Quantifying Risks and Costs: Cybersecurity in the Organization
This serves as a note for Module 2, Topic 4, video 2.
Summary of the Lesson:
This lesson discusses the costs and risks of cyber insecurity and attempts to quantify them using data from insurance companies and other sources. While many believe that cybersecurity incidents are increasing rapidly and their costs are skyrocketing, more careful studies present a different picture.
• Cybersecurity Incidents: Data from the insurance company Advisen, which has tracked breaches for 10 years, shows that cyber incidents among Fortune 1000 firms have risen but have stabilized since 2014. The probability that a given Fortune 1000 firm suffers a breach in any given year is about 23.5%, or roughly 1 in 4.
• Risk by Firm Size: Larger firms face a higher risk of breaches: top-quartile firms (by size) have a 50% chance of at least one breach per year, while smaller firms face much lower risks. Industry sector also plays a role, with the public sector and IT-intensive industries being more vulnerable than sectors such as construction.
• Costs of Cyber Incidents: The costs can be broken down into three categories:
1. Direct Losses: The immediate financial impact of the crime, such as stolen money or costs of resetting credentials.
2. Indirect Costs: Broader societal impacts, like the loss of trust in online banking or missed sales due to fraud detection systems.
3. Defense Costs: Expenses incurred to prevent cyber incidents, such as firewalls and other security measures.
• Skewed Loss Distribution: Most studies show that the distribution of cyber losses is highly skewed, with a few large losses and many small losses. The median loss per incident is $200,000, but there is a small chance that losses can be 100 times higher.
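The skewed loss distribution is the point most often lost when these figures are turned into a budget: a median loss of $200,000 does not mean an expected loss of $200,000. The following added example (not part of the lesson or its sources) makes this concrete. It takes the lesson's 23.5% annual breach probability and $200,000 median loss as given, and assumes, as a modelling choice that the lesson does not state, that per-incident losses are lognormal with a 99th percentile 100 times the median. Under that assumption it computes the mean loss in closed form, the expected annual loss for a single firm, and a Monte Carlo check of both.

```python
import math
import random

# Figures stated in the lesson (Fortune 1000 firm, Advisen data).
P_BREACH = 0.235          # probability of at least one breach in a year
MEDIAN_LOSS = 200_000.0   # median loss per incident, USD

# Assumption, not from the lesson: losses are lognormal, and the "small chance
# of 100x" is interpreted as the 99th percentile being 100x the median.
TAIL_MULTIPLIER = 100.0
Z_99 = 2.3263             # standard normal quantile at 0.99


def lognormal_sigma(tail_multiplier=TAIL_MULTIPLIER, z=Z_99):
    """Shape parameter sigma such that the z-quantile is tail_multiplier x median.

    For a lognormal, quantile(q)/median = exp(sigma * z_q), so
    sigma = ln(tail_multiplier) / z_q.
    """
    return math.log(tail_multiplier) / z


def mean_loss(median=MEDIAN_LOSS, sigma=None):
    """Closed-form mean of a lognormal: median * exp(sigma^2 / 2).

    With the assumed tail this is roughly 7x the median, which is the
    practical consequence of a skewed distribution: the average is driven
    by the rare large losses, not by the typical incident.
    """
    sigma = lognormal_sigma() if sigma is None else sigma
    return median * math.exp(sigma ** 2 / 2)


def expected_annual_loss(p_breach=P_BREACH, median=MEDIAN_LOSS, sigma=None):
    """Expected annual loss for one firm, assuming at most one incident a year."""
    return p_breach * mean_loss(median, sigma)


def simulate_annual_losses(years, p_breach=P_BREACH, median=MEDIAN_LOSS,
                           sigma=None, seed=1):
    """Monte Carlo: one annual loss figure per simulated year (0 if no breach)."""
    rng = random.Random(seed)
    sigma = lognormal_sigma() if sigma is None else sigma
    mu = math.log(median)  # lognormal location parameter: ln(median)
    losses = []
    for _ in range(years):
        if rng.random() < p_breach:
            losses.append(rng.lognormvariate(mu, sigma))
        else:
            losses.append(0.0)
    return losses


def percentile(values, q):
    """Simple empirical percentile (q in [0, 1]) of a list of numbers."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]


def summarize(years=100_000, seed=1):
    """Compare the closed-form figures with a simulation of `years` firm-years."""
    annual = simulate_annual_losses(years, seed=seed)
    incidents = [x for x in annual if x > 0]
    return {
        "breach_fraction": len(incidents) / years,
        "median_incident_loss": percentile(incidents, 0.5),
        "p99_incident_loss": percentile(incidents, 0.99),
        "mean_incident_loss": sum(incidents) / len(incidents),
        "closed_form_mean_incident_loss": mean_loss(),
        "simulated_expected_annual_loss": sum(annual) / years,
        "closed_form_expected_annual_loss": expected_annual_loss(),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:34s} {value:>16,.2f}")
```

The closed-form mean comes out near $1.4 million per incident, about seven times the median, and the expected annual loss near $330,000; the simulation reproduces both within sampling error. The tail assumption is the lever here: a thinner tail would bring the mean closer to the median, so any budget built on these numbers should state which percentile it treats as the "100x" case.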
In conclusion, while larger firms and specific industries face higher risks, the costs of cyber incidents are not increasing as dramatically as some alarmist studies suggest. There is a small number of large losses, while most incidents result in smaller losses.