There is a 28 % chance businesses will experience a data breach of at least 10 000 records, harming intangible assets like reputation, intellectual property rights, expertise and know-how. An EU initiative explored the economics of cybersecurity to address the lack of quantitative information by decision-makers in prioritising security investments.

Digital Economy

Security

In 2018, the estimated cost of a data breach rose to EUR 3.5 million over the previous year, an increase of about 6.8 %. Most companies still adopt a basic remediation strategy since data breaches may cost less than preventive security measures. What’s more, the measurement of the real impact of incidents concerning the costs needed for full recovery is a challenging task. Overall, today’s models are inadequate. The EU-funded HERMENEUT project enables organisations to better evaluate their exposure to cyber risks, and the impact that cyberattacks would have on an organisation’s assets by estimating the potential financial losses. “We paid special attention to assets such as reputation, human capital and brand,” says Paolo Roccetti, senior researcher and team leader at project coordinator Engineering Ingegneria Informatica. “We kept things simple enough so that organisations with little cybersecurity knowledge can also use the proposed solution.” The HERMENEUT team developed a methodology and a decision support tool to assess and quantify the potential economic consequences of cyberattacks on a business’ assets, and the losses related to its intangible assets. The open-source risk assessment tool integrates the models and the knowledge created during the project. It provides users with novel functionalities to facilitate the estimation of tangible and intangible costs of an attack, and a risk- and a cost-based analysis and assessment of proper countermeasures for protection.

Supporting holistic and simpler cybersecurity assessments

Another innovative result was the holistic approach to analysing the cost-benefit of cybersecurity and fulfilling many key goals in the fight against cyberattacks. These include the development of an improved assessment model for organisational vulnerabilities and risks to tangible and intangible assets and a cost model to identify and measure intangible costs to organisations. The HERMENEUT solution is designed to support cybersecurity decision-making by chief information security officers, executives and board members in a broad range of companies, from SMEs to large organisations. “This makes business entities autonomous in establishing a first cyber posture without the huge costs of having a risk assessment performed by a consultant that’s often too complex to be re-executed and updated,” Roccetti reports. Cyber posture is the measure of a company’s resilience to cybersecurity threats.

Fostering a culture of risk management

Lastly, project partners outlined a series of policy recommendations on economic models of cyber costs and risk management solutions, and how to leverage existing best practices. The aim is to inform European policymakers and other key stakeholders, such as regulators, market operators and insurance companies, on the key priorities in this area, and where Europe should invest. A key player in the digital transformation of public and private companies and organisations with about 11 000 professionals across 65 locations around the world, Italy-based Engineering Ingegneria Informatica is building on the project outcomes. It’s looking to bring the solution closer to market. “Thanks to HERMENEUT, individual organisations and several business sectors now have at their disposal a suite of tools to improve their assessment of the vulnerabilities to cyberattacks, and their tangible and intangible assets that are at risk,” concludes Roccetti. “They will also help decision-makers estimate cyber risk and understand which mitigations to adopt.”

Keywords

HERMENEUT, cyberattack, cybersecurity, intangible assets, vulnerabilities, data breach, cyber risk, risk assessment, risk management