6.5 Measuring the impact of cyberattacks


The potential impact on organizations as a result of cyberattacks is shown in Table 6.2. At the simplest level, measuring the economic cost of direct damage to a target organization's computer systems and the cost to repair damage or restore systems and functionality can be measured by tracking the time that it requires technicians to perform the tasks necessary to restore systems.

Table 6.2: Impact of Cyberattacks on an Organization

Type of Impact
  • Direct damage to target organization's computer systems
  • Cost to repair damage or restore target organization's systems and functionality
  • Decrease in productivity of employees in target organization
  • Delays in order processing or customer service in target organization
  • Decrease in productivity in customer's organization because of delays in target organization
  • Delays in customer's business because of delays in target organization
  • Negative impact on local economies where target organization is located
  • Negative impact on local economies where target organization's customers are located
  • Negative impact on value for individual investors in target organization
  • Negative impact on value of investment funds holding target organization securities
  • Negative impact on regional economies where target organization, customer, or investor organizations are located
  • Negative impact on national economies where target organization, customer, or investor organizations are located

When a cyberattack affects tens of thousands of organizations, the challenge of collecting data on the cost to restore systems is almost insurmountable for most investigators. Although the methodology required to track time expenditures and corresponding cost for a single organization is straightforward, the resources required to collect data from thousands of organizations and compile it into a form that is usable for litigation purposes are not readily available to the criminal justice system.

Many organizations are unsure how to measure a decline in productivity that results from a cyberattack. In addition, the focus on restoring operations as quickly as possible usually overrides the desire to collect data on the loss of productivity or the many other types of impact that a malicious code attack can have on an organization. Regardless of the difficulty or the lack of interest in collecting data that can be used to quantify the types of impacts shown in Table 6.2, the potential oscillatory effect that downtime of computer systems has on an organization will be related to the duration of system outages. The impact on an organization can also be viewed in terms of when the impact may occur:

Immediate economic impact can include damage to systems that requires human intervention to repair or replace, disruption of business operations, and delays in transactions and cash flow.

Short-term economic impact can include loss of contracts with other organizations in supply chains or the loss of retail sales, have a negative impact on an organization's reputation, and be a hindrance to developing new business.

Long-term economic impact can include a decline in market valuation, erosion of investor confidence, decline in stock price, and reduced goodwill value.

Cyberattacks can also impact individual citizens. The potential impact on individuals is shown in Table 6.3. Individual citizens can suffer the same basic damages that a large organization suffers when cyberattackers and malicious code run amok on the Internet. Individual citizens must also pay the price to repair damage or restore their computer systems and, thus, the functionality those systems provide. As with the impacts on organizations, it is more complicated to measure other types of damage and impact. In the case of the individual citizen, the potential oscillatory effect of system outages can have far-reaching consequences on the family, social groups, and communities of which the individual is a member.

Table 6.3: Impact of Cyberattacks on Individuals

Type of Impact
  • Direct damage to target individual's computer systems
  • Cost to repair damage or restore target individual's computer systems and functionality
  • Decrease in productivity of target individual
  • Loss of contribution to employer of target individual
  • Loss of contribution to family of target individual
  • Loss of contribution to social groups of target individual
  • Loss of contribution to community of target individual
  • Decline in economic participation in target individual's local community
  • Decline in economic participation in target individual's region
  • Decline in economic participation in e-commerce sector
  • Potential long-term decline in economic participation in e-commerce sector

It is important to consider the impact of computer crimes on individuals and the social groups of which individuals are members. The home computer has become a far more significant tool and platform for participation in society and the workforce. Large numbers of people telecommute on at least a part-time basis. This can range from work-at-home days to the ability to check e-mail prior to departing for the airport when people are not going to stop at the office that morning.

In addition, the use of home computer systems for participation in educational activities and programs has become commonplace. Home computer systems are also used to aid household management, check recreational schedules, and conduct e-commerce. The ability to use home computer systems in these manners allows individuals and families to maximize the use of their time and potentially save on transportation costs.

The impact of cyberattacks can also be examined from a societal perspective. Table 6.4 shows how the effects of malicious code attacks on organizations and individuals are reflected in a society. Attacks that cripple computer systems consume resources that may otherwise be expended for other purposes.

Table 6.4: Impact of Cyberattacks on Societies

Type of Impact
  • Disruption of individual activities
  • Disruption of family activities
  • Disruption in participation in education
  • Disruption in social-group activities
  • Disruption in community activities
  • Disruption of local commerce and e-commerce
  • Disruption of government operations/functions
  • Disruption of business activities
  • Disruption of seasonal social calendars

The process of collecting data on the impact of cyberattacks is certainly possible, but it is very cumbersome and expensive. When cyberattacks impact only one organization, the complexity of the data-collection process will depend on the extent of damage and the duration of system outages. In the case of cyberattacks, several key data points are needed to determine the immediate economic impact caused by the attack.

Actual loss means the reasonably foreseeable pecuniary harm that results from the offense. In most computer-crime cases, actual loss includes the following pecuniary harm, regardless of whether such pecuniary harm was reasonably foreseeable:

  • Reasonable costs to the victim of conducting a damage assessment

  • The cost of restoring the system and data to their condition prior to the offense

  • Any lost revenue due to interruption of service

Table 6.5: Data Required to Determine Impact of Cybercode Attacks in an Organization

Types of Data
  • Time required to inspect systems to detect malicious code or deliberately placed code resulting from the attack.
  • Time required to eradicate the malicious code or deliberately placed code resulting from the attack.
  • Time required to apply patches to systems.
  • Time required to certify systems and return to service.
  • Time required to determine which, if any, files were damaged, altered, or stolen.
  • Time required to restore files that were damaged or altered.
  • Salaries, benefits, and overhead that comprise the per-hour costs of technicians working on computer system restoration and file recovery.
  • The value of stolen data or information.
  • Salaries, benefits, and overhead that comprise the per-hour costs associated with activities required as a result of data being stolen, such as canceling credit card numbers and issuing new cards.
  • Hours of lost productivity because of system outages.
  • Salaries, benefits, and overhead that comprise the per-hour costs of employees with reduced productivity.
  • Lost revenue because of system outages.

Table 6.5 shows the data required to determine the economic impact of a malicious code attack on an organization.

Calculating the cost of restoring systems is the easiest step in determining the damage caused by a computer system attack. The hours spent on the applicable activities are multiplied by the per-hour costs, as shown in Table 6.6. The time required for the various activities will depend on the nature of the attack, the type of systems attacked, and the extent of damage that occurred. The per-hour costs will depend on the skill level required to perform the work, local salary levels, and local benefits and overhead costs.

Table 6.6: Calculating the Cost of Restoring Systems after Cyberattacks

Activity | Measure (hours)
Time required to inspect systems to detect malicious code or deliberately placed code resulting from the attack | ____ hours
Time required to eradicate the malicious code or deliberately placed code resulting from the attack | ____ hours
Time required to apply patches to systems | ____ hours
Time required to certify systems and return to service | ____ hours
Time required to determine which, if any, files were damaged, altered, or stolen | ____ hours
Time required to restore files that were damaged or altered | ____ hours
Total Hours | ____ hours
Salaries, benefits, and overhead that comprise the per-hour costs of technicians working on computer system restoration and file recovery | $ cost per hour
Multiply the number of hours by the hourly costs | $ total costs

The complexity of calculating the cost of lost productivity will vary by organization. Some organizations have a good grasp on the productivity levels of individual employees or workgroups. This is especially true in organizations that have quota systems covering activities such as the number of sales calls per hour that must be made. Other organizations may have determined the value of an employee hour because there was a risk analysis or cost-benefit analysis performed to determine the return on investment for computer security expenditures or performance-enhancing software that is deployed in the organization. However, in the absence of such data, an organization will need to build the data-collection process from the ground up, which can be a time-consuming and expensive activity.

Measures of lost revenue because of system outages can be as complex as calculating lost productivity. A shortcut to determining lost revenue is to use the revenue of comparable days as a benchmark. If systems were out for the entire day on a Thursday and Friday during the summer, the revenue levels of previous similar days can be used as a benchmark. It is important to factor in trends in revenue decline or growth.

If revenue on an average day has increased by 10 percent for the last several months compared with one year prior, then the summer days of the previous year can be used with 10 percent added. Conversely, if revenue on an average day has declined by 10 percent, then the revenue level of comparable days one year prior can be reduced by 10 percent. In this example it is also important to examine revenue during the following week to determine if any sales during those days would have occurred during the days of the system outages.
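The worksheet in Table 6.6 and the comparable-day revenue benchmark described above, carried out in code as an added illustration (this is not code from the book). The hour counts, salary figures, the 2,080 working hours per year, and the revenue figures are constructed for the example, and the following-week deduction reflects the text's point that some sales merely shift into later days.

```python
# Constructed hour counts for the six Table 6.6 activities (hypothetical values)
RESTORATION_HOURS = {
    "inspect systems for malicious or planted code": 12.0,
    "eradicate malicious or planted code": 8.0,
    "apply patches to systems": 6.0,
    "certify systems and return to service": 4.0,
    "determine which files were damaged, altered, or stolen": 10.0,
    "restore damaged or altered files": 16.0,
}


def loaded_hourly_cost(annual_salary, benefits_pct, overhead_pct, hours_per_year=2080):
    """Per-hour technician cost made up of salary, benefits, and overhead.

    benefits_pct and overhead_pct are percentages of salary; 2080 hours/year
    is an assumed full-time figure, not one given by the text.
    """
    loaded = annual_salary * (1 + benefits_pct / 100.0 + overhead_pct / 100.0)
    return round(loaded / hours_per_year, 2)


def restoration_cost(hours_by_activity, hourly_cost):
    """Table 6.6: sum the activity hours, then multiply by the per-hour cost.

    Returns (total_hours, total_cost).
    """
    total_hours = sum(hours_by_activity.values())
    return total_hours, round(total_hours * hourly_cost, 2)


def lost_revenue_benchmark(prior_year_day_revenue, trend_pct, shifted_to_following_week=0.0):
    """Lost revenue for outage days, using comparable days one year prior.

    Each prior-year day is adjusted by the year-over-year daily revenue trend
    (+10 means revenue is up 10 percent, -10 means down 10 percent). Sales
    that only moved into the following week are then subtracted, since they
    were delayed rather than lost.
    """
    adjusted = [day * (1 + trend_pct / 100.0) for day in prior_year_day_revenue]
    return round(sum(adjusted) - shifted_to_following_week, 2)


if __name__ == "__main__":
    rate = loaded_hourly_cost(100_000, benefits_pct=30, overhead_pct=25)
    hours, cost = restoration_cost(RESTORATION_HOURS, rate)
    print(f"{hours} hours at ${rate}/hour = ${cost}")
    # Thursday and Friday outage; comparable days last year, revenue trend +10%
    print("Lost revenue:", lost_revenue_benchmark([40_000, 42_000], 10, 5_000))
```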

The value of stolen data or information can be extremely difficult to establish unless there are actions required as a direct result of the data being stolen. Salaries, benefits, and overhead that comprise the per-hour costs associated with activities required as a result of data being stolen, such as canceling credit card numbers and issuing new cards, can be determined in a manner similar to that used to calculate the restoration of computer systems. In cases where data is stolen, and there is a regulatory consequence for the data being compromised, such as fines or required audits because of the compromise, then those resulting costs can be used to determine partially the impact of the data being stolen.

In addition to not wanting to participate, many organizations do not have the resources to collect such data. There is also very little motivation to spend time and money when it is likely that the organization will not be compensated for the cost of collecting data or for any damages incurred because of the attack. Collecting data from organizations in one country poses many challenges, but collecting data from organizations in dozens of countries around the world is extremely difficult.

Implementing Homeland Security for Enterprise IT
ISBN: 1555583121
Year: 2003
Pages: 248