Measuring the costs of cybercrime is a guessing game


Recent research suggests the average annual cost incurred by enterprises in the UK courtesy of cybercrime is a whopping 4.1 million.

The Ponemon research, 2015 Ponemon Institute of Cyber Crime Study, ended up with the figure by taking the mean from a range of 628,423 to 16 million in costs each year per company. This is all well and good in itself, but if you'll excuse the pun, what does it actually mean?

That all depends, of course, on what you measure to price up this cost. After all, cybercrime is a pretty broad brief to begin with. Ponemon appears to have opted for an approach that measures cost by including components beyond immediate cash loss, such as the time companies spend recovering from a breach. This would be useful if such a thing was actually quantifiable, but it really isn't in any meaningful way.

Let's see what Ponemon actually says in the report itself. It talks of examining the total costs incurred when responding to cybercrime incidents, including costs of detection, recovery, investigation and incident response management. Then it looks at what it refers to as 'after-the-fact activities', such as containing additional costs from business disruption and loss of customers.

Quite how you measure the cost of lost business opportunity as a consequence of reputation diminishment is, frankly, beyond me, unless by 'measure' you really mean 'guess'. Which, it seems, they do. After all, the report itself says the external costs were "captured using shadow-costing methods" and this involves, as I understand the concept, allotting 'shadow prices' (again, read 'guesses') to intangible assets so they can be quantified in such an analysis.

It's this fuzziness around the edges of trying to quantify loss in financial terms that worries me, and I'm not just pointing the finger at Ponemon here but any organisation that makes the attempt.

Whether you use this total cost of breach methodology, or the 'price per record' metric favoured by others doing the same kind of analysis, the fact of the matter remains that by using a very broad brush you both end up sweeping all sorts of rubbish into the final figures and missing some of the finer detail that a smaller brush might have picked up.

I prefer Ponemon's approach to the cost per record approach, because at least there's some meaningful effort made to incorporate external factors into the maths. Unfortunately, even using shadow costing methods it's pretty much impossible to put any realistic cost on something that is totally unknown. Take the consequences of intellectual property being stolen, for example. For a start you may not even know that it's been stolen; if you do, you probably won't know who has stolen it; and if you do know that, you certainly won't know what they intend to do with it.

So, that leaves you with a cost (of the consequence of that IP theft) ranging from zero at one end to potentially millions at the other, and your business going under if a competitor uses the information to undercut you. Whichever end of the spectrum you opt for, you could be wrong. If you go for an average, you are almost certain to be wrong.

Therefore, I just don't think we can take this kind of monumental average costing seriously. Maybe there are CEOs and CFOs who speak this language, but it is fast becoming obsolete.

Dr Larry Ponemon, chairman and founder of the Ponemon Institute, says that "understanding of the financial impact can help organisations determine the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack", but this is only the case if the figures add up.

If you want to talk about bottom lines then try this one for size: stop wasting time on metrics that do not matter and start concentrating on those metrics that can help determine how your business is being attacked and what you can do to mitigate those attacks.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.