CO ST OF A CYBER INCIDENT: S YSTEMATIC REVIEW AND C ROSS-VALIDATION OCTOBER 26, 2020 1 Acknowledgements We are grateful to Dr. Allan Friedman, Dr. Lawrence Gordon, Jay Jacobs, Dr. Sasha Romanosky, Matthew Shabat, Kelly Shortridge, Steven Surdu, David Tobar, Brett Tucker and Sounil Yu for the review comments and helpful feedback on the earlier draft of the report. The authors would like to thank CISA staff for support and advice on this project. 2 Table of Contents 1. Objectives .................................................................................................................................................................... 7 2. Results in Brief .......................................................................................................................................................... 8 3. Analysis ...................................................................................................................................................................... 16 3.1. Per-Incident Cost and Loss Estimates .............................................................................................. 18 3.1.1. Cross-Validation: Primary Loss Data for Large and Small Incidents .................................. 20 3.1.2. Reconciliation of Per-Incident Cost Studies .................................................................................. 26 3.1.3. Per-Record Estimates ............................................................................................................................. 29 3.2. Aggregate Loss or Impact Estimates on the National Scale .................................................... 30 3.2.1. Reconciliation of Aggregate Results ................................................................................................. 31 3.3. Research on the Short- and Long-Term Impacts of Cyber Incidents .................................. 33 3.4. Individual Case Studies of Sets of Hypothetical Scenarios ...................................................... 37 4. Summary of Defensible Estimates and Scaling Limitations ................................................................. 40 4.1. Factors Influencing the Scaling of Per-Event Estimates ........................................................... 41 4.2. A Comparison of Per-Event Costs from Two Datasets Scaled to the National Level .... 45 5. Conclusion ................................................................................................................................................................ 49 5.1. OCE’s Contribution ................................................................................................................................... 49 5.2. Existing Challenges and Proposed Solutions ................................................................................ 49 5.3. Practical Alternatives and Additional Research .......................................................................... 52 Appendix A – Sources and Methods .......................................................................................................................... 54 Appendix B – Detailed Literature Review .............................................................................................................. 57 Appendix C – Itemized Cost of Large Incidents ................................................................................................. 103 Appendix D – Itemized Cost, Smaller Incidents ................................................................................................ 111 References ........................................................................................................................................................................ 124 3 List of Tables Table 1: Summary of the Key Per-Incident Loss Estimates ................................................................................. 10 Table 2: Summary of the Aggregate Loss Estimates (U.S. and Global) ............................................................ 13 Table 3: Summary of the Scenario-Based Loss Estimates .................................................................................... 15 Table 4: Summary of the Key Per-Incident Loss Estimates ................................................................................. 19 Table 5: Costs, Cost-to-Revenue Ratios, and People Affected (Large Incident Sample) .......................... 21 Table 6: Costs, Cost-to-Revenue Ratios, and People Affected (Smaller Incident Sample) ...................... 24 Table 7: Summary of the Aggregate Estimates (U.S. and Global) ...................................................................... 32 Table 8: Summary of the Scenario-Based Study Loss Estimates ....................................................................... 39 Table 9: Verizon (2018, 2019) Incident and Breach Counts ............................................................................... 45 Table 10: Base Estimate of Public Sector Direct Losses, $ Thousands ............................................................ 45 Table 11: Annual Total Incident Cost Scenarios ....................................................................................................... 47 Table 12: Additional Aggregate Loss Estimate Scenarios, $ Thousands ........................................................ 48 Table 13: List of OCE’s Search Terms ............................................................................................................................ 54 Table 14: List of OCE’s Mandatory and Non-Mandatory Selection Criteria .................................................. 55 Table 15: Romanosky (2016) Summary of Per-Event Costs by Event Type, $ Millions ........................... 58 Table 16: Romanosky (2016) Government-Sector Per-Incident Losses, $ Millions .................................. 59 Table 17: Counterfactual Annual Loss Estimates for Government Subset, $ Millions .............................. 61 Table 18: NetDiligence (2017, 2018, 2019) Summary of Per-Event Costs .................................................... 64 Table 19: NetDiligence (2019) Per-Event Cost by Cost Category, $ Thousands ......................................... 65 Table 20: NetDiligence (2017, 2018, 2019), Romanosky (2016), and Cyentia (2020) Per-Event Costs ....................................................................................................................................................................................................... 67 Table 21: NetDiligence (2019) Cost per Incident by Loss Category ................................................................. 68 Table 22: RBS (2018) Summary of Per-Event Costs (U.S.) ................................................................................... 70 Table 23: Ponemon Institute (2017b), U.S. Per-Event Cost by Cost Category ............................................. 71 Table 24: Ponemon Institute (2017b) Data Breach Cost by Cost Category................................................... 72 Table 25: Ponemon (2017b) Cost Estimate by Mean Detection and Containment Time ........................ 73 -Event Investigation Costs ...................................... 74 ................................................................... 75 Table 26:28: Baker Hostetler (2018,(2017‒2020) 2019, 2020) Average Top Per Causes of Cyber Incidents .......................................... 76 Table 27:29: KasperskyBaker Hostetler Lab (2017, (2017‒2019) 2018) Average Incident Breach Response Cost Time by Category ................................................... 78 Table 30: Cisco (2018a, 2019) Distribution of the Cost of the Most Impactful Breach ............................ 80 Table 31: Hiscox (2018, 2019) Mean U.S. Per-Company Cost of All Incidents, $ ........................................ 81 Table 32: Hiscox (2017, 2018) Mean Cost of Largest Incident (U.S. Companies)....................................... 82 Table 33: Distribution of the Hourly Cost of a DDoS Attack ................................................................................ 83 Table 34: Biener et al. (2015) Summary of Loss Estimates by Risk Type, $ Millions ............................... 84 Table 35: Biener et al. (2015) Cyber and Non-Cyber Risk Losses, $ Millions ............................................... 85 Table 36: Anthem Revenue, Net Profit, and Net Profit Margin (2013‒2017) .............................................. 86 Table 37: McAfee (2013, 2014, 2018) Aggregate Estimates (U.S. and Global), $ Billions ....................... 91 Table 38: Total BEC/EAC Victim Count and Exposed Dollar Losses (BEC/EAC Statistics Reported to the IC3 and Derived from Multiple Sources) .............................................................................................................. 93 Table 39: BEC Victim Count and Exposed Dollar Losses (BEC/EAC Statistics Reported in Victim Complaints Where a Country was Identified) ........................................................................................................... 93 Table 40: Norton Reports (2015‒2017) Summary of Aggregate Loss Estimates ...................................... 96 Table 41: RAND Cost-to-Revenue Ratios by Sector (Bootstrapped Distribution) ...................................... 97 4 Table 42: RAND GDP at Risk by Percentile ................................................................................................................. 97 Table 43: Costs, Cost-to-Revenue Ratios, and People Affected (Large
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages146 Page
-
File Size-