Examining the causes and costs of cyber incidents

Abstract: 
This research paper was written by Sasha Romanosky and published on August 8, 2016 in the Journal of Cybersecurity. The Journal of Cybersecurity publishes accessible articles describing research in the interdisciplinary world of computer, systems, and information security. Sasha Romanosky is a policy researcher at the RAND Corporation and former cyber policy advisor at the Pentagon in the Office of the Secretary of Defense for Policy (OSDP).

Many strategies and tools have been developed by states to protect themselves from cyber threats. But what about companies? Are they incentivized to invest in cyber security tools? Do the risks of cyber threats justify financial expenses? Rates of cyber events and litigation both show similar trends. They are more frequent and, consequently, more likely to be expensive for companies in terms of cyber security tools and judicial expenses. However, while it is generally accepted that the financial costs of cyber attacks are very high, this research shows the opposite. “We find that the cost of a typical cyber incident in our sample is less than $200,000 (about the same as the firm’s annual IT security budget), and that this represents only 0.4% of their estimated annual revenues.” The authors note shortcomings in how to quantify the financial costs of cyber attacks. “Assessing and predicting the costs of data breaches has been a struggle for many years because of the lack of quality data.” Thus, public concerns regarding the costs of cyber incidents may be excessive compared to the relatively modest financial impact on the targeted firms. This finding poses a problem in terms of cyber security. Because companies' expected losses are relatively low, they subsequently invest in only a modest amount of cyber protection. I think that the low financial cost of cyber threats should not undermine the quality and effectiveness of companies' cyber security strategies.
Author: 
Sasha Romanosky
Institution: 
Journal of Cybersecurity
Year: 
2016
Domains-Issue Area: 
Dimensions-Problem/Solution: 
Region(s): 
Industry Focus: 
Internet & Cyberspace
Datatype(s): 
Case Studies