In November 2017, the Danish shipping giant AP Møller-Mærsk cut its profit guidance, citing the lingering effects of a June cyber attack. Its third-quarter report to investors stated that the incident had dented profitability by “$250-300 million”, on account of “reduced volumes and increasing unit costs” (AP Møller-Mærsk 2017). The same attack also hit British multinational Reckitt Benckiser, maker of household-name pharmaceuticals and cleaning products. No official cost figure has been made public yet, but analysts estimate the damage at around $140 million. In September, US consumer credit reporting agency Equifax disclosed a data breach affecting 143 million Americans, whose sensitive personal information ended up online. Three months after the announcement, the company’s stock price was still down by 20%. These are only two out of several recent cyber incidents that had substantial economic consequences.
One may conclude that some longstanding market leaders are starting to lose their sheen because they are not able to keep up with the fast pace of technological progress. Companies that were established more than 100 years ago may have failed to develop enough flexibility to survive in the digital economy, and they are now vulnerable to internet-focused competitors and cybercriminals alike.
But this doesn’t appear to be the case; new-generation businesses are being hacked too. Uber, the ride-hailing company that has become a symbol of technological disruption, was hit by a massive cyber attack in 2016. Not only did it fail to disclose the incident to the authorities, it also allegedly attempted to bribe the perpetrators into silence. The jury’s still out on how much this incident will cost, but the amount is unlikely to be small.
The cost of cyber attacks: Measurement and modelling challenges
So what is the overall cost of cyber attacks for our economies? We still don’t know much. In May 2017, finance ministers and central bank governors of G7 countries acknowledged the existence of a data gap on the economic dimensions of cybersecurity; they called on “international organizations and governmental institutions in partnership with the private sector” to deliver “reliable, impartial, comprehensive and widely accessible” information (G7 2017) upon which policy decisions could be based.
Measuring the simplest of variables, the frequency of incidents, is already quite challenging. Victims have scant incentives to disclose attacks, even in the presence of legal obligations; the reputational costs and subsequent loss of competitiveness can outweigh the benefits of information sharing (Gal-or and Ghose 2005, Laube and Böhme 2016). When it comes to economic impact, the endeavour becomes significantly more difficult for conceptual and practical reasons.
First of all, there is no shared definition of what constitutes the cost of a cyber attack. Most existing studies focus on the damage suffered by businesses that are directly hit by hackers, and even within this limited scope, some components are intrinsically uncertain.
According to the taxonomy used in the UK Cyber Security Breaches Survey, the only example of official statistics in this field, victims should compute the cost of an attack by adding up items in three categories:
- Direct effects, such as lost revenue from business interruption, and other losses from data theft or destruction
- Recovery activities, including extra workload to deal with the breach, and expenditure to repair equipment or infrastructure
- Long-term effects, such as fines, legal costs, and loss of share value or funding
The UK government warns that “this [last] set of costs is likely to be more difficult for firms to estimate, meaning these figures are likely to have higher margins of error”. It also notes that a general reliability problem may exist because “it is very uncommon for businesses to monitor the financial cost of cyber security breaches” (UK Department for Culture, Media and Sport 2017).
Second, a growing body of evidence shows that the distribution of costs is highly asymmetrical, which limits the information content of most survey-based estimates. Edwards et al (2016) find that the size of breaches catalogued in the Privacy Rights Clearinghouse dataset[1] follows a log-normal distribution. Bank of Italy data indicate that in 2016 the overwhelming majority of attacks against Italian nonfinancial private firms caused direct and recovery costs below €50,000, but one in a thousand victims reported damages of at least €200,000 (Biancotti 2017).
Figure 1. Monetary costs of all cyber attacks suffered in 2016, at the firm level (kernel density estimate; cost in euros)
Note: respondents had the option of answering the cost question by choosing a bracket rather than indicating a point estimate. The upper bracket was open (“€ 200,000 and over”) and for purposes of readability it was capped at €300,000 in this chart. The figure should not be interpreted as an actual upper bound.
The Cyber Security Breaches Survey tells a similar story for the UK, with a handful of serious incidents doing more harm than all of the run-of-the-mill attacks combined. However, we still do not know how large the average mega-breach is, nor the total cost of all of them put together – data-collection techniques employed so far are not geared towards the measurement of tail events.
Third, aggregation is not straightforward. Economy-wide damage is not the sum of costs borne by firms whose systems were hacked; cyber vulnerabilities have negative externalities (Biancotti et al. 2017) and only some of those end up being internalised by those who are hit (e.g. through court-ordered compensation of customers whose personal data have been stolen during an attack). How do we compute the cost of a four-hour blackout affecting a major city, if all we have as a starting point is an estimate of the damage suffered by the energy distributor that was hacked?
These issues are not easy to tackle, but a solution must be found, as lack of information is per se a cause of vulnerability. At the firm level, an incomplete understanding of how much damage a cyber attack can inflict yields underinvestment in security; indeed, the Bank of Italy dataset shows that the median firm with at least 20 employees spends a mere €4,530 on cyber defence, or 15% of a typical worker’s annual gross wages. Since cyberspace is highly interconnected, this results in an unsafe operating environment even for those firms that make security a priority.
Without time series data on incidents and damage, options for risk transfer are also limited, as insurance companies have a hard time pricing coverage. In 2015 the sum of gross written premiums for stand-alone cyber insurance in OECD countries was estimated at a mere $2.5 billion, compared to $277 billion for fire and property insurance, and $171 billion for general liability (OECD 2017). As yet unpublished Bank of Italy data show that in September 2017, nearly 80% of firms did not have any form of insurance against cyber risk; coverage rates were higher only in the ICT sector (Biancotti and Cristadoro forthcoming). Finally, absence of data hurts policy design and, crucially, evaluation.
Table 1 Prevalence of cyber insurance, by technological intensity of activity sector, September 2017 (share of firms)
A road map for improving indicators
Improving the quality of cost indicators requires progress in a variety of fields. As an initial step, some groundwork is called for in order to develop shared definitions of the economic cost of cyber attacks at various levels – individual, firm, sector, economy, group of economies – and common standards to measure those costs. Work is already underway in this area – the OECD established an international expert group, and the US Department of Homeland Security (Livingston et al. 2017) recently proposed a measurement framework.
It is also important to pursue research on how best to integrate multiple data sources. Given the complexity of the phenomenon, it is unlikely that meaningful estimates can be obtained from a single dataset, no matter how good. Available surveys use the firm as a sampling unit. This serves the important purpose of showing the consequences of an attack on a firm’s economic performance, but it leaves the aggregation problem unsolved. Such surveys should be supplemented with others where incidents are the sampling unit; since no census of incidents exists, appropriate sampling frames have to be conjured from external sources – for example, incident notification archives managed by national data protection authorities, or lists of attacks such as the one maintained by the Center for Strategic and International Studies (2017).
Furthermore, given the importance of infrequent, large attacks, all data collection and estimation tools should be designed with rare events in mind. In the case of surveys, the literature suggests oversampling the right tail whenever one wants to measure a skewed, long-tailed variable, since under-reporting and non-response are significantly higher in the right tail than in the rest of the distribution. Survey results can be usefully verified and integrated with qualitative information on serious attacks – which malware was used, how rapidly it spread across networks, how long it stayed undetected, etc. Big data techniques can be leveraged to integrate heterogeneous, non-structured datasets covering the various dimensions of cybersecurity. The private sector is experimenting with these techniques (Lloyd’s 2017), and official statistics need to catch up.
Finally, while the combined effect of these methodological issues suggests that the cost of cyber attacks will never be estimated with the same precision achieved, say, for annual working hours, this is not necessarily a damning obstacle for policy design and evaluation. Selecting the right policy requires knowing which pieces of legislation, norms, and regulations were most successful in containing the economic impact of attacks. If sources of bias in measurement are well understood, it is possible to derive unbiased estimators of variations in frequency and cost of attacks over time, even if the absolute levels cannot be pinned down exactly.
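The two statistical points made above (a log-normal cost distribution whose total is dominated by a handful of tail incidents, and the case for oversampling or re-weighting the right tail where non-response is heavier) can be made concrete with a small simulation. The following script is an added illustration for this column, not code from the author or from the Bank of Italy: the distribution parameters (median €1,000, log-scale spread 2), the response rates by cost band and the deterministic thinning rule are all constructed assumptions, chosen only to reproduce the qualitative pattern described in the text.

```python
"""Heavy-tailed incident costs and survey non-response: an added illustration.

All numbers are constructed assumptions (a log-normal cost distribution with an
assumed median and spread, and assumed response rates), not survey data.
Requires Python 3.8+ for statistics.NormalDist.
"""
import math
import statistics
from typing import List, Tuple

# Assumed shape of firm-level attack costs in euros: log-normal, the form
# Edwards et al (2016) report for breach sizes. Parameters are illustrative.
MEDIAN_COST_EUR = 1_000.0
LOG_SIGMA = 2.0
# The open upper bracket of the Italian survey question, used here as the
# boundary between "run-of-the-mill" and "serious" incidents.
TAIL_THRESHOLD_EUR = 200_000.0


def quantile_sample(n: int, median: float = MEDIAN_COST_EUR,
                    sigma: float = LOG_SIGMA) -> List[float]:
    """A deterministic 'typical' sample of n incidents: the n mid-point
    quantiles of the assumed distribution, ascending. Using quantiles instead
    of random draws keeps every figure below reproducible."""
    dist = statistics.NormalDist(math.log(median), sigma)
    return [math.exp(dist.inv_cdf((i + 0.5) / n)) for i in range(n)]


def true_mean(costs: List[float]) -> float:
    """Mean cost over the full population of incidents (what a census would see)."""
    return statistics.mean(costs)


def tail_shares(costs: List[float],
                threshold: float = TAIL_THRESHOLD_EUR) -> Tuple[float, float]:
    """Return (share of incidents at or above threshold,
               share of total cost those incidents account for)."""
    tail = [c for c in costs if c >= threshold]
    return len(tail) / len(costs), sum(tail) / sum(costs)


def survey_responses(costs: List[float],
                     threshold: float = TAIL_THRESHOLD_EUR) -> List[Tuple[float, float]]:
    """Stand-in for differential non-response (assumed rates): one in two
    small victims answers, only one in four large victims does. Thinning is
    done by position rather than by random draw so results are reproducible.
    Each answer is returned with the inclusion probability it was sampled at."""
    small = [c for c in costs if c < threshold]
    large = [c for c in costs if c >= threshold]
    return [(c, 0.5) for c in small[::2]] + [(c, 0.25) for c in large[::4]]


def naive_mean(responses: List[Tuple[float, float]]) -> float:
    """Plain average of what respondents report, ignoring who did not answer."""
    return statistics.mean([c for c, _ in responses])


def weighted_mean(responses: List[Tuple[float, float]]) -> float:
    """Inverse-probability weighting: each answer counts 1/p, where p is the
    response rate of its cost band. This is the estimator that makes
    oversampling (or under-responding) strata usable when the rates are known."""
    numerator = sum(c / p for c, p in responses)
    denominator = sum(1.0 / p for _, p in responses)
    return numerator / denominator


def run_demo(n: int = 10_000) -> dict:
    """Compute the headline figures for a constructed population of n incidents."""
    costs = quantile_sample(n)
    incident_share, cost_share = tail_shares(costs)
    responses = survey_responses(costs)
    return {
        "tail_incident_share": incident_share,
        "tail_cost_share": cost_share,
        "true_mean": true_mean(costs),
        "naive_survey_mean": naive_mean(responses),
        "weighted_survey_mean": weighted_mean(responses),
    }


if __name__ == "__main__":
    r = run_demo()
    print(f"incidents >= EUR 200k: {r['tail_incident_share']:.2%} of cases, "
          f"{r['tail_cost_share']:.1%} of total cost")
    print(f"true mean {r['true_mean']:,.0f}  naive survey mean "
          f"{r['naive_survey_mean']:,.0f}  weighted survey mean "
          f"{r['weighted_survey_mean']:,.0f}")
```

Under these assumptions well under 1% of incidents cross the €200,000 bracket, yet they carry a large share of total cost; an unweighted survey mean then understates the true mean because three quarters of the costly victims never answer, and re-weighting by the known response rates closes most of that gap. It does not close all of it: the very largest incidents are simply absent from the respondent set, which is the "we still do not know how large the average mega-breach is" problem in miniature. Note also that if the same respondents answered in two consecutive years, the level would be biased by the same factor both times and the ratio between years would be unaffected, which is the sense in which changes over time can be estimated even when levels cannot.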
AP Møller-Mærsk (2017), Interim Report 2017 – Q3.
Biancotti, C and R Cristadoro (forthcoming), “The market for cyber risk insurance: Evidence from the Italian private sector”, Bank of Italy, Occasional Papers.
Biancotti, C (2017), “The price of cyber (in)security: Evidence from the Italian private sector”, Bank of Italy, Occasional Papers no 407.
Biancotti, C, R Cristadoro, S Di Giuliomaria, A Fazio and G Partipilo (2017), “Cyber attacks: An economic policy challenge”, VoxEU.org, 23 June.
Center for Strategic and International Studies (2017), “Significant cyber incidents since 2006”.
Edwards, B, S Hofmeyr and S Forrest (2016), “Hype and heavy tails: A closer look at data breaches”, Journal of Cybersecurity 2(1).
Gal-or, E and A Ghose (2005), “The economic incentives for sharing security information”, Information Systems Research 16(2).
G7 (2017), G7 Finance Ministers and Central Banks’ Governors Meeting Communiqué.
Laube, S and R Böhme (2016), “The economics of mandatory security breach reporting to authorities”, Journal of Cybersecurity 2(1): 29-41.
Livingston, O, M Shabbat and T Cheesebrough (2017), “Cost of cyber incidents”, presented at the 16th Workshop on the Economics of Information Security.
Lloyd’s (2017), Counting the cost: Cyber exposure decoded.
OECD (2017), Enhancing the role of insurance in cyber risk management.
UK Department for Culture, Media and Sport (2017), Cyber security breaches survey: Main report.
[1] At the time of writing, the Privacy Rights Clearinghouse dataset listed 7,852 public-record data breaches that resulted in exposure of personal information between 2005 and 2017.