Calculating the economic impact of security incidents on critical infrastructure remains elusive

With the rise of APTs and the continued interconnection of critical infrastructure business-technology systems with field systems and devices, attention to critical infrastructure security has never been higher. Nations around the world are building both offensive and (more slowly) defensive capabilities for cyber-attacks targeting critical infrastructure.

In an attempt to get a handle on the economic impact of attacks on critical infrastructure, the European Union Agency for Network and Information Security (ENISA) conducted a meta-analysis of recent studies on critical infrastructure attacks. If you’re not familiar with it, ENISA is a center of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA collaborates with these constituencies to develop advice and recommendations in information security.

The report, The cost of incidents affecting CIIs, was released last week. “A prevalent challenge for all stakeholders involved (decision makers, companies and others) is to identify the exact magnitude of incidents in terms of national or EU-wide economic impact. In this context, the aim of the study is to provide an estimate, on the basis of available public source information,” ENISA said in a statement.

According to ENISA, the continued reliance on these systems and their networked nature are resulting in a “new chapter of information security. One that can be called Security of Things. While modern economies rely on the newly developed cyber infrastructures, assuring their security has become the main priority of many actors (governments, companies etc.) as this may have implications for the protection of the economies and of business,” the organization wrote in the report.

“A prevalent challenge has been to identify the exact magnitude of incidents in terms of cost required for full recovery, and to determine the national or EU-wide economic impact. The purpose of this document is to take a first step in responding to this challenge, through which we have tried to identify if we currently are able to determine the real impact of incidents and, if not, what we can do in the future to enable that,” ENISA continued.

While there is no shortage of studies looking at information security incident costs, they are all different in their approach and perspective, ENISA found. “Each one of them examines the topic from a different perspective, focusing on certain industries, using different metrics, counting only certain types of incidents etc. The lack of a common approach and criteria for performing such an analysis has allowed the development of rarely comparable standalone studies, often relevant only in a certain context. Despite the lack of relevant studies in the EU on this topic, the systematic review undertaken allowed us to identify useful findings for future work in the field, and build an early impression on the current EU and worldwide status,” they wrote.

Among the main findings in the meta-study:

  • Finance, ICT and Energy sectors appear to have the highest incident costs.
  • The most common attack types for the Financial sector and ICTs appear to be DoS/DDoS and malicious insiders, with the latter affecting the Public Administration sector as well. It is very important to highlight that these two types on their own collectively constitute approximately half the annualized cost of all cybercrime.
  • The most expensive attacks are considered to be insider threats, followed by DDoS and web based attacks.
  • In terms of country loss, the values provided reach up to 1.6% of GDP in some EU countries.
  • Other studies mention figures like 425,000 to 20 million euro per company per year (Germany). Another study provides the average cost per company per year that can vary between 2.3 mil. and 15 mil. euro in 2015 [16]. One study also estimates the economic loss for the global economy to be from 330 to 506 billion euro (375 to 575 billion $).
  • Data seems to be the most affected asset.

According to ENISA, the lack of consistency among information security economic impact studies shows that many of the studies are of limited value, or are of value only to a specific context or audience. While some studies show annual economic impact per country, other studies provide cost per incident or per organization. Furthermore, some studies use real cost while others use approximations based on different techniques or on internal frameworks. “Despite the lack of comparable studies, this systematic review has allowed [us] to come up with compelling findings for future work in the field, and build an early view on the current situation in the EU and beyond,” ENISA wrote.

Let’s hope so, because concrete data and analysis are something the security industry needs desperately.