Measuring the costs of cybercrime is a guessing game

Davey Winder examines cyber breach cost analyses and finds them lacking


Recent research suggests the average annual cost incurred by UK enterprises courtesy of cybercrime is a whopping 4.1 million.

The Ponemon research, 2015 Ponemon Institute of Cyber Crime Study, ended up with the figure by taking the mean from a range of 628,423 to 16 million in costs each year per company. This is all well and good in itself, but if you'll excuse the pun, what does it actually mean?

That all depends, of course, on what you measure to price up this cost. After all, cybercrime is a pretty broad brief to begin with. Ponemon appears to have opted for an approach that measures cost by including components beyond immediate cash loss, such as the time companies spend recovering from a breach. This would be useful if such a thing was actually quantifiable, but it really isn't in any meaningful way.

Let's see what Ponemon actually says in the report itself. It talks of examining the total costs incurred when responding to cybercrime incidents, including costs of detection, recovery, investigation and incident response management. Then it looks at what it refers to as 'after-the-fact activities', such as containing additional costs from business disruption and loss of customers.

Quite how you measure the cost of lost business opportunity as a consequence of reputational damage is, frankly, beyond me, unless by 'measure' you really mean 'guess'. Which, it seems, they do. After all, the report itself says the external costs were "captured using shadow-costing methods", and this involves, as I understand the concept, allotting 'shadow prices' (again, read 'guesses') to intangible assets so they can be quantified in such an analysis.

It's this fuzziness around the edges of trying to quantify loss in financial terms that worries me, and I'm not just pointing the finger at Ponemon here but any organisation that makes the attempt.

Whether you use this total cost of breach methodology, or the 'price per record' metric favoured by others doing the same kind of analysis, the fact of the matter remains that by using a very broad brush you both end up sweeping all sorts of rubbish into the final figures and missing some of the finer detail that a smaller brush might have picked up.

I prefer Ponemon's approach to the cost per record approach, because at least there's some meaningful effort made to incorporate external factors into the maths. Unfortunately, even using shadow costing methods it's pretty much impossible to put any realistic cost on something that is totally unknown. Something like the consequences of intellectual property being stolen, for example. For a start you may not even know that it's been stolen, and if you do you probably won't know who has stolen it, and if you do you certainly won't know what they intend to do with it.

So, that leaves you with a cost (of the consequence of that IP theft) ranging from zero at one end to potentially millions at the other, and your business going under if a competitor uses the information to undercut you. Whichever end of the spectrum you opt for, you could be wrong. If you go for an average, you are almost certain to be wrong.

Therefore, I just don't think we can take these kinds of monumental average costings seriously. Maybe there are CEOs and CFOs who speak this language, but it is fast becoming obsolete.

Dr Larry Ponemon, chairman and founder of the Ponemon Institute, says that "understanding of the financial impact can help organisations determine the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack", but this is only the case if the figures add up.

If you want to talk about bottom lines then try this one for size: stop wasting time on metrics that do not matter and start concentrating on those metrics that can help determine how your business is being attacked and what you can do to mitigate those attacks. 
