The Economic Measurement of Cyber Incidents

Abstract

In recent decades, Information and Communication Technologies (ICT) have significantly evolved, further establishing the information society. However, ICT systems are subject to security incidents, and most malicious attacks have cascading effects. Decision-makers need to understand the potential financial effects of incidents if they wish to clearly perceive the potential risks and thus make an appropriate allocation of resources to ICT security.
Our research attempts to develop a comprehensive toolset for the analysis of cybersecurity incidents. The toolset is based on conventional methodologies of cash-flow evaluation and balance of payments. We discuss several use cases of real-world examples with incidents affecting essential service providers and manufacturers. The case studies involve incidents affecting energy service providers, banks, water utilities, aircraft manufacturers, car manufacturers, IT software providers, air, rail, and water transport companies, the pharmacy, and the health sector. Analysis of the incidents involves our framework being applied at three levels: organisational, governmental, and international.