Cyberattacks are growing, but still nobody knows what they really cost

A single method of determining losses following a cyberattack needs to be introduced, according to the European Union Agency for Network and Information.
Written by Danny Palmer, Senior Writer

ENISA wants a single methodology for adding up losses to cybercrime.

Image: Taras Bahnyuk, Getty Images/iStockphoto

Despite the growing threat of cybercrime, it's almost impossible to know the real costs of cyberattacks due to the lack of a common methodology for calculating losses.

While reports on the estimated or actual costs of falling victim to hackers, an insider threat, or any other type of security breach, are common in themselves, a review by the European Union Agency for Network and Information Security (ENISA) says that the various different methods of determining cost means "the job of identifying the real impact produced proves to be quite a challenge".

ENISA's study comes shortly after European lawmakers approved new legislation that compels companies to report cyberattacks -- which should in theory make calculating losses easier.

ENISA's report, The Cost of Incidents affecting CIIs (Critical Information Infrastructures), points out how reports into the cost of cyberattacks use different methods of determining losses, including using annual economic impact per country, cost per incident, or per organisation, or even just estimated costs. This has "led to the development of rarely comparable standalone approaches that are often only relevant to a specific context and to a limited audience," ENISA said.

The report's authors, ENISA's Dr Dan Tofan, Theodoros Nikolakopoulos and Eleni Darra, therefore suggest that a single method of measurement needs to be determined in order to make studying the cost of cybercrime across different countries and industries simpler and more effective.

"Measurement of the real impact of incidents in terms of the costs needed for full recovery proved to be quite a challenging task. Determining cost values that are as close as possible to reality is a key to determining the real economic impact of incidents on EU's economy. Knowing the real impact can help define proper, coherent and cost effective (beneficial) mitigation policies," the report says.

ENISA also points to a "lack of a unified and standardised approach" in the production of reports into cybercrime, suggesting that such documents are driven by business factors instead of any real needs.

Future studies, the agency says, should be "done throughout a unified analysis, based on a well-structured methodology, and considering all critical variables that define the EU cyber-space" in order to reflect "the real situation".

"Determining realistic cost values is key to outline the economic impact of cyber incidents on the EU's economy. ENISA can play a significant role in the future, on developing work that take into account all critical variables that define the EU cyber-space, given that all the necessary resources have been allocated," ENISA's executive director, professor Udo Helmbrecht, said.


Editorial standards