Technology & Innovation

Measuring the soft costs of cybercrime: a hard problem in need of a solution

May 20, 2013

Global

May 20, 2013

Global
Riva Richmond

Former editor

Riva Richmond is Director of Digital Media at The Story Exchange, a nonprofit digital media project that tells the stories of women entrepreneurs in articles and videos. Previously she worked as a Senior Editor with The Economist Intelligence Unit's Thought Leadership team in New York. She has reported and written about technology more than a decade, much of that time focused on information security and privacy issues. Prior to her current position, Riva was a freelance journalist writing for The New York Times, Entrepreneur.com, The Wall Street Journal and other national publications.

Contact

Calculating the costs of cyberattacks is vexing, in large part because of the difficulty in measuring potentially enormous “soft costs”. No accountant will ever write a check for these damages, yet they can be large enough to harm a firm’s value and ability to do business.

Cyberattacks come in many forms, and each can entail soft costs of different kinds and magnitudes. Cyberthieves could steal sensitive personal data, taking the trust of current and future customers with them. “Hacktivists” could immobilize a website, causing customer frustration and bad press. Competitors could lift product designs and take over the market with low-cost copies. And hostile nations could disrupt or destroy services and facilities vital to a healthy economy.

Attempts to understand soft costs are hamstrung by an absence of quality studies, in large part attributable to lack of data. Measuring these costs is complex because they are indirect and often entail intangibles such as trust and goodwill. And many of these costs do not involve immediate outlays, but, instead, estimates of potential losses and extra expenditures that might occur in the days, months and even years ahead. Indeed, due to the difficulty of quantifying soft costs, most cyberattack cost studies consider only the easier-to-measure “hard costs” of defence and response.

To date, the only type of soft costs to be examined closely are those tied to data breaches of sensitive personal information—thanks to US laws requiring disclosure and intense press focus. The spotlight is shifting to theft of intellectual property (IP), particularly by Chinese rivals, and emerging assaults on “critical infrastructure” by hostile nations. These attacks involve alarming threats to the health and well-being of firms and whole economies, yet there are no rigorous studies of soft costs that they could entail.

Slippery measurement problems

A look at two types of soft costs—lower profits following theft of customer information and losses caused by leaked IP—illustrates how the statistical foundations of most existing measures are disappointingly weak.

Breaches of customers’ personal information can lead to lower profits if existing customers flee or buy less and future customers cost more to acquire. These costs can kill. In 2007, Verus, a US medical-IT contractor, folded about two months after its reputation was destroyed by the leakage of patient financial information from five hospitals. Verus, however, is one of very few straightforward examples of business failure—the consequences are rarely this dramatic.

Measuring such reputational costs is extremely difficult, and attempts to do so have attracted criticism. The US-based Ponemon Institute, a research firm that produces the most widely cited figures on soft costs, puts customer-related damage at well over half of all economic damages from data breaches. Its survey asks companies how many customers they will likely lose following an attack and how hard it will be to attract new ones. However, resistance to discussing breaches results in small sample sizes—typically around 50 companies—that are not randomly chosen, though the firm says it works to make its sample representative. Moreover, Ponemon surveys companies soon after a breach, thus making estimates more assessments of risk rather than tallies of actual costs. Firm founder Larry Ponemon says past forecasts have been “in the ballpark” of actual costs.

Sometimes initial assessments can be stratospheric. The total cost of a March 2011 data breach at Epsilon, a US email marketing firm, was initially pegged at $3bn to $4bn, including direct costs and lost business, by CyberFactors, a cyber data firm. But Epsilon reported 38% revenue growth that year, up from 19% in 2010. “Our clients stood by us, and we emerged even stronger,” because of actions it took to tighten security and assist clients, Epsilon’s parent company Alliance Data Systems said in its annual report.

Lofty estimates have led prominent experts to argue that soft costs are overhyped. And the fact that cost analyses often come from the security industry feeds suspicion. “Anyone who does not offer a strong sceptical eye on industry reports does a disservice to his or her own company and industry,” says Allan Friedmann, research director of the Center for Technology Innovation at the Brookings Institute, a US think tank. “There can be conflicts of interest.”

Meanwhile, measuring soft costs from theft of IP has often amounted to back-of-the-envelope calculations. In late 2011, the UK Cabinet Office and Detica, a consultancy, said British businesses lost £9.2bn annually to IP theft. But the figure was based on the likely value of IP to the British economy, adjusted by estimates of the probability of IP theft and related revenue impact, a questionable methodology at best. There is “an enormous gap between [such estimates] and the experience of real companies,” says Ross Anderson, professor of security engineering at Cambridge University.

IP theft can bring reputational costs as well as impair long-term profitability and competitiveness. For instance, Canada’s Nortel Networks, a one-time telecom giant, was systematically pilfered by Chinese hackers for more than a decade. While Nortel had many problems, cheap copies of its products that emerged from China are believed to have contributed to its 2009 bankruptcy.

Soft costs are undoubtedly tough to work out, but a hard slog through company data could shed more light. For instance, damages from IP theft could be better understood by tallying deals lost to rivals, calculating wasted research-and-development spending and evaluating shifts in overall firm finances.

Damage to whole economies from cyberattacks is even tougher to measure, though clearly a price is paid in jobs and economic growth as businesses lose competitiveness and suffer disruptions. Amid a rise in cyberattacks tied to geopolitical conflicts, governments around the globe are keen to know how high the price tag might rise, yet have little insight without hard data.

What should companies do?

In the absence of good information, what should executives do? First, move beyond the hype. While cyberattacks certainly elevate the danger of reputational damage and loss of market share, firms have considerable power to contain soft costs if they treat them as risks to be managed.

Mike DuBose, former chief of the Computer Crime and Intellectual Property Section at the US Department of Justice and now a senior executive at Kroll, a US security firm, recommends starting with an incident-response plan. Companies should investigate and understand the extent of cyberattacks as quickly as possible and communicate with affected parties in an honest and deliberate way. Firms that inspire confidence in customers and investors through responsible action to address incidents and make systemic changes to improve their security can hold down soft costs. Indeed, investors are more interested in how companies react to attacks than in the attacks themselves, according to a February 2013 survey by Zogby Analytics, a pollster.

The available data, though scant, suggest reputation-related soft costs are decreasing, perhaps because the public is growing accustomed to cybercrime. Yet a mishandled data breach, prolonged business disruption or leak of strategic IP could seriously wound a company.

With so much on the line, chief executives, together with other members of the C-suite, must honestly weigh the risks to their business from the full spectrum of cyberattacks their firms might experience. They must then make the kind of wise strategic and defensive choices that can safeguard their future. And, finally, they must be more forthcoming about the toll cybercrime is taking on their firms. Only with more data can we can hope to understand the true costs and keep them at bay.

Enjoy in-depth insights and expert analysis - subscribe to our Perspectives newsletter, delivered every week