Toward enhancing the information base on costs of cyber incidents: implications from literature and a large-scale survey conducted in Germany-Reference-Cited by-同舟云学术

Toward enhancing the information base on costs of cyber incidents: implications from literature and a large-scale survey conducted in Germany

Published:2022-05-31 Issue:2 Volume:2 Page:79-112
ISSN:2635-0270
Container-title:Organizational Cybersecurity Journal: Practice, Process and People
language:en
Short-container-title:OCJ

Author:

von Skarczinski Bennet Simon^ORCID,Dreißigacker Arne^ORCID,Teuteberg Frank^ORCID

Abstract

PurposeLiterature repeatedly complains about the lack of empirical data on the costs of cyber incidents within organizations. Simultaneously, managers urgently require transparent and reliable data in order to make well-informed and cost-benefit optimized decisions. The purpose of this paper is to (1) provide managers with differentiated empirical data on costs, and (2) derive an activity plan for organizations, the government and academia to improve the information base on the costs of cyber incidents.Design/methodology/approachThe authors analyze the benchmark potential of costs within existing literature and conduct a large-scale interview survey with 5,000 German organizations. These costs are directly assignable to the most severe incident within the last 12 months, further categorized into attack types, cost items, employee classes and industry types. Based on previous literature, expert interviews and the empirical results, the authors draft an activity plan containing further research questions and action items.FindingsThe findings indicate that the majority of organizations suffer little to no costs, whereas only a small proportion suffers high costs. However, organizations are not affected equally since prevalence rates and costs according to attack types, employee classes, and other variables tend to vary. Moreover, the findings indicate that board members and IS/IT-managers show partly different response behaviors.Originality/valueThe authors present differentiated insights into the direct costs of cyber incidents, based on the authors' knowledge, this is the largest empirical survey in continental Europe and one of the first surveys providing in-depth cost information on German organizations.

Publisher

Emerald

Reference71 articles.

1. American Association for Public Opinion Research (AAPOR) (2016), “Evaluating survey quality in todays‘s complex environment”, available at: https://www.aapor.org/AAPOR_Main/media/MainSiteFiles/AAPOR_Reassessing_Survey_Methods_Report_Final.pdf (accessed 15 January 2021).

2. Accenture (2019), “The cost of cybercrime. Ninth annual cost of cybercrime study”, available at: https://www.accenture.com/us-en/insights/security/cost-cybercrime-study (accessed 20 January 2021).

3. A taxonomy of cyber-harms. Defining the impacts of cyber-attacks and understanding how they propagate;Journal of Cybersecurity,2018

4. Anderson, R., Barton, C., Boehme, R., Clayton, R., van Eeten, M., Levi, M., Moore, T. and Savage, S. (2013), “Measuring the cost of cybercrime”, in Böhme, R. (Ed.), The Economics of Information Security and Privacy, Springer, Berlin, pp. 265-300.

5. 2020 cybercrime economic costs: no measure no solution,2015

Cited by 3 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. A Bonus-Malus framework for cyber risk insurance and optimal cybersecurity provisioning;European Actuarial Journal;2023-11-08

2. Modelling maximum cyber incident losses of German organisations: an empirical study and modified extreme value distribution approach;The Geneva Papers on Risk and Insurance - Issues and Practice;2023-04

3. New advances on cyber risk and cyber insurance;The Geneva Papers on Risk and Insurance - Issues and Practice;2023-04