Measuring the costs of cybercrime is a guessing game

Davey Winder examines cyber breach cost analyses and finds them lacking

Money

Recent research suggests the average annual cost incurred by enterprises in the UK courtesy of cybercrime is a whopping 4.1 million per year.

The Ponemon research, 2015 Ponemon Institute of Cyber Crime Study, ended up with the figure by taking the mean from a range of 628,423 to 16 million in costs each year per company. This is all well and good in itself, but if you'll excuse the pun, what does it actually mean?

That all depends, of course, on what you measure to price up this cost. After all, cybercrime is a pretty broad brief to begin with. Ponemon appears to have opted for an approach that measures cost by including components beyond immediate cash loss, such as the time companies spend recovering from a breach. This would be useful if such a thing was actually quantifiable, but it really isn't in any meaningful way.

Let's see what Ponemon actually says in the report itself. It talks of examining the total costs incurred when responding to cybercrime incidents, including costs of detection, recovery, investigation and incident response management. Then it looks at what it refers to as 'after-the-fact activities', such as containing additional costs from business disruption and loss of customers.

Quite how you measure the cost of lost business opportunity as a consequence of reputation diminishment is, frankly, beyond me, unless by measure' you really mean guess'. Which, it seems, they do. After all, the report itself says the external costs were "captured using shadow-costing methods" and this involves, as I understand the concept, allotting 'shadow prices' (again, read guesses') to intangible assets so they can be quantified in such an analysis.

It's this fuzziness around the edges of trying to quantify loss in financial terms that worries me, and I'm not just pointing the finger at Ponemon here but any organisation that makes the attempt.

Whether you use this total cost of breach methodology, or the 'price per record' metric favoured by others doing the same kind of analysis, the fact of the matter remains that by using a very broad brush you both end up sweeping all sorts of rubbish into the final figures and missing some of the finer detail that a smaller brush might have picked up.

I prefer Ponemon's approach to the cost per record approach, because at least there's some meaningful effort made to incorporate external factors into the maths. Unfortunately, even using shadow costing methods it's pretty much impossible to put any realistic cost on something that is totally unknown. Something like the consequences of intellectual property being stolen, for example. For a start you may not even know that it's been stolen, and if you do you probably won't know who has stolen it, and if you do you certainly won't know what they intend to do with it.

So, that leaves you with a cost (of the consequence of that IP theft) ranging from zero at one end to potentially millions at the other, and your business going under if a competitor uses the information to undercut you. Whichever end of the spectrum you opt for, you could be wrong. If you go for an average, you are almost certain to be wrong.

Therefore, I just don't think we can take these kind of monumental average costings seriously. Maybe there are CEOs and CFOs who speak this language, but it is fast becoming obsolete.

Dr Larry Ponemon, chairman and founder of the Ponemon Institute, says that "understanding of the financial impact can help organisations determine the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack", but this is only the case if the figures add up.

If you want to talk about bottom lines then try this one for size: stop wasting time on metrics that do not matter and start concentrating on those metrics that can help determine how your business is being attacked and what you can do to mitigate those attacks. 

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

DeviceSHIELD combats rising cyber attacks and online fraud amid COVID-19
Security

DeviceSHIELD combats rising cyber attacks and online fraud amid COVID-19

24 Nov 2020
350,000 Spotify users hacked in credential stuffing attack
Security

350,000 Spotify users hacked in credential stuffing attack

24 Nov 2020
WAPDropper malware hooks you up to premium telecoms services
Security

WAPDropper malware hooks you up to premium telecoms services

24 Nov 2020
VMware sounds alarm over zero-day flaws in multiple products
Security

VMware sounds alarm over zero-day flaws in multiple products

24 Nov 2020

Most Popular

Cisco acquires container security startup Banzai Cloud
Security

Cisco acquires container security startup Banzai Cloud

18 Nov 2020
macOS Big Sur is bricking some older MacBooks
operating systems

macOS Big Sur is bricking some older MacBooks

16 Nov 2020
46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020