Survey: Most IT Security Managers Can’t Figure Cost of Cyber Attacks

January 15, 2019  Jeff B. Copeland

A new survey of cybersecurity officers finds that 73% have no way to calculate the financial impact of cyber attacks, and rely on their own estimates. And they’re bad at estimating.

“Unfortunately,” the report says, “those estimates tend to be significantly lower than the findings of those who calculate actual costs.”

The Global Application & Network Security Report 2016-17 is based on a survey of 598 information security managers worldwide by Radware, a vendor of application delivery and cybersecurity services.

The survey finds that cybersecurity risk managers overall tend to guess low on the true costs of cyber attacks, but that skill in estimating varies by industry.

The technology, healthcare and government sectors appear to have a good handle on loss estimates—healthcare in particular has well established data on the value of a patient. Ditto for retailers because “once hit with an attack, losses are immediate”. On the other side of the ledger, media and educational institutions way underestimated the average cost of an attack.

The organizations that do calculate monetary values on cyber attacks listed the factors in this chart as their most costly losses, led by reputation damage, but with a close spread among online revenue loss, service level agreement fees, customer legal damages and compliance fees.

These financially savvy information security managers figured the likely impact of a cyber attack at nearly double the typical estimate of their peers with no risk quantification skills: $1.1 million vs. $620,000.

The Radware report concludes “cyber attacks are more expensive than many organizations assume, making them a significant blind spot.

“By more accurately understanding and precisely calculating all of the financial impacts, security teams can make a stronger case for funding.”

The Radware findings dovetail with a recent survey by the Cyentia Institute, a cybersecurity research firm, that examined the communication issues between CISOs and boards of directors:

“Not many [CISOs] measure risk in terms of financial losses expected over a given timeframe," the survey concluded while “boards are very accustomed to the concept of enterprise risk management (ERM) and discussing the financial, strategic and operational risks to the firm is standard boardroom fare.”


Talking Cyber Risk Analysis to Skeptical Executives

Are There Better Alternatives to Heat Maps?