The importance of electronic information systems is obvious to all participants in the modern economy. When information fails to circulate, whole sectors of the economy are vulnerable. Finance, wholesale and retail trade, transportation, much of manufacturing, and many service industries would slow to a crawl without computers. Vital public services – utilities, national defense, and medicine – are equally dependent.
Information security – the safeguarding of computer systems and the integrity, confidentiality, and availability of the data they contain – has long been recognized as a critical national policy issue. Two current trends indicate that its importance is growing. First, the integration of computers into more and more aspects of modern life continues. Second, cyber-attacks, or breaches of information security, appear to be increasing in frequency, and few observers are willing to ignore the possibility that future attacks could have much more severe consequences than what has been observed to date.
The core issue, in both public and private sectors, is whether we are devoting enough resources to information security. Part of the answer must come from economic analysis. What are the costs, both historical and potential, of security breaches? How frequently can attacks be expected? Can these factors be quantified precisely, so that business firms and other organizations can determine the optimal amount to spend on information security and measure the effectiveness of that spending?
This report surveys the state of knowledge on the cost of cyber-attacks and the economics of information security. First, we summarize several studies that use stock market capitalization as a measure of the cost of cyber-attacks to victim firms. The studies find substantial short-term drops in the prices of shares of firms following the announcement of an information security breach: between 1% and 5% of market capitalization, with greater losses (up to 15%) recorded by some financial institutions where attackers had gained access to confidential customer records.
Second, we present summaries of the existing empirical data on costs attributable to cyber-crime and computer worms and viruses. What is available is a limited amount of survey data, which is frankly described by its compilers as anecdotal, but is nonetheless widely reported in the press. Third, we analyze the reasons for the lack of statistical data: firms and organizations have strong incentives to conceal information about cyber-attacks, and there are significant uncertainties and measurement difficulties that limit our ability to specify the dollar amount at risk from information security breaches. Theoretical models that describe the returns to spending on information security shed some light on the size of potential losses, but – in the absence of better statistical data – assigning an overall figure to the cost of cyber-attacks remains highly speculative.