Aug. 10 — Measuring the true economic impact of security incidents on critical information infrastructures (CIIs) is extremely difficult, the European Union Agency for Network and Information Security (ENISA) concluded in a report released Aug. 10.
CIIs are “systems that provide the resources on which all functions of society depend upon, of which a possible incapacitation or destruction, would have a significant effect on the security, economy and/or health of society as a whole,” the report said.
Studies on the economic impact of cybersecurity attacks on CII lack a unified and standardized approach because business factors often drive the development of the studies rather than the needs of stakeholders, the report said. As a result, there is great difficulty in determining the real economic impact of cybersecurity incidents to the EU.
Lack of Common Approach
ENISA conducted a systematic review to determine the total cost for a full recovery from a cybersecurity incident on CII by analyzing 17 studies that examined the different economic impacts of cybersecurity incidents.
The report is ENISA’s attempt to make up for the lack of a common approach in past studies that examined cybersecurity incidents from different perspectives, only looking at certain industries, using different metrics or only including certain types of incidents.
“The aim of the study is to assess the economic impact of incidents that affect CIIs in EU, based on existing work done by different parties, and set the proper ground for the future work of ENISA in this area,” the report said.
The main finding of the study include:
• finance, information and communications technology and energy sectors appear to suffer the most expensive cybersecurity incidents;
• the most common type of attack, which also counts for approximately half of the annual cost of cybercrime, are denial of service and distributed denial of service (DDoS) attacks and malicious insider attacks;
• insider attacks are the most expensive type of attack, followed by DDoS and web-based attacks;
• individual EU countries lose as much as 1.6 percent of gross domestic product per year in cybersecurity incidents, and some studies measure the average dollar amount that companies lose per year, with differing results and other studies estimate the total cost to the global economy; and
• data are the most affected assets.