Cyber attacks: financial quantification of cyber risk to model losses according to the threat
While cyber-attacks sometimes have a political, governmental or espionage objective, 46% of them are purely financial. According to a global data breach study by IBM Security, the average cost of a cyber-attack in 2022 will be $4.35 million.
By cyber-attack we refer to the ANSSI definition: “A set of actions carried out in cyberspace consisting of infiltrating, surreptitiously or under false pretences, the computer systems of an organisation or individual and seizing data for use“.
While it is said that an attack “costs money”, it is no less true that organisations must be able to model these financial losses, the extent of which will depend on a number of internal and external factors – the nature of the attack (method and motivation), the organisation’s defensive posture, the perimeters affected, etc. – that must be taken into account :
- What type(s) of loss (direct and indirect) is an organisation exposed to in the event of an attack?
- What types of threats can public and private organisations face and what are the consequences?
- How can these losses be quantified and modelled to manage the risk?
- What is the role of cyber risk quantification in modelling these losses?
Losses in the short term
Firstly, the interruption or slowdown of activity caused by the attack represents an obvious financial loss for most businesses. If information systems are brought to a standstill, the company is no longer able to produce and/or sell, resulting in a more or less significant loss of earnings depending on the duration, period of activity and extent of the incident on the information system.
Secondly, it may be affected by technical costs. For example, it will be necessary to set up an investigation to understand how the cyber attack occurred and the damage it caused to the information system. Next, it will be necessary to take steps to ensure regulatory compliance. From 2025, cybersecurity regulations will be tightened in Europe, with new requirements that many businesses and organisations will have to adopt. To find out more, read our article on DORA and NIS2. If a complaint is made, legal costs may be added to the list of incident costs.
Cyber-attacks also have an impact on an organisation’s image, and many organisations and companies do not want to communicate about this. However, it is sometimes necessary to manage the incident from a crisis communications perspective and inform customers and stakeholders that you have been affected, as in the case of a data compromise, their personal information may have been exfiltrated. The reputation of the company or organisation may have been damaged and investment in public relations and communications may be required to restore its image.
A cyber attack can be perceived as a symptom of a lack of security. As a result, investment in enhanced cyber security policies can be made very quickly after an incident in order to reassure stakeholders.
Damage caused in the long term
Cyber attacks also cause less visible damage. It can lead to a loss of confidence on the part of the company’s customers, but also on the part of the employees themselves, who may suffer directly as a result of the incident. As a result, the organisation may find it difficult to recruit, which can be significant in certain strategic sectors where there are few candidates. There may also be a loss of value in commercial partnerships and a slowdown in business activity.
From a financial perspective, a cyber-attack results in a loss of brand value. If the company is listed on a stock exchange, the value of its shares may be devalued to a greater or lesser extent, affecting investor confidence. There may also be an increase in the amount of cyber insurance taken out by the victim company. Depending on the financial impact of the incident, the cyber attack may also lead to an increase in the company’s or organisation’s bank debt.
A wide range of cyber threats and consequences
There is no single model for a cyber attack. The complexity of the cyber threat lies in its unpredictability.
Ransomware is one of the most common threats to most industries. Motivated by the lure of profit, this virtual hostage-taking of an information system is the most talked about threat in the media. This media coverage tends to make public opinion more forgiving, despite the impact of the attack. This situation makes the indirect effects less damaging for the organisation, particularly in terms of restoring its image.
DDoS attacks are the most financially damaging of all attacks. The slowdown or cessation of activity is difficult to manage and pay for, whether for businesses or public organisations. It is all the more damaging when it occurs during periods of critical activity for the economic sector (year-end celebrations, major sporting or political events, etc.). Slowing down or stopping business altogether is one of the threats most feared by organisations, because of the scale of the losses that can be caused by such a situation. In some cases, the availability threat can be combined with other threats, such as ransomware.
Data leakage is the attack with the most indirect impact. The incident has a significant impact on the organisation’s image and has negative long-term effects. The people whose personal data has been stolen – customers, employees, users – are concerned and tend to criticise the organisation for its lack of cyber security. This data can be used for a variety of purposes, depending on the context: resale, bringing the company into difficulties, etc. In addition to personal data, it can also be data related to the company’s R&D or intellectual property. This can hamper its development and innovation and damage its competitiveness, sometimes for a long period of time.
Finally, cyber espionage is still the preserve of state actors. It is often difficult to detect and prove, but it has many undesirable effects. Not only does it damage the competitiveness of strategic companies, but it can also undermine government action in a variety of areas where a public organisation’s information system has been compromised.
Why quantify your cyber risk to model your losses?
Cyber Risk Quantification (CRQ) is a method for visualising the financial impact of losses caused by different attack scenarios. Using financial indicators, it is then possible to put in place an efficient cyber security strategy.
Citalid offers a platform that combines calculation models based on the FAIR (Factor Analysis of Information Risk) method and incorporates Cyber Threat Intelligence data to enable organisations to understand and prioritise risks by calculating their financial impact. Citalid’s approach is to use probability distributions which, at the end of the calculation, provide a ‘mode’ (i.e. the most likely value of a loss). In this way, it is possible to provide a quantitative analysis of the organisation, with a precise range of values for the estimation of potential losses.
The Citalid platform uses several calculation models:
- Frequency calculation – we calculate the frequency of targeting (the organisation is targeted, but the attack is not necessarily successful) and the frequency of successful attacks.
- Vulnerability calculation – using the relationship between the type of cyber threat actors likely to target the organisation and the organisation’s defensive maturity, we can estimate the percentage of times the attacker is likely to attempt a successful attack.
- Financial loss calculation – this model provides the amount of financial loss at the time of the cyber attack, which is useful for estimating the financial exposure to cyber risk.
In order to obtain reliable indicators, the calculation is based on the models mentioned above, supplemented by information about the organisation being analysed in terms of its resilience, the criticality of its business or the nature of its commercial objectives. Several “draws” are then made to calculate the losses, in order to establish a range of costs. This provides personalised, contextualised data to help you make confident decisions.
These calculations are then performed for each of the types of threat most likely to be encountered by the organisation :
- Ransomware (excluding double extortion) ;
- Data leakage;
- Espionage;
- Bank fraud;
- DDoS ;
- Sabotage;
- Ransomware.
The types of losses considered by the models used by Citalid depend on the attack scenario, but here are a few examples:
- Productivity disruption ;
- Churn rate;
- Cost of investigation team;
- Cost of corrective action;
- Cost of legal notification;
- Crisis communication costs;
- Legal compensation;
- Restoration of brand image
The Citalid platform makes it possible to quantify the potential losses that an organisation could suffer in the event of a cyber attack. Quantifying these losses and translating them into financial terms means that all of an organisation’s stakeholders can be involved in cybersecurity decisions, and that you can negotiate an insurance policy with the insurer that shows which threats are most likely to target you.
