One of the great challenges in the security world is estimating the cost of adverse events. Even simple questions, such as how much it costs to recover from a data breach or to remove a computer virus from a machine or a network, are shrouded in uncertainty.
But that doesn’t stop folks from trying, and Ponemon Institute has done the most and – arguably – the best work on the topic of estimating the cost of various security events. That group is out this week with another report that, among other things, finds that the average cost to businesses to recover from a successful phishing attack is $300,000. The same report puts the average annual cost to contain a malicious software infection at $1.9 million.
Lost productivity was the biggest cost driver of successful phishing attacks, whereas clean up and incident response accounted for most of the costs of remediating malware attacks, according to Ponemon’s report, The Cost of Phishing & Value of Employee Training.
For the report, Ponemon surveyed 377 IT security employees at a range of organizations. The study was sponsored by Wombat Security Technologies, Inc. which offers security awareness training services.
As to how Ponemon arrived at those numbers? That’s the tricky part. As in most reports of this type, Ponemon relied on survey responses and estimates from the 377 IT professionals it polled to provide the raw data on which the estimates were based.
In the case of the $1.9 million figure for the cost to remediate a malware infection, for example, Ponemon broke the task of “remediating malware” into six constituent tasks and then had respondents estimate the number of hours, annually, their organization devotes to each. They include planning, capturing threat intelligence, evaluating that intelligence, investigating incidents, cleaning up after incidents and documenting the incident and response. The annual cost to contain malware is based on the hours to resolve the incident. Figure 2 shows the cost to contain malware attacks each year for an average-sized organization using an average hourly labor rate for US-based IT security practitioners. (That’s $62.20/hour, if you were wondering.)
To estimate the cost of a successful phishing attack, Ponemon takes that $1.9m per year figure, assumes that 11 percent of malware infections stem from phishing attacks, and so calculates the cost of malware remediation attributable to phishing at just over $208,000 annually.
Of course, much malware is never identified and remediated, as we know. So Ponemon’s study also takes a swing at estimating the cost of all the malicious software that isn’t identified and the damage it causes to organizations. There’s a lot of back-of-the-envelope calculation involved, but the report breaks the cost of undetected malware down into buckets such as malicious data exfiltration and business disruption, arriving at an annual cost of around $3.1 million for the average company. Phishing’s share of that is around $338,000 per year.
It’s an interesting report, especially in its attempts to estimate the cost of undetected security breaches and incidents, not just the attacks that are spotted and remediated. Of course, the small sample size and the use of respondents’ estimates of annual costs mean that all these figures should have a big asterisk next to them.
It also underscores the need for better data on the costs of malicious cyber attacks and other online attacks, from DDoS attacks to malware infections and credential theft. Without reliable data, companies will have a hard time justifying security spending as anything more than aspirational.
As this blog has noted before: the insurance industry is the best positioned to provide clarity in this area, using claims data to help put real numbers on many of the different categories of threats and incidents that Ponemon is trying to explore. But that process is slow going, as insurance companies are expanding cautiously into the cyber insurance market and have been unwilling, so far, to underwrite many categories of cyber risk.