Measuring the costs of cybercrime is a guessing game

Davey Winder examines cyber breach cost analyses and finds them lacking


Recent research suggests the average annual cost of cybercrime to enterprises in the UK is a whopping 4.1 million.

The research in question, the 2015 Ponemon Institute Cost of Cyber Crime Study, arrived at that figure by taking the mean of a range running from 628,423 to 16 million in costs per company per year. This is all well and good in itself, but if you'll excuse the pun, what does it actually mean?


That all depends, of course, on what you measure to price up this cost. After all, cybercrime is a pretty broad brief to begin with. Ponemon appears to have opted for an approach that measures cost by including components beyond immediate cash loss, such as the time companies spend recovering from a breach. This would be useful if such a thing were actually quantifiable, but it really isn't in any meaningful way.

Let's see what Ponemon actually says in the report itself. It talks of examining the total costs incurred when responding to cybercrime incidents, including costs of detection, recovery, investigation and incident response management. Then it looks at what it refers to as 'after-the-fact activities', such as containing additional costs from business disruption and loss of customers.


Quite how you measure the cost of lost business opportunity as a consequence of reputational damage is, frankly, beyond me, unless by 'measure' you really mean 'guess'. Which, it seems, they do. After all, the report itself says the external costs were "captured using shadow-costing methods", and this involves, as I understand the concept, allotting 'shadow prices' (again, read 'guesses') to intangible assets so they can be quantified in such an analysis.


It's this fuzziness around the edges of trying to quantify loss in financial terms that worries me, and I'm not just pointing the finger at Ponemon here but any organisation that makes the attempt.

Whether you use this total-cost-of-breach methodology or the 'price per record' metric favoured by others doing the same kind of analysis, the fact remains that a very broad brush both sweeps all sorts of rubbish into the final figures and misses the finer detail that a smaller brush might have picked up.

I prefer Ponemon's approach to the cost-per-record approach, because at least there's some meaningful effort made to incorporate external factors into the maths. Unfortunately, even using shadow-costing methods it's pretty much impossible to put any realistic cost on something that is totally unknown. Take the consequences of intellectual property being stolen, for example. For a start you may not even know that it's been stolen; if you do, you probably won't know who has stolen it; and if you know that, you certainly won't know what they intend to do with it.


So, that leaves you with a cost (of the consequence of that IP theft) ranging from zero at one end to potentially millions at the other, and your business going under if a competitor uses the information to undercut you. Whichever end of the spectrum you opt for, you could be wrong. If you go for an average, you are almost certain to be wrong.

Therefore, I just don't think we can take this kind of monumental average costing seriously. Maybe there are CEOs and CFOs who speak this language, but it is fast becoming obsolete.

Dr Larry Ponemon, chairman and founder of the Ponemon Institute, says that "understanding of the financial impact can help organisations determine the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack", but this is only the case if the figures add up.

If you want to talk about bottom lines, then try this one for size: stop wasting time on metrics that do not matter and start concentrating on those metrics that can help determine how your business is being attacked and what you can do to mitigate those attacks.
