development centres – in academia and the commercial sector – are targeted by cyber-attacks every minute of every day. Successful attacks that misappropriate valuable intellectual property can be as damaging to the national economy as direct theft of funds from breached bank accounts.

For team leaders and senior managers a sponsorship scheme of cyber security MSc courses has been developed. This scheme aims to develop the technical and leadership skills of individuals who will be responsible for securing the design and operation of an organisation’s technology-based operations – important not only for IT departments, but also for those who use computer-based control systems in all industry sectors. The sponsorship scheme allows organisations to fund staff or high-calibre potential recruits through modular or full-time cyber security courses. The Cyber Security Skills Alliance will be supporting the alumni from these courses with a range of CPD opportunities to help them maintain awareness of trends and further skills development.

As initiatives such as smart grids, intelligent transport, smart cities and machine-to-machine technologies begin to roll out, it will become even more essential that each organisation has its own in-house cyber security expertise, and that that expertise is not confined to the ICT department but extended throughout the workforce: the cost of cybercrime is not a burden that should be borne by the ICT function alone.

More information, email: CyberSecurity@theiet.org
