both. They are persistent, indicating that the attacker has a defined objective and often will not quit until their goal is realized. This can often lead to attacks being multi-pronged, where the organization's systems and security are studied and monitored for months before an actual attack, or series of attacks, takes place. APTs pose a significant threat with a high probability to succeed and be damaging to an organization. This can indicate external funding or support that provides resources for the development and deployment of the attack.

The only positive aspect of APTs is that they are targeted against a specific organization and hence are much less prevalent than other threat types. In other terms, they are akin to the sniper who studies his prey and observes its habits. The sniper waits, sometimes for days, for the perfect moment to take his shot, with a high degree of accuracy. It is very difficult to locate the sniper before the attack, and after the attack, the damage is localized but still significant, and often costly. Non-APT attacks, in contrast, may be thought of as 'the shotgun approach', or the 'spray and pray' tactic of many video gamers. The attacker will point in a general direction and blast away, hoping to hit something. With enough shots, a kill is guaranteed. These attackers generate a lot of noise, and can do a lot of damage if they are lucky enough to land a hit. If unsuccessful, an attacker will often move on to another target.

Success at a low cost, against any target, is more important than any specific target.

Understanding the type of attack in the context of its objective and sophistication allows those responsible for information systems to gain insight into the potential damages caused.

This next section looks at some of the costs a cyber-security breach can incur.

**7. Cost of a successful cyber-attack**

By our nature, humankind often finds it easier to respond or retaliate than to plan and prepare. Analyzing every potential outcome of a scenario can consume significant time and resources. Surely it is cheaper to only respond to the successful cyber-attacks than to commit resources to risk management and incident response?

Recent history has shown this idea to be erroneous. It is often impossible to calculate the precise damage of a cyber-intrusion. The consequences of an attack can be far-reaching and long-term. The damage may often be irreparable; no amount of money can undo what has been done. Some of the effects of a cyber-intrusion include:

- Financial loss from service unavailability
- Loss of customer/client confidence
- Market shift to competitors
- Fines from regulatory bodies
- Theft of intellectual property
- Cost of informing customers of theft
- Cost of recovery
- Loss of human life
- Cost of security measures to prevent a repeat attack
- Lawsuits and liabilities from those who have had information stolen
- Cost of staff or consultants to investigate and identify the method of attack

The effects of cyber crime are listed above. Some previous sections have said other things about cost in specific instances. Many successful cyber attacks have been widely reported in the media, yet the frequency of successful cyber attacks continues to increase, along with associated costs.

In their second annual report, the Ponemon report (Ponemon Institute, 2011) had the following key takeaways:


The time it takes to resolve a successful cyber attack is a key factor in the cost. The sooner the organization detects, analyzes and contains the attack, the lower its recovery and post-recovery costs will be, and the lower the overall cost will be. Therefore, it is important that all organizations constantly be on the alert against cyber attacks.

Table 2, taken from this Ponemon report, gives the average annualized cyber crime cost, weighted by the attack frequency. While the institutions studied in this report are not necessarily representative of the industry as a whole, the data are highly informative.


Table 2. Types of attacks and their associated costs (Ponemon Institute, 2011).


exploits a vulnerability the first time has the advantage of surprise. No matter how rapid the response by software developers and security vendors to a zero-day exploit, the black hats have a significant window of opportunity to attack vulnerable systems until a remediation and/or a signature for the malware is deployed to the defenses on the platform. Cybersecurity will always be a race between malefactors who want to compromise systems and the vendors, developers, and legitimate users of computing systems who want to secure their systems.

A major hurdle is that decision makers often think like the French government before WWII: they think their large investment in firewalls will protect them, while the reality is that new software and hardware are continuously being deployed to add functionality and remediate vulnerabilities, and no static defense can provide protection in a dynamic environment. Experience teaches that the fixes often create new vulnerabilities. At the same time, malefactors are continuously searching for vulnerabilities and creating exploits for the vulnerabilities that they isolate. Thus the problem becomes one of continuously defending a relatively slowly changing target from an unknown, rapidly moving and evolving attacker.

In the current world of IT, attackers have a huge advantage. The majority of machines deployed in businesses and homes run the same platform software. Microsoft platforms got the reputation for having poor security because their platform provided a large set of targets that made the value of an exploit much greater. Finding vulnerabilities and developing exploits is a technically demanding and uncertain process. A large monoculture to attack provides the incentive to invest in exploits. There is now an active underground market in zero-day exploits that are sold to the highest bidder. An active market provides incentives for skilled individuals to invest time and expertise to create "products" that are in demand.

**10. Implementing security**

A likely question at this stage is: what can be done? How can we realistically and affordably protect our information under this continuous barrage of attacks? Often in these circumstances, managers may find themselves facing the responsibility to choose between large numbers of different technology-based solutions. This can quickly overwhelm, and actually create more problems than it solves. In order to implement effectual security controls, we must first understand the risks posed by different threats to our business model.

There is no shortage of security frameworks for analyzing risk and implementing security controls, and plenty of excellent books for a variety of audiences on this topic. For the purposes of this chapter, we shall present security implementation from a greatly simplified model that should enable an organization to effectively prepare and respond to security threats.

The Cyber Security space can be broken down into three areas, or domains. These are:

- Prepare
- Defend

Table 1 includes only the direct costs. There are also indirect costs, including increasing frustration on the part of computer users, increased time spent on working with necessary security measures, lost business opportunities, and a tarnished reputation.

Worldwide, cyber crimes have cost in the neighborhood of \$388 billion in 2010, according to the 2011 Norton Cybercrime Report (Norton, Inc., 2011). This figure includes both direct and indirect costs, and is a staggering amount. And unfortunately, this figure has only been increasing for the past several years, with no sign of major improvement.
