Skip to main content

Economic Effectiveness of Mitigation and Resilience

  • Chapter
  • First Online:
Cyber Resilience of Systems and Networks

Part of the book series: Risk, Systems and Decisions ((RSD))

  • 2570 Accesses

Abstract

Implementation of means for enhancing cyber resilience, such as those discussed in the preceding chapters, costs money. Is this a worthwhile investment? This chapter provides an economic perspective on how to choose the most economically appropriate approaches to improving cyber resilience. These considerations are rather complex. For example, property damage, except for destruction of data, has thus far been a relatively minor cost of cyber threats, in contrast to instances of significant loss of functionality of a cyber system itself or the system it helps operate. The latter translates into loss of output (sales revenue and profits) and loss of employment, and is often referred to as business interruption (BI). Thus, in addition to pre-event mitigation, post-disaster strategies that enable a system to rebound more efficiently and quickly offer the prospects of greatly reducing BI. Moreover, there are numerous resilience tactics that comprise a strategy on both the cyber service provider side and customer side, many of which are relatively inexpensive. The latter include backup data storage and equipment, substitutes for standard cyber components, conserving on cyber needs, and recapturing lost production once the cyber capability is restored. This chapter describes the analysis based on basic principles of economics and is couched in a benefit-cost analysis (BCA) framework as an aid to decision-making. This chapter goes beyond the conceptual level and offers estimates of the costs and effectiveness of various mitigation and resilience tactics.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 99.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 129.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 199.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    In this chapter, we do not address aspects of cybercrime.

  2. 2.

    The value of an asset is the discounted flow of net future returns from its operation. Hence, for ordinary property damage, the stock and flow measures represent the same thing, and, at first pass, including both would involve double-counting. The situation is, however, complicated in the case of most hazards. This is a controversial subject, but we take the view that it is appropriate to include both the stock and flow measures in the case of damaged property, but only where the latter is confined to the opportunity costs of delays in restoring production because of the repair and reconstruction process.

  3. 3.

    Indirect effects can also be associated with stock losses or property damage (e.g., earthquakes causing damage from fires, hazardous materials leakages, and buildings made more vulnerable to subsequent weather damage). However, except in extreme cases, such as the 2011 Japanese earthquake and tsunami followed by the Fukushima nuclear reactor accident, these indirect stock effects are likely to be relatively small when compared with the flow-induced indirect losses.

  4. 4.

    Some further clarification is in order. First, the current line of demarcation between direct and indirect effects is somewhat arbitrary, specifically, the convention of counting business losses due to cut-off from utility lifelines as direct effects. There is equal justification for considering these to be first-round indirect effects. The advantage to including these as direct losses is that it emphasizes the key role of utilities and infrastructure in the economy, and emphasizes their prominent role in contributing to losses. Also, it helps ensure that these effects will be taken into account, because most analysts are not able to or do not bother to consider what are termed “indirect” effects.

  5. 5.

    Note that we allow for the addition of capital stocks (plants and equipment) and flows of services emanating from them for reasons spelled out in footnote 8.

  6. 6.

    Certain types of malware detection programs include a quarantining function as a response to intrusions that coincides more so with the next alternative: coordinated defense

  7. 7.

    Diversity is only considered effective when done correctly by security professionals. Unintended or ad hoc diversity quite often creates gaps, increasing intruder access points, and can significantly decrease cyber security (Russell, 2015).

  8. 8.

    Some excess capacity is often planned for, in order to enhance normal business flexibility or to accommodate downtime for maintenance; these aspects should not be credited to disaster resilience.

  9. 9.

    This option is not currently allowed under net-neutrality laws. However, given the recent proposed changes to those laws, and the success of these premiums in other domains, such as electricity service provision, it is worth considering.

  10. 10.

    Similar to excess capacity, some instances of input isolation, where some production activities are separated from the need for one or more inputs, are inherent in the system and should likewise not be credited to resilience unless it is expressly done for that purpose.

  11. 11.

    BCA refers to the assessment of all relevant benefits and costs of a deliberate course of action. In its broadest form, BCA is typically applied to public policy and public actions , such that the relevant aspects include benefits and costs to society as a whole, including joint-product benefits and externalities, both market and nonmarket (see, e.g., Boardman et al., 2011). As such, it typically applies to decisions made by government agencies on the part of their constituents (society as a whole in their jurisdiction). The term BCA, however, is often applied to calculations of individual businesses and households regarding investment and other resource allocation decisions. In these cases, the relevant costs are typically just private costs, for instance, those incurred or received only by the decision-maker. In this article, we use the term BCA broadly to include both private- and public-sector decision-making. Most of the principles of BCA are relatively straightforward, and we only elaborate on them when they are complicated and relevant to issues discussed in this article.

  12. 12.

    The order-of-magnitude estimates stem from a simple back-of-the-envelope calculation. Electricity and water inputs represent less than 5% each on average of total production costs of nearly all businesses in the economy. Assuming that rates of return (or profit rates in general) are reasonably equal across all business enterprises, again on average, this means that net revenue losses are more than 20 times higher for the economy than for the utility supplier. Moreover, this number increases when indirect (multiplier or general equilibrium) effects are taken into account.

  13. 13.

    Here, MB2 pertains to a different case than the multi-threat resilience benefits discussed in the previous paragraph. We have chosen not to insert a separate MB curve to avoid cluttering the figure. Strictly speaking, only resilience tactics that have this characteristic (mainly supply-side ones) would have their MB segments raised. This would make for a likely non-monotonically increasing or decreasing MB curve and would complicate the identification of an optimum.

References

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Adam Rose .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer International Publishing AG, part of Springer Nature

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Rose, A., Miller, N., Eyer, J., Banks, J. (2019). Economic Effectiveness of Mitigation and Resilience. In: Kott, A., Linkov, I. (eds) Cyber Resilience of Systems and Networks. Risk, Systems and Decisions. Springer, Cham. https://doi.org/10.1007/978-3-319-77492-3_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-77492-3_14

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-77491-6

  • Online ISBN: 978-3-319-77492-3

  • eBook Packages: EngineeringEngineering (R0)

Publish with us

Policies and ethics