Today ENISA publishes a systematic review of studies on the economic impact of cyber-security incidents on critical information infrastructures (CII).
Cyber security incidents affecting CIIs (Critical Information Infrastructures) are nowadays considered “global risks that can have significant negative impact for several countries or industries within the next 10 years”[1]. Identifying the real impact they produce, however, proves to be quite a challenge.
Today ENISA publishes a systematic review of studies on the economic impact of cyber-security incidents on critical information infrastructures (CII), which provide the resources for core functions that society depends upon. Unavailability of these resources would have a debilitating effect on society as a whole.
A prevalent challenge for all stakeholders involved (decision makers, companies and others) is to identify the exact magnitude of incidents in terms of national or EU-wide economic impact. In this context, the aim of the study is to provide an estimate on the basis of publicly available information.
The study demonstrates that the absence of a common approach and criteria for performing such an analysis has led to the development of rarely comparable standalone approaches that are often relevant only to a specific context and to a limited audience. While some studies report annual economic impact per country, others report cost per incident or per organisation. Furthermore, some studies use real costs while others use approximations based on different techniques or on internal frameworks. Despite the lack of comparable studies, this systematic review has made it possible to draw compelling findings for future work in the field and to build an early view of the current situation in the EU and beyond.
The major common findings include:
- The finance, ICT and energy sectors have the highest incident costs
- The most common cyber attack types for the financial and ICT sectors appear to be DoS/DDoS and malicious insiders, with the latter also affecting public administration/government sectors
- The most costly attacks are considered to be insider threats, followed by DDoS and web-based attacks
- In terms of country losses, the figures reach up to 1.6% of GDP in some EU countries. Other studies mention figures of 425,000 to 20 million euro per company per year
“Determining realistic cost values is key to outline the economic impact of cyber incidents on the EU’s economy. ENISA can play a significant role in the future, on developing work that takes into account all critical variables that define the EU cyber-space, given that all the necessary resources have been allocated,” commented ENISA’s Executive Director Prof. Udo Helmbrecht.
A general recommendation to all readers who may be interested in such studies is that the findings have to be contextualised before adopting their conclusions or drawing one’s own. Doing so helps to better understand the gaps or areas not covered by a study, and to understand its overall findings and their relevance within the actual context.
For the full report:
https://www.enisa.europa.eu/publications/the-cost-of-incidents-affecting-ciis/
For media and press enquiries please contact press@enisa.europa.eu, Tel: +30 2814 409576