Measuring the Risks of Cyber Attack

Most studies that examine the impact of cyber attack tend to focus on a combination of direct and indirect costs. Direct costs include forensic investigations, financial penalties, legal fees, hardware and software upgrades, etc. The approach is typified by the annual Cost of Data Breach Study performed by the Ponemon Institute, now in its eighth year. The most recent study examines the costs incurred by 277 companies in 16 industry sectors from 9 countries. According to the study, average data breach costs per organisation range between $1.1M and $5.4M for the selected countries. Estimates include losses related to reputational harm, lower sales, the loss of intellectual property, and other forms of indirect costs, which can account for as much as 68 percent of the total cost of a data breach.

Since indirect costs are far harder to measure accurately than direct costs, and yet are proportionally more significant, estimates for the average cost of a data breach have a high margin of error. Therefore, the actual costs incurred by organisations that suffer a data breach may be far higher or lower than the estimates provided by official studies.

A recent joint study performed by McKinsey and Company and the World Economic Forum presents a very different perspective on the risks of cyber attack. The results of the study are published in the report Risk and Responsibility in a Hyperconnected World, released earlier this week. It examines the global impact of cyber attacks and highlights risks often overlooked by conventional studies that focus on narrow definitions of direct and indirect costs. These include opportunity risks, especially in the areas of cloud computing, data analytics and mobility. According to the study, such technological trends could create $10 trillion – $20 trillion in value for the global economy by 2020. Cyber risks lead to lower levels of trust and slower rates of adoption for cloud, big data and mobile technologies. The net result is that the risk of cyber attacks could lead to as much as $3 trillion in lost productivity and growth if it is not effectively managed before the end of the decade.

The study surveyed over 250 industry leaders across 7 sectors and 3 regions. 65 percent of respondents rated malicious external and internal attacks as the most likely risk to have a negative strategic impact upon their business. 69 percent believe that the sophistication or pace of attacks will continue to outpace the ability of institutions to defend against such attacks, in spite of the fact that global spending on cyber security is expected to rise from $69 billion in 2013 to over $123 billion in 2020.

The study presents a proactive roadmap to build public and private sector capabilities designed to address cyber risks and accelerate innovation and growth. The roadmap includes prioritising information assets based on business risks; scaling security efforts based on the importance of assets; integrating security into every area of technology, from development to decommissioning, as well as into business operations; deploying active defences to uncover attacks; continuous testing; and security awareness training.