ENISA, the European Union Agency For Network And Information Security, has taken a look at “cost of cyber attack” studies and reckons they're not much good.
The agency is far too polite to put it that way, but in this report, it says there's no consistent approach to trying to quantify the cost of attacks on what it calls critical information infrastructures (CIIs).
“The measurement of the real impact of incidents in terms of the costs needed for full recovery proved to be quite a challenging task”, the report drily notes.
The study, The cost of incidents affecting CIIs, is a review eleven expert reports, two internal studies (provided by security vendors to customers), two public studies, and two reports by ENISA partners. The source studies were dated between 2013 and 2015.
The agency says there's plenty of information about, but the studies it analysed “examines the topic from a different perspective, focusing on certain industries, using different metrics, counting only certain types of incidents etc. The lack of a common approach and criteria for performing such an analysis has allowed the development of rarely comparable standalone studies, often relevant only in a certain context.”
Still, the authors – ENISA's Dr Dan Tofan, Theodoros Nikolakopoulos and Eleni Darra – were able to extract some insights from the studies they reviewed.
While it won't surprise anyone that the financial, ICT and energy sectors have the highest per-incident costs, denial-of-service and insider attacks are the most common incident types in finance and ICT.
Those two attack types are responsible for about half the “annualised cost of all cybercrime”, the report reckons.
The big problem comes when people try to quantify what an attack actually costs. The studies ENISA reviewed put costs anywhere from €425,000 to €20 million per company per year in Germany(from the Ponemon Institute); although it may be between €2.3 million and €15 million per company per year (also from the Ponemon Institute).
With error bars like that, it's impressive that ENISA was able to glean anything useful from the literature at all. Unsurprisingly, the report reckons if we're going to get a handle on what's happening, such studies need "a well-structured methodology".
What a novel idea ... ®