EU Struggles to Determine Growing Cost of Cyberattacks

After painstakingly calculating the true cost of cybercrime in the European Union researchers conclude it’s nearly impossible to come up with hard numbers.

In a study released this week by the European Union Agency For Network And Information Security (ENISA) researchers assert that it’s vitally important to identify the magnitude of cybercrime against the European Union. But despite an abundance of studies addressing the economic impact of cybercrime, “the measurement of the real impact of incidents in terms of the costs needed for full recovery proved to be quite a challenging task.”

The ENISA study, titled The cost of incidents affecting CIIs blames a lack of a unified and standardized approaches in developing studies that are too often driven by business interests rather than actual concerns of stakeholders. The paper calls for the development of new studies with consistent methodologies, common objectives and unified analysis that consider all variables that define the EU’s critical information infrastructures.

The ENISA made an effort to draw conclusions from a pool of 17 existing research studies studies conducted between 2014 and 2015 from researchers at a variety of public and private organizations such as Oxford Economics (Cyber-Attacks: Effects on UK Companies), Ponemon Institute (Cost of Data Breach Study: Global Analysis) and Verizon (Data Breach Investigation Report). By selecting common threads between the studies, the ENISA said, it was able to identify trends useful for developing a general impression on of European Union  (EU) risks.

For example, the 32-page report, divined several problem areas when it came to business sectors impacted by cyber-security incidents in the EU. Finance, information and communication technologies (ICT) and energy sectors have the highest incident costs related to cyberattacks and remediation.

The most common attacks facing the EU’s hardest hit industries, which include the financial sector and ICT, are DoS/DDoS attacks and malicious insiders. Both are responsible for half the costs associated with cybercrime in the EU annually. Having the least economic impact are virus, worms and Trojans along with botnets, according to the ENISA.

Overall EU Common Threats: Threats identified within studies.

Overall EU Common Threats: Threats identified within studies.

Based on a meta-review of the 17 studies, ENISA estimates the cost of cyber attacks can cost EU member countries as much as 1.6 percent of their GDP or $41.3 billion annually for the EU as a whole.

But the farther ENISA drilled down into each of the studies the more divergent the conclusions. For example, the Ponemon Institute reported losses associated with cyberattacks in Germany run between $474,800 to $22 million per company. Another report estimates German losses between $2.6 million and $17 million.

“In this context data may mean any kind of information – from confidential information and personal identifiable data, to logs and other types,” the report stated. “Beyond understanding the context, (future studies) should also focus on extracting useful information for their businesses, such as: major threats, recovery costs, affected industries and assets, best practices etc.”

Policy makers, CEOs and CFOs can benefit from these types of studies in terms of future decision making, policy development and business continuity the report stated. ENISA said future studies by “organizations that develop such analysis whether being governmental, consultancy companies, cyber-security related companies can also benefit from this review by improving their frameworks/methodologies, providing more details and transparency on how information was collected and processed, dimension, constituency and representativeness of the sample size, economic sectors covered, types of cyber-threats/incidents covered, challenges identified during the study.”