Tallying the Cost of Cyber Crime

Organizations are typically targeted by more than one successful cyber criminal attack each week -- costing the average organization $3.8 million.

The scheming of cyber criminals now has a price tag: a median cost of $3.8 million (U.S.) per organization, according to researchers at the Ponemon Institute, which took an in-depth look at both the cost and the frequency of cyber crime at the behest of security software specialist ArcSight Inc.

Perhaps most startling of all, researchers found that shops were typically targeted by more than one successful cyber criminal attack each week.

The First Annual Cost of Cyber Crime Study, published earlier this month, comes with an important caveat: the Ponemon/ArcSight study was extremely limited in scope and is based on just 45 U.S. organizations.

On the other hand, researchers met with and interviewed participants instead of simply surveying them. “The total time invested in recruiting companies, building an activity-based cost model, collecting source information, and analyzing results required nine months of effort,” researchers indicate.

Participants were asked to record the number and the frequency of attacks over a four-week period. During that span, shops logged more than 50 successful attacks per week -- 1.11 attacks per organization.

The median tally came to $3.8 million per organization, but the range spanned from $1 million to almost $52 million, according to researchers.

“Every corporation is vulnerable to thousands of cyber attacks that occur daily across all industries, causing information theft, disruption to business operations and serious financial loss,” said Dr. Larry Ponemon, founder and chairman of the Ponemon Institute, in a prepared release. “Through actions such as the appointment of a chief information security officer [CISO], the rollout of an enterprise security strategy, and investments in technologies capable of addressing sophisticated threats and managing complex security events, companies are able to reduce the financial impact of cyber crime.”

Not surprisingly, Web attacks, malware attacks, and attacks by trusted insiders accounted for nine-tenths of cyber criminal activity.

Some attacks are more costly than others. As a general rule, researchers say, attacks are costlier when they’re discovered later in the process. Malicious insider attacks are perhaps most costly of all: they take an average of 42 days to detect and can cost as much as $17,696 daily.

Costs related to information theft were assessed as most expensive, followed by costs associated with the disruption of normal business activities.

Finally, the process of detecting and fixing a cyber criminal attack accounts for nearly half (46 percent) of the total incident cost, according to researchers.

Labor costs comprised by far the biggest portion (at 49 percent for both direct and indirect labor costs combined), followed by overhead (at 8 percent), “amortized system costs” (at 30 percent), and costs stemming from lost productivity (at 13 percent).

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
