Cyber-crime is increasing but according to the European Union Agency for Network and Information Security (ENISA) figuring out just how much it costs governments and businesses is anyone's guess.
The report, published by the pan-European body under the title The Cost of Incidents affecting CIIs (Critical Information Infrastructures), said that the “lack of a common approach and criteria for performing such an analysis has allowed the development of rarely comparable standalone studies, often relevant only in a certain context”.
It said the most notable conclusion reached from the study was that the measurement of the real impact of incidents in terms of the costs needed for full recovery proved to be “quite a challenging task.”
According to the report's authors, Dr Dan Tofan, Theodoros Nikolakopoulos and Eleni Darra, determining cost values that are as close as possible to reality is a “key to determining the real economic impact of incidents on EU's economy. Knowing the real impact can help define proper, coherent and cost effective mitigation policies”.
The organisation also said that there is a lack of a unified and standardised approach to developing such studies, with such documents driven more by business factors than by any “realistic needs”.
“Determining realistic cost values is key to outline the economic impact of cyber incidents on the EU's economy. ENISA can play a significant role in the future, on developing work that takes into account all critical variables that define the EU cyber-space, given that all the necessary resources have been allocated,” said ENISA's executive director Prof. Udo Helmbrecht.
The report also found that the finance, ICT and energy sectors have the highest incident costs, while the most common cyber-attack types for the financial sector and ICT appear to be DoS/DDoS and malicious insiders. The costliest attacks are considered to be insider threats, followed by DDoS and web-based attacks.
Fraser Kyne, regional SE director at Bromium, told SCMagazineUK.com that the impact of a cyber-crime incident can be widespread and intangible, and the relative importance (and therefore value) of each component can differ across verticals. “For some businesses the damage to reputation is of utmost concern, but is very hard to put a finger on, for example.”
“The IT security industry will always fan the flames in order to justify customer spending. But this is just Lemsip for a cold – treating the symptoms rather than the disease itself,” he said.
Andrew Rogoyski, VP of Cyber Security Services at CGI UK, told SC that part of the challenge is that cyber risk isn't like any other risk insurers and reinsurers have ever had to underwrite. “There is limited publicly available data on the scale and financial impact of attacks and this issue is further heightened by the speed with which the threats are evolving and proliferating.”
“While underwriters can estimate the likely cost of systems remediation, there simply isn't enough historical data to evaluate potential losses resulting from reputational damage or compensation to customers, suppliers and other subjective factors. As a result, many insurance providers are hesitant to embrace cyber insurance due to the potential risk to their business,” he added.